Lines Matching defs:Shadow
14 /// (http://goo.gl/QKbem). We associate a few shadow bits with every
15 /// byte of the application memory, poison the shadow of the malloc-ed
16 /// or alloca-ed memory, load the shadow bits on every memory read,
17 /// propagate the shadow bits through some of the arithmetic
18 /// instruction (including MOV), store the shadow bits on every memory
20 /// associated shadow is poisoned.
30 /// Another difference from Memcheck is that we use 8 shadow bits per
31 /// byte of application memory and use a direct shadow mapping. This
33 /// shadow updates (Memcheck is single-threaded so races are not a
34 /// concern there. Memcheck uses 2 shadow bits per byte with a slow
37 /// The default value of shadow is 0, which means "clean" (not poisoned).
40 /// shadow memory is ready. On error, __msan_warning is called. Since
42 /// specialized thread-local shadow for return values
52 /// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
71 /// corresponding shadow location in an atomic way. Unfortunately, atomic store
77 /// not the other way around. We load the shadow _after_ the application load,
78 /// and we store the shadow _before_ the app store. Also, we always store clean
79 /// shadow (if the application store is atomic). This way, if the store-load
80 /// pair constitutes a happens-before arc, shadow store and load are correctly
86 /// must store the new shadow before the app operation, and load the shadow
90 /// clean shadow.
157 cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
164 // This flag controls whether we check the shadow of the address
171 cl::desc("report accesses through a pointer which has poisoned shadow"),
228 /// \brief Thread-local shadow storage for function parameters.
232 /// \brief Thread-local shadow storage for function return value.
236 /// \brief Thread-local shadow storage for in-register va_arg function
239 /// \brief Thread-local shadow storage for va_arg overflow area
266 /// \brief Address mask used in application-to-shadow address calculation.
269 /// \brief Offset of the origin shadow from the "normal" shadow.
464 /// necessary to propagate argument shadow through VarArg function
499 /// instructions store and load corresponding shadow and origin
500 /// values. Most instructions propagate shadow from arguments to their
502 /// test their argument shadow and print reports (with a runtime call) if it's
520 Value *Shadow;
524 : Shadow(S), Origin(O), OrigIns(I) { }
552 void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
554 if (isa<StructType>(Shadow->getType())) {
558 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
559 // TODO(eugenis): handle non-zero constant shadow by inserting an
592 Value *Shadow = SI.isAtomic() ? getCleanShadow(Val) : getShadow(Val);
593 Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);
596 IRB.CreateAlignedStore(Shadow, ShadowPtr, SI.getAlignment());
606 storeOrigin(IRB, Addr, Shadow, getOrigin(Val), Alignment,
612 void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
615 DEBUG(dbgs() << " SHAD0 : " << *Shadow << "\n");
616 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
651 Value *Shadow = ShadowData.Shadow;
653 materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
706 // blocks, such nodes will not have any shadow value associated with them.
707 // It's easier to remove unreachable blocks than deal with missing shadow.
710 // Iterate all BBs in depth-first order and create shadow instructions
712 // For PHI nodes we create dummy shadow PHIs which will be finalized later.
738 // Insert shadow value checks.
747 /// \brief Compute the shadow type that corresponds to a given Value.
752 /// \brief Compute the shadow type that corresponds to a given Type.
757 // For integer type, shadow is the same as the original type.
785 /// \brief Convert a shadow value to it's flattened variant.
793 /// \brief Compute the shadow address that corresponds to a given application
796 /// Shadow = Addr & ~ShadowMask.
821 /// \brief Compute the shadow address for a given function argument.
823 /// Shadow = ParamTLS+ArgOffset.
842 /// \brief Compute the shadow address for a retval.
855 /// \brief Set SV to be the shadow value for V.
857 assert(!ShadowMap.count(V) && "Values may only have one shadow");
869 /// \brief Create a clean shadow value for a given value.
871 /// Clean shadow (all zeroes) means all bits of the value are defined
880 /// \brief Create a dirty shadow of a given shadow type.
892 /// \brief Create a dirty shadow for a given value.
905 /// \brief Get the shadow value for a given Value.
912 // For instructions the shadow is already stored in the map.
913 Value *Shadow = ShadowMap[V];
914 if (!Shadow) {
915 DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
917 assert(Shadow && "No shadow for a value");
919 return Shadow;
928 // For arguments we compute the shadow on demand and store it in the map.
946 // ByVal pointer itself has clean shadow. We copy the actual
947 // argument shadow to the underlying memory.
974 assert(*ShadowPtr && "Could not find shadow for an argument");
977 // For everything else the shadow is zero.
981 /// \brief Get the shadow for i-th argument of the instruction I.
1005 /// \brief Remember the place where a shadow check should be inserted.
1008 /// UMR warning in runtime if the shadow value is not 0.
1009 void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
1010 assert(Shadow);
1013 Type *ShadowTy = Shadow->getType();
1015 "Can only insert checks for integer and vector shadow types");
1018 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
1021 /// \brief Remember the place where a shadow check should be inserted.
1027 Instruction *Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
1028 if (!Shadow) return;
1030 insertShadowCheck(Shadow, Origin, OrigIns);
1071 /// Loads the corresponding shadow and (optionally) origin.
1105 /// Stores the corresponding shadow and (optionally) origin.
1213 /// \brief Propagate shadow for bitwise AND.
1217 /// corresponding bit in B don't affect the resulting shadow.
1262 /// \brief Default propagation of shadow and/or origin.
1264 /// This class implements the general case of shadow propagation, used in all
1266 /// actually does. It converts all input shadow values to a common type
1279 Value *Shadow;
1286 Shadow(nullptr), Origin(nullptr), IRB(IRB), MSV(MSV) {}
1288 /// \brief Add a pair of shadow and origin values to the mix.
1292 if (!Shadow)
1293 Shadow = OpShadow;
1295 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
1296 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
1325 /// \brief Set the current combined values as the given instruction's shadow
1329 assert(Shadow);
1330 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
1331 MSV->setShadow(I, Shadow);
1355 "Vector of pointers is not a valid shadow type");
1361 /// \brief Cast between two shadow types, extending or truncating as
1380 /// \brief Cast an application value to the type of its own shadow.
1391 /// \brief Propagate shadow for arbitrary operation.
1405 // shadow left by the required number of bits. Effectively, we transform
1514 // Split shadow into sign bit and other bits.
1517 // Maximise the undefined shadow bit, minimize other undefined bits.
1531 // Split shadow into sign bit and other bits.
1534 // Minimise the undefined shadow bit, maximise other undefined bits.
1545 /// This function does exact shadow propagation for all relational
1579 /// propagating the highest bit of the shadow. Everything else is delegated
1595 Value* Shadow =
1597 setShadow(&I, Shadow);
1661 /// we will memove the shadow twice: which is bad in case
1675 // Similar to memmove: avoid copying shadow twice.
1734 Value *Shadow = getShadow(&I, 1);
1735 Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);
1739 IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);
1879 // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
1902 // Combine shadow for elements of ConvertOp that are used in this operation,
1904 // FIXME: consider propagating shadow of ConvertOp, at least in the case of
1922 // Build result shadow by zero-filling parts of CopyOp shadow that come from
2025 // Shadow is propagated with the signed variant of the same intrinsic applied
2267 // For inline asm, do the usual thing: check argument shadow and mark all
2309 // Compute the Shadow for arg even if it is ByVal, because
2310 // in that case getShadow() will copy the actual arg shadow to
2315 " Shadow: " << *ArgShadow << "\n");
2345 // Now, get the shadow for the RetVal.
2348 // Until we have full dynamic coverage, make sure the retval shadow is 0.
2366 "Could not find insertion point for retval shadow load");
2384 Value *Shadow = getCleanShadow(RetVal);
2385 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
2387 Value *Shadow = getShadow(RetVal);
2388 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
2456 // Result shadow if condition shadow is 0.
2470 // Cast arguments to shadow-compatible type.
2474 // Result shadow if condition shadow is 1.
2548 // Everything else: stop propagating and check for poisoned shadow.
2593 // For VarArg functions, store the argument shadow in an ABI-specific format
2599 // MSanParamTLS, and extract shadow on va_arg() call in the argument list
2648 /// \brief Compute the shadow address for a given va_arg.
2696 // Copy va_list shadow from the backup copy of the TLS contents.
