1 //===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // Details of the algorithm: 12 // http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13 // 14 //===----------------------------------------------------------------------===// 15 16 #define DEBUG_TYPE "asan" 17 18 #include "llvm/Transforms/Instrumentation.h" 19 #include "llvm/ADT/ArrayRef.h" 20 #include "llvm/ADT/DenseMap.h" 21 #include "llvm/ADT/DepthFirstIterator.h" 22 #include "llvm/ADT/OwningPtr.h" 23 #include "llvm/ADT/SmallSet.h" 24 #include "llvm/ADT/SmallString.h" 25 #include "llvm/ADT/SmallVector.h" 26 #include "llvm/ADT/StringExtras.h" 27 #include "llvm/ADT/Triple.h" 28 #include "llvm/DIBuilder.h" 29 #include "llvm/IR/DataLayout.h" 30 #include "llvm/IR/Function.h" 31 #include "llvm/IR/IRBuilder.h" 32 #include "llvm/IR/InlineAsm.h" 33 #include "llvm/IR/IntrinsicInst.h" 34 #include "llvm/IR/LLVMContext.h" 35 #include "llvm/IR/Module.h" 36 #include "llvm/IR/Type.h" 37 #include "llvm/InstVisitor.h" 38 #include "llvm/Support/CallSite.h" 39 #include "llvm/Support/CommandLine.h" 40 #include "llvm/Support/DataTypes.h" 41 #include "llvm/Support/Debug.h" 42 #include "llvm/Support/raw_ostream.h" 43 #include "llvm/Support/system_error.h" 44 #include "llvm/Target/TargetMachine.h" 45 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 46 #include "llvm/Transforms/Utils/BlackList.h" 47 #include "llvm/Transforms/Utils/Local.h" 48 #include "llvm/Transforms/Utils/ModuleUtils.h" 49 #include <algorithm> 50 #include <string> 51 52 using namespace llvm; 53 54 static const uint64_t kDefaultShadowScale = 3; 55 static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 56 static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 57 static const uint64_t kDefaultShort64bitShadowOffset = 0x7FFF8000; // < 2G. 58 static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41; 59 60 static const size_t kMaxStackMallocSize = 1 << 16; // 64K 61 static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 62 static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 63 64 static const char *kAsanModuleCtorName = "asan.module_ctor"; 65 static const char *kAsanModuleDtorName = "asan.module_dtor"; 66 static const int kAsanCtorAndCtorPriority = 1; 67 static const char *kAsanReportErrorTemplate = "__asan_report_"; 68 static const char *kAsanReportLoadN = "__asan_report_load_n"; 69 static const char *kAsanReportStoreN = "__asan_report_store_n"; 70 static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 71 static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 72 static const char *kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; 73 static const char *kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; 74 static const char *kAsanInitName = "__asan_init_v2"; 75 static const char *kAsanHandleNoReturnName = "__asan_handle_no_return"; 76 static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 77 static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 78 static const char *kAsanStackMallocName = "__asan_stack_malloc"; 79 static const char *kAsanStackFreeName = "__asan_stack_free"; 80 static const char *kAsanGenPrefix = "__asan_gen_"; 81 static const char *kAsanPoisonStackMemoryName = "__asan_poison_stack_memory"; 82 static const char *kAsanUnpoisonStackMemoryName = 83 "__asan_unpoison_stack_memory"; 84 85 static const int kAsanStackLeftRedzoneMagic = 0xf1; 86 static const int kAsanStackMidRedzoneMagic = 0xf2; 87 static const int kAsanStackRightRedzoneMagic = 0xf3; 88 static const int kAsanStackPartialRedzoneMagic = 0xf4; 89 90 // Accesses sizes are powers of two: 1, 2, 4, 8, 16. 91 static const size_t kNumberOfAccessSizes = 5; 92 93 // Command-line flags. 94 95 // This flag may need to be replaced with -f[no-]asan-reads. 96 static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 97 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 98 static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 99 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 100 static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics", 101 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), 102 cl::Hidden, cl::init(true)); 103 static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path", 104 cl::desc("use instrumentation with slow path for all accesses"), 105 cl::Hidden, cl::init(false)); 106 // This flag limits the number of instructions to be instrumented 107 // in any given BB. Normally, this should be set to unlimited (INT_MAX), 108 // but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary 109 // set it to 10000. 110 static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb", 111 cl::init(10000), 112 cl::desc("maximal number of instructions to instrument in any given BB"), 113 cl::Hidden); 114 // This flag may need to be replaced with -f[no]asan-stack. 115 static cl::opt<bool> ClStack("asan-stack", 116 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 117 // This flag may need to be replaced with -f[no]asan-use-after-return. 118 static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 119 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 120 // This flag may need to be replaced with -f[no]asan-globals. 121 static cl::opt<bool> ClGlobals("asan-globals", 122 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 123 static cl::opt<bool> ClInitializers("asan-initialization-order", 124 cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(false)); 125 static cl::opt<bool> ClMemIntrin("asan-memintrin", 126 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 127 static cl::opt<bool> ClRealignStack("asan-realign-stack", 128 cl::desc("Realign stack to 32"), cl::Hidden, cl::init(true)); 129 static cl::opt<std::string> ClBlacklistFile("asan-blacklist", 130 cl::desc("File containing the list of objects to ignore " 131 "during instrumentation"), cl::Hidden); 132 133 // These flags allow to change the shadow mapping. 134 // The shadow mapping looks like 135 // Shadow = (Mem >> scale) + (1 << offset_log) 136 static cl::opt<int> ClMappingScale("asan-mapping-scale", 137 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 138 static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 139 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 140 static cl::opt<bool> ClShort64BitOffset("asan-short-64bit-mapping-offset", 141 cl::desc("Use short immediate constant as the mapping offset for 64bit"), 142 cl::Hidden, cl::init(true)); 143 144 // Optimization flags. Not user visible, used mostly for testing 145 // and benchmarking the tool. 146 static cl::opt<bool> ClOpt("asan-opt", 147 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 148 static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 149 cl::desc("Instrument the same temp just once"), cl::Hidden, 150 cl::init(true)); 151 static cl::opt<bool> ClOptGlobals("asan-opt-globals", 152 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 153 154 static cl::opt<bool> ClCheckLifetime("asan-check-lifetime", 155 cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), 156 cl::Hidden, cl::init(false)); 157 158 // Debug flags. 159 static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 160 cl::init(0)); 161 static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 162 cl::Hidden, cl::init(0)); 163 static cl::opt<std::string> ClDebugFunc("asan-debug-func", 164 cl::Hidden, cl::desc("Debug func")); 165 static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 166 cl::Hidden, cl::init(-1)); 167 static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 168 cl::Hidden, cl::init(-1)); 169 170 namespace { 171 /// A set of dynamically initialized globals extracted from metadata. 172 class SetOfDynamicallyInitializedGlobals { 173 public: 174 void Init(Module& M) { 175 // Clang generates metadata identifying all dynamically initialized globals. 176 NamedMDNode *DynamicGlobals = 177 M.getNamedMetadata("llvm.asan.dynamically_initialized_globals"); 178 if (!DynamicGlobals) 179 return; 180 for (int i = 0, n = DynamicGlobals->getNumOperands(); i < n; ++i) { 181 MDNode *MDN = DynamicGlobals->getOperand(i); 182 assert(MDN->getNumOperands() == 1); 183 Value *VG = MDN->getOperand(0); 184 // The optimizer may optimize away a global entirely, in which case we 185 // cannot instrument access to it. 186 if (!VG) 187 continue; 188 DynInitGlobals.insert(cast<GlobalVariable>(VG)); 189 } 190 } 191 bool Contains(GlobalVariable *G) { return DynInitGlobals.count(G) != 0; } 192 private: 193 SmallSet<GlobalValue*, 32> DynInitGlobals; 194 }; 195 196 /// This struct defines the shadow mapping using the rule: 197 /// shadow = (mem >> Scale) ADD-or-OR Offset. 198 struct ShadowMapping { 199 int Scale; 200 uint64_t Offset; 201 bool OrShadowOffset; 202 }; 203 204 static ShadowMapping getShadowMapping(const Module &M, int LongSize, 205 bool ZeroBaseShadow) { 206 llvm::Triple TargetTriple(M.getTargetTriple()); 207 bool IsAndroid = TargetTriple.getEnvironment() == llvm::Triple::Android; 208 bool IsMacOSX = TargetTriple.getOS() == llvm::Triple::MacOSX; 209 bool IsPPC64 = TargetTriple.getArch() == llvm::Triple::ppc64; 210 bool IsX86_64 = TargetTriple.getArch() == llvm::Triple::x86_64; 211 212 ShadowMapping Mapping; 213 214 // OR-ing shadow offset if more efficient (at least on x86), 215 // but on ppc64 we have to use add since the shadow offset is not neccesary 216 // 1/8-th of the address space. 217 Mapping.OrShadowOffset = !IsPPC64 && !ClShort64BitOffset; 218 219 Mapping.Offset = (IsAndroid || ZeroBaseShadow) ? 0 : 220 (LongSize == 32 ? kDefaultShadowOffset32 : 221 IsPPC64 ? kPPC64_ShadowOffset64 : kDefaultShadowOffset64); 222 if (!ZeroBaseShadow && ClShort64BitOffset && IsX86_64 && !IsMacOSX) { 223 assert(LongSize == 64); 224 Mapping.Offset = kDefaultShort64bitShadowOffset; 225 } 226 if (!ZeroBaseShadow && ClMappingOffsetLog >= 0) { 227 // Zero offset log is the special case. 228 Mapping.Offset = (ClMappingOffsetLog == 0) ? 0 : 1ULL << ClMappingOffsetLog; 229 } 230 231 Mapping.Scale = kDefaultShadowScale; 232 if (ClMappingScale) { 233 Mapping.Scale = ClMappingScale; 234 } 235 236 return Mapping; 237 } 238 239 static size_t RedzoneSizeForScale(int MappingScale) { 240 // Redzone used for stack and globals is at least 32 bytes. 241 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 242 return std::max(32U, 1U << MappingScale); 243 } 244 245 /// AddressSanitizer: instrument the code in module to find memory bugs. 246 struct AddressSanitizer : public FunctionPass { 247 AddressSanitizer(bool CheckInitOrder = true, 248 bool CheckUseAfterReturn = false, 249 bool CheckLifetime = false, 250 StringRef BlacklistFile = StringRef(), 251 bool ZeroBaseShadow = false) 252 : FunctionPass(ID), 253 CheckInitOrder(CheckInitOrder || ClInitializers), 254 CheckUseAfterReturn(CheckUseAfterReturn || ClUseAfterReturn), 255 CheckLifetime(CheckLifetime || ClCheckLifetime), 256 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 257 : BlacklistFile), 258 ZeroBaseShadow(ZeroBaseShadow) {} 259 virtual const char *getPassName() const { 260 return "AddressSanitizerFunctionPass"; 261 } 262 void instrumentMop(Instruction *I); 263 void instrumentAddress(Instruction *OrigIns, Instruction *InsertBefore, 264 Value *Addr, uint32_t TypeSize, bool IsWrite, 265 Value *SizeArgument); 266 Value *createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 267 Value *ShadowValue, uint32_t TypeSize); 268 Instruction *generateCrashCode(Instruction *InsertBefore, Value *Addr, 269 bool IsWrite, size_t AccessSizeIndex, 270 Value *SizeArgument); 271 bool instrumentMemIntrinsic(MemIntrinsic *MI); 272 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 273 Value *Size, 274 Instruction *InsertBefore, bool IsWrite); 275 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 276 bool runOnFunction(Function &F); 277 void createInitializerPoisonCalls(Module &M, 278 Value *FirstAddr, Value *LastAddr); 279 bool maybeInsertAsanInitAtFunctionEntry(Function &F); 280 void emitShadowMapping(Module &M, IRBuilder<> &IRB) const; 281 virtual bool doInitialization(Module &M); 282 static char ID; // Pass identification, replacement for typeid 283 284 private: 285 void initializeCallbacks(Module &M); 286 287 bool ShouldInstrumentGlobal(GlobalVariable *G); 288 bool LooksLikeCodeInBug11395(Instruction *I); 289 void FindDynamicInitializers(Module &M); 290 291 bool CheckInitOrder; 292 bool CheckUseAfterReturn; 293 bool CheckLifetime; 294 SmallString<64> BlacklistFile; 295 bool ZeroBaseShadow; 296 297 LLVMContext *C; 298 DataLayout *TD; 299 int LongSize; 300 Type *IntptrTy; 301 ShadowMapping Mapping; 302 Function *AsanCtorFunction; 303 Function *AsanInitFunction; 304 Function *AsanHandleNoReturnFunc; 305 OwningPtr<BlackList> BL; 306 // This array is indexed by AccessIsWrite and log2(AccessSize). 307 Function *AsanErrorCallback[2][kNumberOfAccessSizes]; 308 // This array is indexed by AccessIsWrite. 309 Function *AsanErrorCallbackSized[2]; 310 InlineAsm *EmptyAsm; 311 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 312 313 friend struct FunctionStackPoisoner; 314 }; 315 316 class AddressSanitizerModule : public ModulePass { 317 public: 318 AddressSanitizerModule(bool CheckInitOrder = true, 319 StringRef BlacklistFile = StringRef(), 320 bool ZeroBaseShadow = false) 321 : ModulePass(ID), 322 CheckInitOrder(CheckInitOrder || ClInitializers), 323 BlacklistFile(BlacklistFile.empty() ? ClBlacklistFile 324 : BlacklistFile), 325 ZeroBaseShadow(ZeroBaseShadow) {} 326 bool runOnModule(Module &M); 327 static char ID; // Pass identification, replacement for typeid 328 virtual const char *getPassName() const { 329 return "AddressSanitizerModule"; 330 } 331 332 private: 333 void initializeCallbacks(Module &M); 334 335 bool ShouldInstrumentGlobal(GlobalVariable *G); 336 void createInitializerPoisonCalls(Module &M, Value *FirstAddr, 337 Value *LastAddr); 338 size_t RedzoneSize() const { 339 return RedzoneSizeForScale(Mapping.Scale); 340 } 341 342 bool CheckInitOrder; 343 SmallString<64> BlacklistFile; 344 bool ZeroBaseShadow; 345 346 OwningPtr<BlackList> BL; 347 SetOfDynamicallyInitializedGlobals DynamicallyInitializedGlobals; 348 Type *IntptrTy; 349 LLVMContext *C; 350 DataLayout *TD; 351 ShadowMapping Mapping; 352 Function *AsanPoisonGlobals; 353 Function *AsanUnpoisonGlobals; 354 Function *AsanRegisterGlobals; 355 Function *AsanUnregisterGlobals; 356 }; 357 358 // Stack poisoning does not play well with exception handling. 359 // When an exception is thrown, we essentially bypass the code 360 // that unpoisones the stack. This is why the run-time library has 361 // to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 362 // stack in the interceptor. This however does not work inside the 363 // actual function which catches the exception. Most likely because the 364 // compiler hoists the load of the shadow value somewhere too high. 365 // This causes asan to report a non-existing bug on 453.povray. 366 // It sounds like an LLVM bug. 367 struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> { 368 Function &F; 369 AddressSanitizer &ASan; 370 DIBuilder DIB; 371 LLVMContext *C; 372 Type *IntptrTy; 373 Type *IntptrPtrTy; 374 ShadowMapping Mapping; 375 376 SmallVector<AllocaInst*, 16> AllocaVec; 377 SmallVector<Instruction*, 8> RetVec; 378 uint64_t TotalStackSize; 379 unsigned StackAlignment; 380 381 Function *AsanStackMallocFunc, *AsanStackFreeFunc; 382 Function *AsanPoisonStackMemoryFunc, *AsanUnpoisonStackMemoryFunc; 383 384 // Stores a place and arguments of poisoning/unpoisoning call for alloca. 385 struct AllocaPoisonCall { 386 IntrinsicInst *InsBefore; 387 uint64_t Size; 388 bool DoPoison; 389 }; 390 SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec; 391 392 // Maps Value to an AllocaInst from which the Value is originated. 393 typedef DenseMap<Value*, AllocaInst*> AllocaForValueMapTy; 394 AllocaForValueMapTy AllocaForValue; 395 396 FunctionStackPoisoner(Function &F, AddressSanitizer &ASan) 397 : F(F), ASan(ASan), DIB(*F.getParent()), C(ASan.C), 398 IntptrTy(ASan.IntptrTy), IntptrPtrTy(PointerType::get(IntptrTy, 0)), 399 Mapping(ASan.Mapping), 400 TotalStackSize(0), StackAlignment(1 << Mapping.Scale) {} 401 402 bool runOnFunction() { 403 if (!ClStack) return false; 404 // Collect alloca, ret, lifetime instructions etc. 405 for (df_iterator<BasicBlock*> DI = df_begin(&F.getEntryBlock()), 406 DE = df_end(&F.getEntryBlock()); DI != DE; ++DI) { 407 BasicBlock *BB = *DI; 408 visit(*BB); 409 } 410 if (AllocaVec.empty()) return false; 411 412 initializeCallbacks(*F.getParent()); 413 414 poisonStack(); 415 416 if (ClDebugStack) { 417 DEBUG(dbgs() << F); 418 } 419 return true; 420 } 421 422 // Finds all static Alloca instructions and puts 423 // poisoned red zones around all of them. 424 // Then unpoison everything back before the function returns. 425 void poisonStack(); 426 427 // ----------------------- Visitors. 428 /// \brief Collect all Ret instructions. 429 void visitReturnInst(ReturnInst &RI) { 430 RetVec.push_back(&RI); 431 } 432 433 /// \brief Collect Alloca instructions we want (and can) handle. 434 void visitAllocaInst(AllocaInst &AI) { 435 if (!isInterestingAlloca(AI)) return; 436 437 StackAlignment = std::max(StackAlignment, AI.getAlignment()); 438 AllocaVec.push_back(&AI); 439 uint64_t AlignedSize = getAlignedAllocaSize(&AI); 440 TotalStackSize += AlignedSize; 441 } 442 443 /// \brief Collect lifetime intrinsic calls to check for use-after-scope 444 /// errors. 445 void visitIntrinsicInst(IntrinsicInst &II) { 446 if (!ASan.CheckLifetime) return; 447 Intrinsic::ID ID = II.getIntrinsicID(); 448 if (ID != Intrinsic::lifetime_start && 449 ID != Intrinsic::lifetime_end) 450 return; 451 // Found lifetime intrinsic, add ASan instrumentation if necessary. 452 ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0)); 453 // If size argument is undefined, don't do anything. 454 if (Size->isMinusOne()) return; 455 // Check that size doesn't saturate uint64_t and can 456 // be stored in IntptrTy. 457 const uint64_t SizeValue = Size->getValue().getLimitedValue(); 458 if (SizeValue == ~0ULL || 459 !ConstantInt::isValueValidForType(IntptrTy, SizeValue)) 460 return; 461 // Find alloca instruction that corresponds to llvm.lifetime argument. 462 AllocaInst *AI = findAllocaForValue(II.getArgOperand(1)); 463 if (!AI) return; 464 bool DoPoison = (ID == Intrinsic::lifetime_end); 465 AllocaPoisonCall APC = {&II, SizeValue, DoPoison}; 466 AllocaPoisonCallVec.push_back(APC); 467 } 468 469 // ---------------------- Helpers. 470 void initializeCallbacks(Module &M); 471 472 // Check if we want (and can) handle this alloca. 473 bool isInterestingAlloca(AllocaInst &AI) { 474 return (!AI.isArrayAllocation() && 475 AI.isStaticAlloca() && 476 AI.getAllocatedType()->isSized()); 477 } 478 479 size_t RedzoneSize() const { 480 return RedzoneSizeForScale(Mapping.Scale); 481 } 482 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 483 Type *Ty = AI->getAllocatedType(); 484 uint64_t SizeInBytes = ASan.TD->getTypeAllocSize(Ty); 485 return SizeInBytes; 486 } 487 uint64_t getAlignedSize(uint64_t SizeInBytes) { 488 size_t RZ = RedzoneSize(); 489 return ((SizeInBytes + RZ - 1) / RZ) * RZ; 490 } 491 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 492 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 493 return getAlignedSize(SizeInBytes); 494 } 495 /// Finds alloca where the value comes from. 496 AllocaInst *findAllocaForValue(Value *V); 497 void poisonRedZones(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 498 Value *ShadowBase, bool DoPoison); 499 void poisonAlloca(Value *V, uint64_t Size, IRBuilder<> IRB, bool DoPoison); 500 }; 501 502 } // namespace 503 504 char AddressSanitizer::ID = 0; 505 INITIALIZE_PASS(AddressSanitizer, "asan", 506 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 507 false, false) 508 FunctionPass *llvm::createAddressSanitizerFunctionPass( 509 bool CheckInitOrder, bool CheckUseAfterReturn, bool CheckLifetime, 510 StringRef BlacklistFile, bool ZeroBaseShadow) { 511 return new AddressSanitizer(CheckInitOrder, CheckUseAfterReturn, 512 CheckLifetime, BlacklistFile, ZeroBaseShadow); 513 } 514 515 char AddressSanitizerModule::ID = 0; 516 INITIALIZE_PASS(AddressSanitizerModule, "asan-module", 517 "AddressSanitizer: detects use-after-free and out-of-bounds bugs." 518 "ModulePass", false, false) 519 ModulePass *llvm::createAddressSanitizerModulePass( 520 bool CheckInitOrder, StringRef BlacklistFile, bool ZeroBaseShadow) { 521 return new AddressSanitizerModule(CheckInitOrder, BlacklistFile, 522 ZeroBaseShadow); 523 } 524 525 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) { 526 size_t Res = CountTrailingZeros_32(TypeSize / 8); 527 assert(Res < kNumberOfAccessSizes); 528 return Res; 529 } 530 531 // Create a constant for Str so that we can pass it to the run-time lib. 532 static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 533 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 534 GlobalVariable *GV = new GlobalVariable(M, StrConst->getType(), true, 535 GlobalValue::PrivateLinkage, StrConst, 536 kAsanGenPrefix); 537 GV->setUnnamedAddr(true); // Ok to merge these. 538 GV->setAlignment(1); // Strings may not be merged w/o setting align 1. 539 return GV; 540 } 541 542 static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { 543 return G->getName().find(kAsanGenPrefix) == 0; 544 } 545 546 Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 547 // Shadow >> scale 548 Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); 549 if (Mapping.Offset == 0) 550 return Shadow; 551 // (Shadow >> scale) | offset 552 if (Mapping.OrShadowOffset) 553 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); 554 else 555 return IRB.CreateAdd(Shadow, ConstantInt::get(IntptrTy, Mapping.Offset)); 556 } 557 558 void AddressSanitizer::instrumentMemIntrinsicParam( 559 Instruction *OrigIns, 560 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 561 IRBuilder<> IRB(InsertBefore); 562 if (Size->getType() != IntptrTy) 563 Size = IRB.CreateIntCast(Size, IntptrTy, false); 564 // Check the first byte. 565 instrumentAddress(OrigIns, InsertBefore, Addr, 8, IsWrite, Size); 566 // Check the last byte. 567 IRB.SetInsertPoint(InsertBefore); 568 Value *SizeMinusOne = IRB.CreateSub(Size, ConstantInt::get(IntptrTy, 1)); 569 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 570 Value *AddrLast = IRB.CreateAdd(AddrLong, SizeMinusOne); 571 instrumentAddress(OrigIns, InsertBefore, AddrLast, 8, IsWrite, Size); 572 } 573 574 // Instrument memset/memmove/memcpy 575 bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 576 Value *Dst = MI->getDest(); 577 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 578 Value *Src = MemTran ? MemTran->getSource() : 0; 579 Value *Length = MI->getLength(); 580 581 Constant *ConstLength = dyn_cast<Constant>(Length); 582 Instruction *InsertBefore = MI; 583 if (ConstLength) { 584 if (ConstLength->isNullValue()) return false; 585 } else { 586 // The size is not a constant so it could be zero -- check at run-time. 587 IRBuilder<> IRB(InsertBefore); 588 589 Value *Cmp = IRB.CreateICmpNE(Length, 590 Constant::getNullValue(Length->getType())); 591 InsertBefore = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 592 } 593 594 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 595 if (Src) 596 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 597 return true; 598 } 599 600 // If I is an interesting memory access, return the PointerOperand 601 // and set IsWrite. Otherwise return NULL. 602 static Value *isInterestingMemoryAccess(Instruction *I, bool *IsWrite) { 603 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 604 if (!ClInstrumentReads) return NULL; 605 *IsWrite = false; 606 return LI->getPointerOperand(); 607 } 608 if (StoreInst *SI = dyn_cast<StoreInst>(I)) { 609 if (!ClInstrumentWrites) return NULL; 610 *IsWrite = true; 611 return SI->getPointerOperand(); 612 } 613 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) { 614 if (!ClInstrumentAtomics) return NULL; 615 *IsWrite = true; 616 return RMW->getPointerOperand(); 617 } 618 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) { 619 if (!ClInstrumentAtomics) return NULL; 620 *IsWrite = true; 621 return XCHG->getPointerOperand(); 622 } 623 return NULL; 624 } 625 626 void AddressSanitizer::instrumentMop(Instruction *I) { 627 bool IsWrite = false; 628 Value *Addr = isInterestingMemoryAccess(I, &IsWrite); 629 assert(Addr); 630 if (ClOpt && ClOptGlobals) { 631 if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) { 632 // If initialization order checking is disabled, a simple access to a 633 // dynamically initialized global is always valid. 634 if (!CheckInitOrder) 635 return; 636 // If a global variable does not have dynamic initialization we don't 637 // have to instrument it. However, if a global does not have initailizer 638 // at all, we assume it has dynamic initializer (in other TU). 639 if (G->hasInitializer() && !DynamicallyInitializedGlobals.Contains(G)) 640 return; 641 } 642 } 643 644 Type *OrigPtrTy = Addr->getType(); 645 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 646 647 assert(OrigTy->isSized()); 648 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 649 650 assert((TypeSize % 8) == 0); 651 652 // Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check. 653 if (TypeSize == 8 || TypeSize == 16 || 654 TypeSize == 32 || TypeSize == 64 || TypeSize == 128) 655 return instrumentAddress(I, I, Addr, TypeSize, IsWrite, 0); 656 // Instrument unusual size (but still multiple of 8). 657 // We can not do it with a single check, so we do 1-byte check for the first 658 // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able 659 // to report the actual access size. 660 IRBuilder<> IRB(I); 661 Value *LastByte = IRB.CreateIntToPtr( 662 IRB.CreateAdd(IRB.CreatePointerCast(Addr, IntptrTy), 663 ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), 664 OrigPtrTy); 665 Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); 666 instrumentAddress(I, I, Addr, 8, IsWrite, Size); 667 instrumentAddress(I, I, LastByte, 8, IsWrite, Size); 668 } 669 670 // Validate the result of Module::getOrInsertFunction called for an interface 671 // function of AddressSanitizer. If the instrumented module defines a function 672 // with the same name, their prototypes must match, otherwise 673 // getOrInsertFunction returns a bitcast. 674 static Function *checkInterfaceFunction(Constant *FuncOrBitcast) { 675 if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast); 676 FuncOrBitcast->dump(); 677 report_fatal_error("trying to redefine an AddressSanitizer " 678 "interface function"); 679 } 680 681 Instruction *AddressSanitizer::generateCrashCode( 682 Instruction *InsertBefore, Value *Addr, 683 bool IsWrite, size_t AccessSizeIndex, Value *SizeArgument) { 684 IRBuilder<> IRB(InsertBefore); 685 CallInst *Call = SizeArgument 686 ? IRB.CreateCall2(AsanErrorCallbackSized[IsWrite], Addr, SizeArgument) 687 : IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], Addr); 688 689 // We don't do Call->setDoesNotReturn() because the BB already has 690 // UnreachableInst at the end. 691 // This EmptyAsm is required to avoid callback merge. 692 IRB.CreateCall(EmptyAsm); 693 return Call; 694 } 695 696 Value *AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value *AddrLong, 697 Value *ShadowValue, 698 uint32_t TypeSize) { 699 size_t Granularity = 1 << Mapping.Scale; 700 // Addr & (Granularity - 1) 701 Value *LastAccessedByte = IRB.CreateAnd( 702 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 703 // (Addr & (Granularity - 1)) + size - 1 704 if (TypeSize / 8 > 1) 705 LastAccessedByte = IRB.CreateAdd( 706 LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 707 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 708 LastAccessedByte = IRB.CreateIntCast( 709 LastAccessedByte, ShadowValue->getType(), false); 710 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 711 return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue); 712 } 713 714 void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 715 Instruction *InsertBefore, 716 Value *Addr, uint32_t TypeSize, 717 bool IsWrite, Value *SizeArgument) { 718 IRBuilder<> IRB(InsertBefore); 719 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 720 721 Type *ShadowTy = IntegerType::get( 722 *C, std::max(8U, TypeSize >> Mapping.Scale)); 723 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 724 Value *ShadowPtr = memToShadow(AddrLong, IRB); 725 Value *CmpVal = Constant::getNullValue(ShadowTy); 726 Value *ShadowValue = IRB.CreateLoad( 727 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 728 729 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 730 size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize); 731 size_t Granularity = 1 << Mapping.Scale; 732 TerminatorInst *CrashTerm = 0; 733 734 if (ClAlwaysSlowPath || (TypeSize < 8 * Granularity)) { 735 TerminatorInst *CheckTerm = 736 SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), false); 737 assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional()); 738 BasicBlock *NextBB = CheckTerm->getSuccessor(0); 739 IRB.SetInsertPoint(CheckTerm); 740 Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize); 741 BasicBlock *CrashBlock = 742 BasicBlock::Create(*C, "", NextBB->getParent(), NextBB); 743 CrashTerm = new UnreachableInst(*C, CrashBlock); 744 BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2); 745 ReplaceInstWithInst(CheckTerm, NewTerm); 746 } else { 747 CrashTerm = SplitBlockAndInsertIfThen(cast<Instruction>(Cmp), true); 748 } 749 750 Instruction *Crash = generateCrashCode( 751 CrashTerm, AddrLong, IsWrite, AccessSizeIndex, SizeArgument); 752 Crash->setDebugLoc(OrigIns->getDebugLoc()); 753 } 754 755 void AddressSanitizerModule::createInitializerPoisonCalls( 756 Module &M, Value *FirstAddr, Value *LastAddr) { 757 // We do all of our poisoning and unpoisoning within _GLOBAL__I_a. 758 Function *GlobalInit = M.getFunction("_GLOBAL__I_a"); 759 // If that function is not present, this TU contains no globals, or they have 760 // all been optimized away 761 if (!GlobalInit) 762 return; 763 764 // Set up the arguments to our poison/unpoison functions. 765 IRBuilder<> IRB(GlobalInit->begin()->getFirstInsertionPt()); 766 767 // Add a call to poison all external globals before the given function starts. 768 IRB.CreateCall2(AsanPoisonGlobals, FirstAddr, LastAddr); 769 770 // Add calls to unpoison all globals before each return instruction. 771 for (Function::iterator I = GlobalInit->begin(), E = GlobalInit->end(); 772 I != E; ++I) { 773 if (ReturnInst *RI = dyn_cast<ReturnInst>(I->getTerminator())) { 774 CallInst::Create(AsanUnpoisonGlobals, "", RI); 775 } 776 } 777 } 778 779 bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) { 780 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 781 DEBUG(dbgs() << "GLOBAL: " << *G << "\n"); 782 783 if (BL->isIn(*G)) return false; 784 if (!Ty->isSized()) return false; 785 if (!G->hasInitializer()) return false; 786 if (GlobalWasGeneratedByAsan(G)) return false; // Our own global. 787 // Touch only those globals that will not be defined in other modules. 788 // Don't handle ODR type linkages since other modules may be built w/o asan. 789 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 790 G->getLinkage() != GlobalVariable::PrivateLinkage && 791 G->getLinkage() != GlobalVariable::InternalLinkage) 792 return false; 793 // Two problems with thread-locals: 794 // - The address of the main thread's copy can't be computed at link-time. 795 // - Need to poison all copies, not just the main thread's one. 796 if (G->isThreadLocal()) 797 return false; 798 // For now, just ignore this Alloca if the alignment is large. 799 if (G->getAlignment() > RedzoneSize()) return false; 800 801 // Ignore all the globals with the names starting with "\01L_OBJC_". 802 // Many of those are put into the .cstring section. The linker compresses 803 // that section by removing the spare \0s after the string terminator, so 804 // our redzones get broken. 805 if ((G->getName().find("\01L_OBJC_") == 0) || 806 (G->getName().find("\01l_OBJC_") == 0)) { 807 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 808 return false; 809 } 810 811 if (G->hasSection()) { 812 StringRef Section(G->getSection()); 813 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 814 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 815 // them. 816 if ((Section.find("__OBJC,") == 0) || 817 (Section.find("__DATA, __objc_") == 0)) { 818 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 819 return false; 820 } 821 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 822 // Constant CFString instances are compiled in the following way: 823 // -- the string buffer is emitted into 824 // __TEXT,__cstring,cstring_literals 825 // -- the constant NSConstantString structure referencing that buffer 826 // is placed into __DATA,__cfstring 827 // Therefore there's no point in placing redzones into __DATA,__cfstring. 828 // Moreover, it causes the linker to crash on OS X 10.7 829 if (Section.find("__DATA,__cfstring") == 0) { 830 DEBUG(dbgs() << "Ignoring CFString: " << *G); 831 return false; 832 } 833 } 834 835 return true; 836 } 837 838 void AddressSanitizerModule::initializeCallbacks(Module &M) { 839 IRBuilder<> IRB(*C); 840 // Declare our poisoning and unpoisoning functions. 841 AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 842 kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 843 AsanPoisonGlobals->setLinkage(Function::ExternalLinkage); 844 AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction( 845 kAsanUnpoisonGlobalsName, IRB.getVoidTy(), NULL)); 846 AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage); 847 // Declare functions that register/unregister globals. 848 AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 849 kAsanRegisterGlobalsName, IRB.getVoidTy(), 850 IntptrTy, IntptrTy, NULL)); 851 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 852 AsanUnregisterGlobals = checkInterfaceFunction(M.getOrInsertFunction( 853 kAsanUnregisterGlobalsName, 854 IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 855 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 856 } 857 858 // This function replaces all global variables with new variables that have 859 // trailing redzones. It also creates a function that poisons 860 // redzones and inserts this function into llvm.global_ctors. 861 bool AddressSanitizerModule::runOnModule(Module &M) { 862 if (!ClGlobals) return false; 863 TD = getAnalysisIfAvailable<DataLayout>(); 864 if (!TD) 865 return false; 866 BL.reset(new BlackList(BlacklistFile)); 867 if (BL->isIn(M)) return false; 868 C = &(M.getContext()); 869 int LongSize = TD->getPointerSizeInBits(); 870 IntptrTy = Type::getIntNTy(*C, LongSize); 871 Mapping = getShadowMapping(M, LongSize, ZeroBaseShadow); 872 initializeCallbacks(M); 873 DynamicallyInitializedGlobals.Init(M); 874 875 SmallVector<GlobalVariable *, 16> GlobalsToChange; 876 877 for (Module::GlobalListType::iterator G = M.global_begin(), 878 E = M.global_end(); G != E; ++G) { 879 if (ShouldInstrumentGlobal(G)) 880 GlobalsToChange.push_back(G); 881 } 882 883 size_t n = GlobalsToChange.size(); 884 if (n == 0) return false; 885 886 // A global is described by a structure 887 // size_t beg; 888 // size_t size; 889 // size_t size_with_redzone; 890 // const char *name; 891 // const char *module_name; 892 // size_t has_dynamic_init; 893 // We initialize an array of such structures and pass it to a run-time call. 894 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 895 IntptrTy, IntptrTy, 896 IntptrTy, IntptrTy, NULL); 897 SmallVector<Constant *, 16> Initializers(n), DynamicInit; 898 899 900 Function *CtorFunc = M.getFunction(kAsanModuleCtorName); 901 assert(CtorFunc); 902 IRBuilder<> IRB(CtorFunc->getEntryBlock().getTerminator()); 903 904 // The addresses of the first and last dynamically initialized globals in 905 // this TU. Used in initialization order checking. 906 Value *FirstDynamic = 0, *LastDynamic = 0; 907 908 GlobalVariable *ModuleName = createPrivateGlobalForString( 909 M, M.getModuleIdentifier()); 910 911 for (size_t i = 0; i < n; i++) { 912 static const uint64_t kMaxGlobalRedzone = 1 << 18; 913 GlobalVariable *G = GlobalsToChange[i]; 914 PointerType *PtrTy = cast<PointerType>(G->getType()); 915 Type *Ty = PtrTy->getElementType(); 916 uint64_t SizeInBytes = TD->getTypeAllocSize(Ty); 917 uint64_t MinRZ = RedzoneSize(); 918 // MinRZ <= RZ <= kMaxGlobalRedzone 919 // and trying to make RZ to be ~ 1/4 of SizeInBytes. 920 uint64_t RZ = std::max(MinRZ, 921 std::min(kMaxGlobalRedzone, 922 (SizeInBytes / MinRZ / 4) * MinRZ)); 923 uint64_t RightRedzoneSize = RZ; 924 // Round up to MinRZ 925 if (SizeInBytes % MinRZ) 926 RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ); 927 assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0); 928 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 929 // Determine whether this global should be poisoned in initialization. 930 bool GlobalHasDynamicInitializer = 931 DynamicallyInitializedGlobals.Contains(G); 932 // Don't check initialization order if this global is blacklisted. 933 GlobalHasDynamicInitializer &= !BL->isInInit(*G); 934 935 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 936 Constant *NewInitializer = ConstantStruct::get( 937 NewTy, G->getInitializer(), 938 Constant::getNullValue(RightRedZoneTy), NULL); 939 940 GlobalVariable *Name = createPrivateGlobalForString(M, G->getName()); 941 942 // Create a new global variable with enough space for a redzone. 943 GlobalVariable *NewGlobal = new GlobalVariable( 944 M, NewTy, G->isConstant(), G->getLinkage(), 945 NewInitializer, "", G, G->getThreadLocalMode()); 946 NewGlobal->copyAttributesFrom(G); 947 NewGlobal->setAlignment(MinRZ); 948 949 Value *Indices2[2]; 950 Indices2[0] = IRB.getInt32(0); 951 Indices2[1] = IRB.getInt32(0); 952 953 G->replaceAllUsesWith( 954 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 955 NewGlobal->takeName(G); 956 G->eraseFromParent(); 957 958 Initializers[i] = ConstantStruct::get( 959 GlobalStructTy, 960 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 961 ConstantInt::get(IntptrTy, SizeInBytes), 962 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 963 ConstantExpr::getPointerCast(Name, IntptrTy), 964 ConstantExpr::getPointerCast(ModuleName, IntptrTy), 965 ConstantInt::get(IntptrTy, GlobalHasDynamicInitializer), 966 NULL); 967 968 // Populate the first and last globals declared in this TU. 969 if (CheckInitOrder && GlobalHasDynamicInitializer) { 970 LastDynamic = ConstantExpr::getPointerCast(NewGlobal, IntptrTy); 971 if (FirstDynamic == 0) 972 FirstDynamic = LastDynamic; 973 } 974 975 DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); 976 } 977 978 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 979 GlobalVariable *AllGlobals = new GlobalVariable( 980 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 981 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 982 983 // Create calls for poisoning before initializers run and unpoisoning after. 984 if (CheckInitOrder && FirstDynamic && LastDynamic) 985 createInitializerPoisonCalls(M, FirstDynamic, LastDynamic); 986 IRB.CreateCall2(AsanRegisterGlobals, 987 IRB.CreatePointerCast(AllGlobals, IntptrTy), 988 ConstantInt::get(IntptrTy, n)); 989 990 // We also need to unregister globals at the end, e.g. when a shared library 991 // gets closed. 992 Function *AsanDtorFunction = Function::Create( 993 FunctionType::get(Type::getVoidTy(*C), false), 994 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 995 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 996 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 997 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 998 IRB.CreatePointerCast(AllGlobals, IntptrTy), 999 ConstantInt::get(IntptrTy, n)); 1000 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 1001 1002 DEBUG(dbgs() << M); 1003 return true; 1004 } 1005 1006 void AddressSanitizer::initializeCallbacks(Module &M) { 1007 IRBuilder<> IRB(*C); 1008 // Create __asan_report* callbacks. 1009 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) { 1010 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 1011 AccessSizeIndex++) { 1012 // IsWrite and TypeSize are encoded in the function name. 1013 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 1014 (AccessIsWrite ? "store" : "load") + itostr(1 << AccessSizeIndex); 1015 // If we are merging crash callbacks, they have two parameters. 1016 AsanErrorCallback[AccessIsWrite][AccessSizeIndex] = 1017 checkInterfaceFunction(M.getOrInsertFunction( 1018 FunctionName, IRB.getVoidTy(), IntptrTy, NULL)); 1019 } 1020 } 1021 AsanErrorCallbackSized[0] = checkInterfaceFunction(M.getOrInsertFunction( 1022 kAsanReportLoadN, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1023 AsanErrorCallbackSized[1] = checkInterfaceFunction(M.getOrInsertFunction( 1024 kAsanReportStoreN, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1025 1026 AsanHandleNoReturnFunc = checkInterfaceFunction(M.getOrInsertFunction( 1027 kAsanHandleNoReturnName, IRB.getVoidTy(), NULL)); 1028 // We insert an empty inline asm after __asan_report* to avoid callback merge. 1029 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 1030 StringRef(""), StringRef(""), 1031 /*hasSideEffects=*/true); 1032 } 1033 1034 void AddressSanitizer::emitShadowMapping(Module &M, IRBuilder<> &IRB) const { 1035 // Tell the values of mapping offset and scale to the run-time. 1036 GlobalValue *asan_mapping_offset = 1037 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 1038 ConstantInt::get(IntptrTy, Mapping.Offset), 1039 kAsanMappingOffsetName); 1040 // Read the global, otherwise it may be optimized away. 1041 IRB.CreateLoad(asan_mapping_offset, true); 1042 1043 GlobalValue *asan_mapping_scale = 1044 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 1045 ConstantInt::get(IntptrTy, Mapping.Scale), 1046 kAsanMappingScaleName); 1047 // Read the global, otherwise it may be optimized away. 1048 IRB.CreateLoad(asan_mapping_scale, true); 1049 } 1050 1051 // virtual 1052 bool AddressSanitizer::doInitialization(Module &M) { 1053 // Initialize the private fields. No one has accessed them before. 1054 TD = getAnalysisIfAvailable<DataLayout>(); 1055 1056 if (!TD) 1057 return false; 1058 BL.reset(new BlackList(BlacklistFile)); 1059 DynamicallyInitializedGlobals.Init(M); 1060 1061 C = &(M.getContext()); 1062 LongSize = TD->getPointerSizeInBits(); 1063 IntptrTy = Type::getIntNTy(*C, LongSize); 1064 1065 AsanCtorFunction = Function::Create( 1066 FunctionType::get(Type::getVoidTy(*C), false), 1067 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 1068 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 1069 // call __asan_init in the module ctor. 1070 IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB)); 1071 AsanInitFunction = checkInterfaceFunction( 1072 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 1073 AsanInitFunction->setLinkage(Function::ExternalLinkage); 1074 IRB.CreateCall(AsanInitFunction); 1075 1076 Mapping = getShadowMapping(M, LongSize, ZeroBaseShadow); 1077 emitShadowMapping(M, IRB); 1078 1079 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 1080 return true; 1081 } 1082 1083 bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) { 1084 // For each NSObject descendant having a +load method, this method is invoked 1085 // by the ObjC runtime before any of the static constructors is called. 1086 // Therefore we need to instrument such methods with a call to __asan_init 1087 // at the beginning in order to initialize our runtime before any access to 1088 // the shadow memory. 1089 // We cannot just ignore these methods, because they may call other 1090 // instrumented functions. 1091 if (F.getName().find(" load]") != std::string::npos) { 1092 IRBuilder<> IRB(F.begin()->begin()); 1093 IRB.CreateCall(AsanInitFunction); 1094 return true; 1095 } 1096 return false; 1097 } 1098 1099 bool AddressSanitizer::runOnFunction(Function &F) { 1100 if (BL->isIn(F)) return false; 1101 if (&F == AsanCtorFunction) return false; 1102 if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false; 1103 DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n"); 1104 initializeCallbacks(*F.getParent()); 1105 1106 // If needed, insert __asan_init before checking for SanitizeAddress attr. 1107 maybeInsertAsanInitAtFunctionEntry(F); 1108 1109 if (!F.getAttributes().hasAttribute(AttributeSet::FunctionIndex, 1110 Attribute::SanitizeAddress)) 1111 return false; 1112 1113 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 1114 return false; 1115 1116 // We want to instrument every address only once per basic block (unless there 1117 // are calls between uses). 1118 SmallSet<Value*, 16> TempsToInstrument; 1119 SmallVector<Instruction*, 16> ToInstrument; 1120 SmallVector<Instruction*, 8> NoReturnCalls; 1121 bool IsWrite; 1122 1123 // Fill the set of memory operations to instrument. 1124 for (Function::iterator FI = F.begin(), FE = F.end(); 1125 FI != FE; ++FI) { 1126 TempsToInstrument.clear(); 1127 int NumInsnsPerBB = 0; 1128 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 1129 BI != BE; ++BI) { 1130 if (LooksLikeCodeInBug11395(BI)) return false; 1131 if (Value *Addr = isInterestingMemoryAccess(BI, &IsWrite)) { 1132 if (ClOpt && ClOptSameTemp) { 1133 if (!TempsToInstrument.insert(Addr)) 1134 continue; // We've seen this temp in the current BB. 1135 } 1136 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 1137 // ok, take it. 1138 } else { 1139 CallSite CS(BI); 1140 if (CS) { 1141 // A call inside BB. 1142 TempsToInstrument.clear(); 1143 if (CS.doesNotReturn()) 1144 NoReturnCalls.push_back(CS.getInstruction()); 1145 } 1146 continue; 1147 } 1148 ToInstrument.push_back(BI); 1149 NumInsnsPerBB++; 1150 if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) 1151 break; 1152 } 1153 } 1154 1155 // Instrument. 1156 int NumInstrumented = 0; 1157 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 1158 Instruction *Inst = ToInstrument[i]; 1159 if (ClDebugMin < 0 || ClDebugMax < 0 || 1160 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 1161 if (isInterestingMemoryAccess(Inst, &IsWrite)) 1162 instrumentMop(Inst); 1163 else 1164 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 1165 } 1166 NumInstrumented++; 1167 } 1168 1169 FunctionStackPoisoner FSP(F, *this); 1170 bool ChangedStack = FSP.runOnFunction(); 1171 1172 // We must unpoison the stack before every NoReturn call (throw, _exit, etc). 1173 // See e.g. http://code.google.com/p/address-sanitizer/issues/detail?id=37 1174 for (size_t i = 0, n = NoReturnCalls.size(); i != n; i++) { 1175 Instruction *CI = NoReturnCalls[i]; 1176 IRBuilder<> IRB(CI); 1177 IRB.CreateCall(AsanHandleNoReturnFunc); 1178 } 1179 DEBUG(dbgs() << "ASAN done instrumenting:\n" << F << "\n"); 1180 1181 return NumInstrumented > 0 || ChangedStack || !NoReturnCalls.empty(); 1182 } 1183 1184 static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 1185 if (ShadowRedzoneSize == 1) return PoisonByte; 1186 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 1187 if (ShadowRedzoneSize == 4) 1188 return (PoisonByte << 24) + (PoisonByte << 16) + 1189 (PoisonByte << 8) + (PoisonByte); 1190 llvm_unreachable("ShadowRedzoneSize is either 1, 2 or 4"); 1191 } 1192 1193 static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 1194 size_t Size, 1195 size_t RZSize, 1196 size_t ShadowGranularity, 1197 uint8_t Magic) { 1198 for (size_t i = 0; i < RZSize; 1199 i+= ShadowGranularity, Shadow++) { 1200 if (i + ShadowGranularity <= Size) { 1201 *Shadow = 0; // fully addressable 1202 } else if (i >= Size) { 1203 *Shadow = Magic; // unaddressable 1204 } else { 1205 *Shadow = Size - i; // first Size-i bytes are addressable 1206 } 1207 } 1208 } 1209 1210 // Workaround for bug 11395: we don't want to instrument stack in functions 1211 // with large assembly blobs (32-bit only), otherwise reg alloc may crash. 1212 // FIXME: remove once the bug 11395 is fixed. 1213 bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 1214 if (LongSize != 32) return false; 1215 CallInst *CI = dyn_cast<CallInst>(I); 1216 if (!CI || !CI->isInlineAsm()) return false; 1217 if (CI->getNumArgOperands() <= 5) return false; 1218 // We have inline assembly with quite a few arguments. 1219 return true; 1220 } 1221 1222 void FunctionStackPoisoner::initializeCallbacks(Module &M) { 1223 IRBuilder<> IRB(*C); 1224 AsanStackMallocFunc = checkInterfaceFunction(M.getOrInsertFunction( 1225 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL)); 1226 AsanStackFreeFunc = checkInterfaceFunction(M.getOrInsertFunction( 1227 kAsanStackFreeName, IRB.getVoidTy(), 1228 IntptrTy, IntptrTy, IntptrTy, NULL)); 1229 AsanPoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1230 kAsanPoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1231 AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(M.getOrInsertFunction( 1232 kAsanUnpoisonStackMemoryName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 1233 } 1234 1235 void FunctionStackPoisoner::poisonRedZones( 1236 const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, Value *ShadowBase, 1237 bool DoPoison) { 1238 size_t ShadowRZSize = RedzoneSize() >> Mapping.Scale; 1239 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 1240 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 1241 Type *RZPtrTy = PointerType::get(RZTy, 0); 1242 1243 Value *PoisonLeft = ConstantInt::get(RZTy, 1244 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 1245 Value *PoisonMid = ConstantInt::get(RZTy, 1246 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 1247 Value *PoisonRight = ConstantInt::get(RZTy, 1248 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 1249 1250 // poison the first red zone. 1251 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 1252 1253 // poison all other red zones. 1254 uint64_t Pos = RedzoneSize(); 1255 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1256 AllocaInst *AI = AllocaVec[i]; 1257 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1258 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1259 assert(AlignedSize - SizeInBytes < RedzoneSize()); 1260 Value *Ptr = NULL; 1261 1262 Pos += AlignedSize; 1263 1264 assert(ShadowBase->getType() == IntptrTy); 1265 if (SizeInBytes < AlignedSize) { 1266 // Poison the partial redzone at right 1267 Ptr = IRB.CreateAdd( 1268 ShadowBase, ConstantInt::get(IntptrTy, 1269 (Pos >> Mapping.Scale) - ShadowRZSize)); 1270 size_t AddressableBytes = RedzoneSize() - (AlignedSize - SizeInBytes); 1271 uint32_t Poison = 0; 1272 if (DoPoison) { 1273 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 1274 RedzoneSize(), 1275 1ULL << Mapping.Scale, 1276 kAsanStackPartialRedzoneMagic); 1277 } 1278 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 1279 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1280 } 1281 1282 // Poison the full redzone at right. 1283 Ptr = IRB.CreateAdd(ShadowBase, 1284 ConstantInt::get(IntptrTy, Pos >> Mapping.Scale)); 1285 bool LastAlloca = (i == AllocaVec.size() - 1); 1286 Value *Poison = LastAlloca ? PoisonRight : PoisonMid; 1287 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 1288 1289 Pos += RedzoneSize(); 1290 } 1291 } 1292 1293 void FunctionStackPoisoner::poisonStack() { 1294 uint64_t LocalStackSize = TotalStackSize + 1295 (AllocaVec.size() + 1) * RedzoneSize(); 1296 1297 bool DoStackMalloc = ASan.CheckUseAfterReturn 1298 && LocalStackSize <= kMaxStackMallocSize; 1299 1300 assert(AllocaVec.size() > 0); 1301 Instruction *InsBefore = AllocaVec[0]; 1302 IRBuilder<> IRB(InsBefore); 1303 1304 1305 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 1306 AllocaInst *MyAlloca = 1307 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 1308 if (ClRealignStack && StackAlignment < RedzoneSize()) 1309 StackAlignment = RedzoneSize(); 1310 MyAlloca->setAlignment(StackAlignment); 1311 assert(MyAlloca->isStaticAlloca()); 1312 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 1313 Value *LocalStackBase = OrigStackBase; 1314 1315 if (DoStackMalloc) { 1316 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 1317 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 1318 } 1319 1320 // This string will be parsed by the run-time (DescribeStackAddress). 1321 SmallString<2048> StackDescriptionStorage; 1322 raw_svector_ostream StackDescription(StackDescriptionStorage); 1323 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 1324 1325 // Insert poison calls for lifetime intrinsics for alloca. 1326 bool HavePoisonedAllocas = false; 1327 for (size_t i = 0, n = AllocaPoisonCallVec.size(); i < n; i++) { 1328 const AllocaPoisonCall &APC = AllocaPoisonCallVec[i]; 1329 IntrinsicInst *II = APC.InsBefore; 1330 AllocaInst *AI = findAllocaForValue(II->getArgOperand(1)); 1331 assert(AI); 1332 IRBuilder<> IRB(II); 1333 poisonAlloca(AI, APC.Size, IRB, APC.DoPoison); 1334 HavePoisonedAllocas |= APC.DoPoison; 1335 } 1336 1337 uint64_t Pos = RedzoneSize(); 1338 // Replace Alloca instructions with base+offset. 1339 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 1340 AllocaInst *AI = AllocaVec[i]; 1341 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 1342 StringRef Name = AI->getName(); 1343 StackDescription << Pos << " " << SizeInBytes << " " 1344 << Name.size() << " " << Name << " "; 1345 uint64_t AlignedSize = getAlignedAllocaSize(AI); 1346 assert((AlignedSize % RedzoneSize()) == 0); 1347 Value *NewAllocaPtr = IRB.CreateIntToPtr( 1348 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 1349 AI->getType()); 1350 replaceDbgDeclareForAlloca(AI, NewAllocaPtr, DIB); 1351 AI->replaceAllUsesWith(NewAllocaPtr); 1352 Pos += AlignedSize + RedzoneSize(); 1353 } 1354 assert(Pos == LocalStackSize); 1355 1356 // Write the Magic value and the frame description constant to the redzone. 1357 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 1358 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 1359 BasePlus0); 1360 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 1361 ConstantInt::get(IntptrTy, 1362 ASan.LongSize/8)); 1363 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 1364 GlobalVariable *StackDescriptionGlobal = 1365 createPrivateGlobalForString(*F.getParent(), StackDescription.str()); 1366 Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, 1367 IntptrTy); 1368 IRB.CreateStore(Description, BasePlus1); 1369 1370 // Poison the stack redzones at the entry. 1371 Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB); 1372 poisonRedZones(AllocaVec, IRB, ShadowBase, true); 1373 1374 // Unpoison the stack before all ret instructions. 1375 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 1376 Instruction *Ret = RetVec[i]; 1377 IRBuilder<> IRBRet(Ret); 1378 // Mark the current frame as retired. 1379 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 1380 BasePlus0); 1381 // Unpoison the stack. 1382 poisonRedZones(AllocaVec, IRBRet, ShadowBase, false); 1383 if (DoStackMalloc) { 1384 // In use-after-return mode, mark the whole stack frame unaddressable. 1385 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 1386 ConstantInt::get(IntptrTy, LocalStackSize), 1387 OrigStackBase); 1388 } else if (HavePoisonedAllocas) { 1389 // If we poisoned some allocas in llvm.lifetime analysis, 1390 // unpoison whole stack frame now. 1391 assert(LocalStackBase == OrigStackBase); 1392 poisonAlloca(LocalStackBase, LocalStackSize, IRBRet, false); 1393 } 1394 } 1395 1396 // We are done. Remove the old unused alloca instructions. 1397 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) 1398 AllocaVec[i]->eraseFromParent(); 1399 } 1400 1401 void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size, 1402 IRBuilder<> IRB, bool DoPoison) { 1403 // For now just insert the call to ASan runtime. 1404 Value *AddrArg = IRB.CreatePointerCast(V, IntptrTy); 1405 Value *SizeArg = ConstantInt::get(IntptrTy, Size); 1406 IRB.CreateCall2(DoPoison ? AsanPoisonStackMemoryFunc 1407 : AsanUnpoisonStackMemoryFunc, 1408 AddrArg, SizeArg); 1409 } 1410 1411 // Handling llvm.lifetime intrinsics for a given %alloca: 1412 // (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca. 1413 // (2) if %size is constant, poison memory for llvm.lifetime.end (to detect 1414 // invalid accesses) and unpoison it for llvm.lifetime.start (the memory 1415 // could be poisoned by previous llvm.lifetime.end instruction, as the 1416 // variable may go in and out of scope several times, e.g. in loops). 1417 // (3) if we poisoned at least one %alloca in a function, 1418 // unpoison the whole stack frame at function exit. 1419 1420 AllocaInst *FunctionStackPoisoner::findAllocaForValue(Value *V) { 1421 if (AllocaInst *AI = dyn_cast<AllocaInst>(V)) 1422 // We're intested only in allocas we can handle. 1423 return isInterestingAlloca(*AI) ? AI : 0; 1424 // See if we've already calculated (or started to calculate) alloca for a 1425 // given value. 1426 AllocaForValueMapTy::iterator I = AllocaForValue.find(V); 1427 if (I != AllocaForValue.end()) 1428 return I->second; 1429 // Store 0 while we're calculating alloca for value V to avoid 1430 // infinite recursion if the value references itself. 1431 AllocaForValue[V] = 0; 1432 AllocaInst *Res = 0; 1433 if (CastInst *CI = dyn_cast<CastInst>(V)) 1434 Res = findAllocaForValue(CI->getOperand(0)); 1435 else if (PHINode *PN = dyn_cast<PHINode>(V)) { 1436 for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) { 1437 Value *IncValue = PN->getIncomingValue(i); 1438 // Allow self-referencing phi-nodes. 1439 if (IncValue == PN) continue; 1440 AllocaInst *IncValueAI = findAllocaForValue(IncValue); 1441 // AI for incoming values should exist and should all be equal. 1442 if (IncValueAI == 0 || (Res != 0 && IncValueAI != Res)) 1443 return 0; 1444 Res = IncValueAI; 1445 } 1446 } 1447 if (Res != 0) 1448 AllocaForValue[V] = Res; 1449 return Res; 1450 } 1451