1 //===-- MemorySanitizer.cpp - detector of uninitialized reads -------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 /// \file 10 /// This file is a part of MemorySanitizer, a detector of uninitialized 11 /// reads. 12 /// 13 /// The algorithm of the tool is similar to Memcheck 14 /// (http://goo.gl/QKbem). We associate a few shadow bits with every 15 /// byte of the application memory, poison the shadow of the malloc-ed 16 /// or alloca-ed memory, load the shadow bits on every memory read, 17 /// propagate the shadow bits through some of the arithmetic 18 /// instruction (including MOV), store the shadow bits on every memory 19 /// write, report a bug on some other instructions (e.g. JMP) if the 20 /// associated shadow is poisoned. 21 /// 22 /// But there are differences too. The first and the major one: 23 /// compiler instrumentation instead of binary instrumentation. This 24 /// gives us much better register allocation, possible compiler 25 /// optimizations and a fast start-up. But this brings the major issue 26 /// as well: msan needs to see all program events, including system 27 /// calls and reads/writes in system libraries, so we either need to 28 /// compile *everything* with msan or use a binary translation 29 /// component (e.g. DynamoRIO) to instrument pre-built libraries. 30 /// Another difference from Memcheck is that we use 8 shadow bits per 31 /// byte of application memory and use a direct shadow mapping. This 32 /// greatly simplifies the instrumentation code and avoids races on 33 /// shadow updates (Memcheck is single-threaded so races are not a 34 /// concern there. Memcheck uses 2 shadow bits per byte with a slow 35 /// path storage that uses 8 bits per byte). 36 /// 37 /// The default value of shadow is 0, which means "clean" (not poisoned). 38 /// 39 /// Every module initializer should call __msan_init to ensure that the 40 /// shadow memory is ready. On error, __msan_warning is called. Since 41 /// parameters and return values may be passed via registers, we have a 42 /// specialized thread-local shadow for return values 43 /// (__msan_retval_tls) and parameters (__msan_param_tls). 44 /// 45 /// Origin tracking. 46 /// 47 /// MemorySanitizer can track origins (allocation points) of all uninitialized 48 /// values. This behavior is controlled with a flag (msan-track-origins) and is 49 /// disabled by default. 50 /// 51 /// Origins are 4-byte values created and interpreted by the runtime library. 52 /// They are stored in a second shadow mapping, one 4-byte value for 4 bytes 53 /// of application memory. Propagation of origins is basically a bunch of 54 /// "select" instructions that pick the origin of a dirty argument, if an 55 /// instruction has one. 56 /// 57 /// Every 4 aligned, consecutive bytes of application memory have one origin 58 /// value associated with them. If these bytes contain uninitialized data 59 /// coming from 2 different allocations, the last store wins. Because of this, 60 /// MemorySanitizer reports can show unrelated origins, but this is unlikely in 61 /// practice. 62 /// 63 /// Origins are meaningless for fully initialized values, so MemorySanitizer 64 /// avoids storing origin to memory when a fully initialized value is stored. 65 /// This way it avoids needless overwritting origin of the 4-byte region on 66 /// a short (i.e. 1 byte) clean store, and it is also good for performance. 67 /// 68 /// Atomic handling. 69 /// 70 /// Ideally, every atomic store of application value should update the 71 /// corresponding shadow location in an atomic way. Unfortunately, atomic store 72 /// of two disjoint locations can not be done without severe slowdown. 73 /// 74 /// Therefore, we implement an approximation that may err on the safe side. 75 /// In this implementation, every atomically accessed location in the program 76 /// may only change from (partially) uninitialized to fully initialized, but 77 /// not the other way around. We load the shadow _after_ the application load, 78 /// and we store the shadow _before_ the app store. Also, we always store clean 79 /// shadow (if the application store is atomic). This way, if the store-load 80 /// pair constitutes a happens-before arc, shadow store and load are correctly 81 /// ordered such that the load will get either the value that was stored, or 82 /// some later value (which is always clean). 83 /// 84 /// This does not work very well with Compare-And-Swap (CAS) and 85 /// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW 86 /// must store the new shadow before the app operation, and load the shadow 87 /// after the app operation. Computers don't work this way. Current 88 /// implementation ignores the load aspect of CAS/RMW, always returning a clean 89 /// value. It implements the store part as a simple atomic store by storing a 90 /// clean shadow. 91 92 //===----------------------------------------------------------------------===// 93 94 #include "llvm/Transforms/Instrumentation.h" 95 #include "llvm/ADT/DepthFirstIterator.h" 96 #include "llvm/ADT/SmallString.h" 97 #include "llvm/ADT/SmallVector.h" 98 #include "llvm/ADT/StringExtras.h" 99 #include "llvm/ADT/Triple.h" 100 #include "llvm/IR/DataLayout.h" 101 #include "llvm/IR/Function.h" 102 #include "llvm/IR/IRBuilder.h" 103 #include "llvm/IR/InlineAsm.h" 104 #include "llvm/IR/InstVisitor.h" 105 #include "llvm/IR/IntrinsicInst.h" 106 #include "llvm/IR/LLVMContext.h" 107 #include "llvm/IR/MDBuilder.h" 108 #include "llvm/IR/Module.h" 109 #include "llvm/IR/Type.h" 110 #include "llvm/IR/ValueMap.h" 111 #include "llvm/Support/CommandLine.h" 112 #include "llvm/Support/Compiler.h" 113 #include "llvm/Support/Debug.h" 114 #include "llvm/Support/raw_ostream.h" 115 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 116 #include "llvm/Transforms/Utils/Local.h" 117 #include "llvm/Transforms/Utils/ModuleUtils.h" 118 119 using namespace llvm; 120 121 #define DEBUG_TYPE "msan" 122 123 static const unsigned kOriginSize = 4; 124 static const unsigned kMinOriginAlignment = 4; 125 static const unsigned kShadowTLSAlignment = 8; 126 127 // These constants must be kept in sync with the ones in msan.h. 128 static const unsigned kParamTLSSize = 800; 129 static const unsigned kRetvalTLSSize = 800; 130 131 // Accesses sizes are powers of two: 1, 2, 4, 8. 132 static const size_t kNumberOfAccessSizes = 4; 133 134 /// \brief Track origins of uninitialized values. 135 /// 136 /// Adds a section to MemorySanitizer report that points to the allocation 137 /// (stack or heap) the uninitialized bits came from originally. 138 static cl::opt<int> ClTrackOrigins("msan-track-origins", 139 cl::desc("Track origins (allocation sites) of poisoned memory"), 140 cl::Hidden, cl::init(0)); 141 static cl::opt<bool> ClKeepGoing("msan-keep-going", 142 cl::desc("keep going after reporting a UMR"), 143 cl::Hidden, cl::init(false)); 144 static cl::opt<bool> ClPoisonStack("msan-poison-stack", 145 cl::desc("poison uninitialized stack variables"), 146 cl::Hidden, cl::init(true)); 147 static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call", 148 cl::desc("poison uninitialized stack variables with a call"), 149 cl::Hidden, cl::init(false)); 150 static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern", 151 cl::desc("poison uninitialized stack variables with the given patter"), 152 cl::Hidden, cl::init(0xff)); 153 static cl::opt<bool> ClPoisonUndef("msan-poison-undef", 154 cl::desc("poison undef temps"), 155 cl::Hidden, cl::init(true)); 156 157 static cl::opt<bool> ClHandleICmp("msan-handle-icmp", 158 cl::desc("propagate shadow through ICmpEQ and ICmpNE"), 159 cl::Hidden, cl::init(true)); 160 161 static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact", 162 cl::desc("exact handling of relational integer ICmp"), 163 cl::Hidden, cl::init(false)); 164 165 // This flag controls whether we check the shadow of the address 166 // operand of load or store. Such bugs are very rare, since load from 167 // a garbage address typically results in SEGV, but still happen 168 // (e.g. only lower bits of address are garbage, or the access happens 169 // early at program startup where malloc-ed memory is more likely to 170 // be zeroed. As of 2012-08-28 this flag adds 20% slowdown. 171 static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address", 172 cl::desc("report accesses through a pointer which has poisoned shadow"), 173 cl::Hidden, cl::init(true)); 174 175 static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions", 176 cl::desc("print out instructions with default strict semantics"), 177 cl::Hidden, cl::init(false)); 178 179 static cl::opt<int> ClInstrumentationWithCallThreshold( 180 "msan-instrumentation-with-call-threshold", 181 cl::desc( 182 "If the function being instrumented requires more than " 183 "this number of checks and origin stores, use callbacks instead of " 184 "inline checks (-1 means never use callbacks)."), 185 cl::Hidden, cl::init(3500)); 186 187 // This is an experiment to enable handling of cases where shadow is a non-zero 188 // compile-time constant. For some unexplainable reason they were silently 189 // ignored in the instrumentation. 190 static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow", 191 cl::desc("Insert checks for constant shadow values"), 192 cl::Hidden, cl::init(false)); 193 194 namespace { 195 196 // Memory map parameters used in application-to-shadow address calculation. 197 // Offset = (Addr & ~AndMask) ^ XorMask 198 // Shadow = ShadowBase + Offset 199 // Origin = OriginBase + Offset 200 struct MemoryMapParams { 201 uint64_t AndMask; 202 uint64_t XorMask; 203 uint64_t ShadowBase; 204 uint64_t OriginBase; 205 }; 206 207 struct PlatformMemoryMapParams { 208 const MemoryMapParams *bits32; 209 const MemoryMapParams *bits64; 210 }; 211 212 // i386 Linux 213 static const MemoryMapParams Linux_I386_MemoryMapParams = { 214 0x000080000000, // AndMask 215 0, // XorMask (not used) 216 0, // ShadowBase (not used) 217 0x000040000000, // OriginBase 218 }; 219 220 // x86_64 Linux 221 static const MemoryMapParams Linux_X86_64_MemoryMapParams = { 222 0x400000000000, // AndMask 223 0, // XorMask (not used) 224 0, // ShadowBase (not used) 225 0x200000000000, // OriginBase 226 }; 227 228 // mips64 Linux 229 static const MemoryMapParams Linux_MIPS64_MemoryMapParams = { 230 0x004000000000, // AndMask 231 0, // XorMask (not used) 232 0, // ShadowBase (not used) 233 0x002000000000, // OriginBase 234 }; 235 236 // i386 FreeBSD 237 static const MemoryMapParams FreeBSD_I386_MemoryMapParams = { 238 0x000180000000, // AndMask 239 0x000040000000, // XorMask 240 0x000020000000, // ShadowBase 241 0x000700000000, // OriginBase 242 }; 243 244 // x86_64 FreeBSD 245 static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams = { 246 0xc00000000000, // AndMask 247 0x200000000000, // XorMask 248 0x100000000000, // ShadowBase 249 0x380000000000, // OriginBase 250 }; 251 252 static const PlatformMemoryMapParams Linux_X86_MemoryMapParams = { 253 &Linux_I386_MemoryMapParams, 254 &Linux_X86_64_MemoryMapParams, 255 }; 256 257 static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams = { 258 NULL, 259 &Linux_MIPS64_MemoryMapParams, 260 }; 261 262 static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams = { 263 &FreeBSD_I386_MemoryMapParams, 264 &FreeBSD_X86_64_MemoryMapParams, 265 }; 266 267 /// \brief An instrumentation pass implementing detection of uninitialized 268 /// reads. 269 /// 270 /// MemorySanitizer: instrument the code in module to find 271 /// uninitialized reads. 272 class MemorySanitizer : public FunctionPass { 273 public: 274 MemorySanitizer(int TrackOrigins = 0) 275 : FunctionPass(ID), 276 TrackOrigins(std::max(TrackOrigins, (int)ClTrackOrigins)), 277 WarningFn(nullptr) {} 278 const char *getPassName() const override { return "MemorySanitizer"; } 279 bool runOnFunction(Function &F) override; 280 bool doInitialization(Module &M) override; 281 static char ID; // Pass identification, replacement for typeid. 282 283 private: 284 void initializeCallbacks(Module &M); 285 286 /// \brief Track origins (allocation points) of uninitialized values. 287 int TrackOrigins; 288 289 LLVMContext *C; 290 Type *IntptrTy; 291 Type *OriginTy; 292 /// \brief Thread-local shadow storage for function parameters. 293 GlobalVariable *ParamTLS; 294 /// \brief Thread-local origin storage for function parameters. 295 GlobalVariable *ParamOriginTLS; 296 /// \brief Thread-local shadow storage for function return value. 297 GlobalVariable *RetvalTLS; 298 /// \brief Thread-local origin storage for function return value. 299 GlobalVariable *RetvalOriginTLS; 300 /// \brief Thread-local shadow storage for in-register va_arg function 301 /// parameters (x86_64-specific). 302 GlobalVariable *VAArgTLS; 303 /// \brief Thread-local shadow storage for va_arg overflow area 304 /// (x86_64-specific). 305 GlobalVariable *VAArgOverflowSizeTLS; 306 /// \brief Thread-local space used to pass origin value to the UMR reporting 307 /// function. 308 GlobalVariable *OriginTLS; 309 310 /// \brief The run-time callback to print a warning. 311 Value *WarningFn; 312 // These arrays are indexed by log2(AccessSize). 313 Value *MaybeWarningFn[kNumberOfAccessSizes]; 314 Value *MaybeStoreOriginFn[kNumberOfAccessSizes]; 315 316 /// \brief Run-time helper that generates a new origin value for a stack 317 /// allocation. 318 Value *MsanSetAllocaOrigin4Fn; 319 /// \brief Run-time helper that poisons stack on function entry. 320 Value *MsanPoisonStackFn; 321 /// \brief Run-time helper that records a store (or any event) of an 322 /// uninitialized value and returns an updated origin id encoding this info. 323 Value *MsanChainOriginFn; 324 /// \brief MSan runtime replacements for memmove, memcpy and memset. 325 Value *MemmoveFn, *MemcpyFn, *MemsetFn; 326 327 /// \brief Memory map parameters used in application-to-shadow calculation. 328 const MemoryMapParams *MapParams; 329 330 MDNode *ColdCallWeights; 331 /// \brief Branch weights for origin store. 332 MDNode *OriginStoreWeights; 333 /// \brief An empty volatile inline asm that prevents callback merge. 334 InlineAsm *EmptyAsm; 335 336 friend struct MemorySanitizerVisitor; 337 friend struct VarArgAMD64Helper; 338 friend struct VarArgMIPS64Helper; 339 }; 340 } // namespace 341 342 char MemorySanitizer::ID = 0; 343 INITIALIZE_PASS(MemorySanitizer, "msan", 344 "MemorySanitizer: detects uninitialized reads.", 345 false, false) 346 347 FunctionPass *llvm::createMemorySanitizerPass(int TrackOrigins) { 348 return new MemorySanitizer(TrackOrigins); 349 } 350 351 /// \brief Create a non-const global initialized with the given string. 352 /// 353 /// Creates a writable global for Str so that we can pass it to the 354 /// run-time lib. Runtime uses first 4 bytes of the string to store the 355 /// frame ID, so the string needs to be mutable. 356 static GlobalVariable *createPrivateNonConstGlobalForString(Module &M, 357 StringRef Str) { 358 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str); 359 return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false, 360 GlobalValue::PrivateLinkage, StrConst, ""); 361 } 362 363 364 /// \brief Insert extern declaration of runtime-provided functions and globals. 365 void MemorySanitizer::initializeCallbacks(Module &M) { 366 // Only do this once. 367 if (WarningFn) 368 return; 369 370 IRBuilder<> IRB(*C); 371 // Create the callback. 372 // FIXME: this function should have "Cold" calling conv, 373 // which is not yet implemented. 374 StringRef WarningFnName = ClKeepGoing ? "__msan_warning" 375 : "__msan_warning_noreturn"; 376 WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy(), nullptr); 377 378 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes; 379 AccessSizeIndex++) { 380 unsigned AccessSize = 1 << AccessSizeIndex; 381 std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize); 382 MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction( 383 FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), 384 IRB.getInt32Ty(), nullptr); 385 386 FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize); 387 MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction( 388 FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), 389 IRB.getInt8PtrTy(), IRB.getInt32Ty(), nullptr); 390 } 391 392 MsanSetAllocaOrigin4Fn = M.getOrInsertFunction( 393 "__msan_set_alloca_origin4", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy, 394 IRB.getInt8PtrTy(), IntptrTy, nullptr); 395 MsanPoisonStackFn = 396 M.getOrInsertFunction("__msan_poison_stack", IRB.getVoidTy(), 397 IRB.getInt8PtrTy(), IntptrTy, nullptr); 398 MsanChainOriginFn = M.getOrInsertFunction( 399 "__msan_chain_origin", IRB.getInt32Ty(), IRB.getInt32Ty(), nullptr); 400 MemmoveFn = M.getOrInsertFunction( 401 "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 402 IRB.getInt8PtrTy(), IntptrTy, nullptr); 403 MemcpyFn = M.getOrInsertFunction( 404 "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), 405 IntptrTy, nullptr); 406 MemsetFn = M.getOrInsertFunction( 407 "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(), 408 IntptrTy, nullptr); 409 410 // Create globals. 411 RetvalTLS = new GlobalVariable( 412 M, ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8), false, 413 GlobalVariable::ExternalLinkage, nullptr, "__msan_retval_tls", nullptr, 414 GlobalVariable::InitialExecTLSModel); 415 RetvalOriginTLS = new GlobalVariable( 416 M, OriginTy, false, GlobalVariable::ExternalLinkage, nullptr, 417 "__msan_retval_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel); 418 419 ParamTLS = new GlobalVariable( 420 M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false, 421 GlobalVariable::ExternalLinkage, nullptr, "__msan_param_tls", nullptr, 422 GlobalVariable::InitialExecTLSModel); 423 ParamOriginTLS = new GlobalVariable( 424 M, ArrayType::get(OriginTy, kParamTLSSize / 4), false, 425 GlobalVariable::ExternalLinkage, nullptr, "__msan_param_origin_tls", 426 nullptr, GlobalVariable::InitialExecTLSModel); 427 428 VAArgTLS = new GlobalVariable( 429 M, ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), false, 430 GlobalVariable::ExternalLinkage, nullptr, "__msan_va_arg_tls", nullptr, 431 GlobalVariable::InitialExecTLSModel); 432 VAArgOverflowSizeTLS = new GlobalVariable( 433 M, IRB.getInt64Ty(), false, GlobalVariable::ExternalLinkage, nullptr, 434 "__msan_va_arg_overflow_size_tls", nullptr, 435 GlobalVariable::InitialExecTLSModel); 436 OriginTLS = new GlobalVariable( 437 M, IRB.getInt32Ty(), false, GlobalVariable::ExternalLinkage, nullptr, 438 "__msan_origin_tls", nullptr, GlobalVariable::InitialExecTLSModel); 439 440 // We insert an empty inline asm after __msan_report* to avoid callback merge. 441 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), 442 StringRef(""), StringRef(""), 443 /*hasSideEffects=*/true); 444 } 445 446 /// \brief Module-level initialization. 447 /// 448 /// inserts a call to __msan_init to the module's constructor list. 449 bool MemorySanitizer::doInitialization(Module &M) { 450 auto &DL = M.getDataLayout(); 451 452 Triple TargetTriple(M.getTargetTriple()); 453 switch (TargetTriple.getOS()) { 454 case Triple::FreeBSD: 455 switch (TargetTriple.getArch()) { 456 case Triple::x86_64: 457 MapParams = FreeBSD_X86_MemoryMapParams.bits64; 458 break; 459 case Triple::x86: 460 MapParams = FreeBSD_X86_MemoryMapParams.bits32; 461 break; 462 default: 463 report_fatal_error("unsupported architecture"); 464 } 465 break; 466 case Triple::Linux: 467 switch (TargetTriple.getArch()) { 468 case Triple::x86_64: 469 MapParams = Linux_X86_MemoryMapParams.bits64; 470 break; 471 case Triple::x86: 472 MapParams = Linux_X86_MemoryMapParams.bits32; 473 break; 474 case Triple::mips64: 475 case Triple::mips64el: 476 MapParams = Linux_MIPS_MemoryMapParams.bits64; 477 break; 478 default: 479 report_fatal_error("unsupported architecture"); 480 } 481 break; 482 default: 483 report_fatal_error("unsupported operating system"); 484 } 485 486 C = &(M.getContext()); 487 IRBuilder<> IRB(*C); 488 IntptrTy = IRB.getIntPtrTy(DL); 489 OriginTy = IRB.getInt32Ty(); 490 491 ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000); 492 OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000); 493 494 // Insert a call to __msan_init/__msan_track_origins into the module's CTORs. 495 appendToGlobalCtors(M, cast<Function>(M.getOrInsertFunction( 496 "__msan_init", IRB.getVoidTy(), nullptr)), 0); 497 498 if (TrackOrigins) 499 new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, 500 IRB.getInt32(TrackOrigins), "__msan_track_origins"); 501 502 if (ClKeepGoing) 503 new GlobalVariable(M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage, 504 IRB.getInt32(ClKeepGoing), "__msan_keep_going"); 505 506 return true; 507 } 508 509 namespace { 510 511 /// \brief A helper class that handles instrumentation of VarArg 512 /// functions on a particular platform. 513 /// 514 /// Implementations are expected to insert the instrumentation 515 /// necessary to propagate argument shadow through VarArg function 516 /// calls. Visit* methods are called during an InstVisitor pass over 517 /// the function, and should avoid creating new basic blocks. A new 518 /// instance of this class is created for each instrumented function. 519 struct VarArgHelper { 520 /// \brief Visit a CallSite. 521 virtual void visitCallSite(CallSite &CS, IRBuilder<> &IRB) = 0; 522 523 /// \brief Visit a va_start call. 524 virtual void visitVAStartInst(VAStartInst &I) = 0; 525 526 /// \brief Visit a va_copy call. 527 virtual void visitVACopyInst(VACopyInst &I) = 0; 528 529 /// \brief Finalize function instrumentation. 530 /// 531 /// This method is called after visiting all interesting (see above) 532 /// instructions in a function. 533 virtual void finalizeInstrumentation() = 0; 534 535 virtual ~VarArgHelper() {} 536 }; 537 538 struct MemorySanitizerVisitor; 539 540 VarArgHelper* 541 CreateVarArgHelper(Function &Func, MemorySanitizer &Msan, 542 MemorySanitizerVisitor &Visitor); 543 544 unsigned TypeSizeToSizeIndex(unsigned TypeSize) { 545 if (TypeSize <= 8) return 0; 546 return Log2_32_Ceil(TypeSize / 8); 547 } 548 549 /// This class does all the work for a given function. Store and Load 550 /// instructions store and load corresponding shadow and origin 551 /// values. Most instructions propagate shadow from arguments to their 552 /// return values. Certain instructions (most importantly, BranchInst) 553 /// test their argument shadow and print reports (with a runtime call) if it's 554 /// non-zero. 555 struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> { 556 Function &F; 557 MemorySanitizer &MS; 558 SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes; 559 ValueMap<Value*, Value*> ShadowMap, OriginMap; 560 std::unique_ptr<VarArgHelper> VAHelper; 561 562 // The following flags disable parts of MSan instrumentation based on 563 // blacklist contents and command-line options. 564 bool InsertChecks; 565 bool PropagateShadow; 566 bool PoisonStack; 567 bool PoisonUndef; 568 bool CheckReturnValue; 569 570 struct ShadowOriginAndInsertPoint { 571 Value *Shadow; 572 Value *Origin; 573 Instruction *OrigIns; 574 ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I) 575 : Shadow(S), Origin(O), OrigIns(I) { } 576 }; 577 SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList; 578 SmallVector<Instruction*, 16> StoreList; 579 580 MemorySanitizerVisitor(Function &F, MemorySanitizer &MS) 581 : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)) { 582 bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeMemory); 583 InsertChecks = SanitizeFunction; 584 PropagateShadow = SanitizeFunction; 585 PoisonStack = SanitizeFunction && ClPoisonStack; 586 PoisonUndef = SanitizeFunction && ClPoisonUndef; 587 // FIXME: Consider using SpecialCaseList to specify a list of functions that 588 // must always return fully initialized values. For now, we hardcode "main". 589 CheckReturnValue = SanitizeFunction && (F.getName() == "main"); 590 591 DEBUG(if (!InsertChecks) 592 dbgs() << "MemorySanitizer is not inserting checks into '" 593 << F.getName() << "'\n"); 594 } 595 596 Value *updateOrigin(Value *V, IRBuilder<> &IRB) { 597 if (MS.TrackOrigins <= 1) return V; 598 return IRB.CreateCall(MS.MsanChainOriginFn, V); 599 } 600 601 Value *originToIntptr(IRBuilder<> &IRB, Value *Origin) { 602 const DataLayout &DL = F.getParent()->getDataLayout(); 603 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy); 604 if (IntptrSize == kOriginSize) return Origin; 605 assert(IntptrSize == kOriginSize * 2); 606 Origin = IRB.CreateIntCast(Origin, MS.IntptrTy, /* isSigned */ false); 607 return IRB.CreateOr(Origin, IRB.CreateShl(Origin, kOriginSize * 8)); 608 } 609 610 /// \brief Fill memory range with the given origin value. 611 void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *OriginPtr, 612 unsigned Size, unsigned Alignment) { 613 const DataLayout &DL = F.getParent()->getDataLayout(); 614 unsigned IntptrAlignment = DL.getABITypeAlignment(MS.IntptrTy); 615 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy); 616 assert(IntptrAlignment >= kMinOriginAlignment); 617 assert(IntptrSize >= kOriginSize); 618 619 unsigned Ofs = 0; 620 unsigned CurrentAlignment = Alignment; 621 if (Alignment >= IntptrAlignment && IntptrSize > kOriginSize) { 622 Value *IntptrOrigin = originToIntptr(IRB, Origin); 623 Value *IntptrOriginPtr = 624 IRB.CreatePointerCast(OriginPtr, PointerType::get(MS.IntptrTy, 0)); 625 for (unsigned i = 0; i < Size / IntptrSize; ++i) { 626 Value *Ptr = i ? IRB.CreateConstGEP1_32(MS.IntptrTy, IntptrOriginPtr, i) 627 : IntptrOriginPtr; 628 IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment); 629 Ofs += IntptrSize / kOriginSize; 630 CurrentAlignment = IntptrAlignment; 631 } 632 } 633 634 for (unsigned i = Ofs; i < (Size + kOriginSize - 1) / kOriginSize; ++i) { 635 Value *GEP = 636 i ? IRB.CreateConstGEP1_32(nullptr, OriginPtr, i) : OriginPtr; 637 IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment); 638 CurrentAlignment = kMinOriginAlignment; 639 } 640 } 641 642 void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin, 643 unsigned Alignment, bool AsCall) { 644 const DataLayout &DL = F.getParent()->getDataLayout(); 645 unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment); 646 unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType()); 647 if (isa<StructType>(Shadow->getType())) { 648 paintOrigin(IRB, updateOrigin(Origin, IRB), 649 getOriginPtr(Addr, IRB, Alignment), StoreSize, 650 OriginAlignment); 651 } else { 652 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB); 653 Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow); 654 if (ConstantShadow) { 655 if (ClCheckConstantShadow && !ConstantShadow->isZeroValue()) 656 paintOrigin(IRB, updateOrigin(Origin, IRB), 657 getOriginPtr(Addr, IRB, Alignment), StoreSize, 658 OriginAlignment); 659 return; 660 } 661 662 unsigned TypeSizeInBits = 663 DL.getTypeSizeInBits(ConvertedShadow->getType()); 664 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits); 665 if (AsCall && SizeIndex < kNumberOfAccessSizes) { 666 Value *Fn = MS.MaybeStoreOriginFn[SizeIndex]; 667 Value *ConvertedShadow2 = IRB.CreateZExt( 668 ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex))); 669 IRB.CreateCall3(Fn, ConvertedShadow2, 670 IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()), 671 Origin); 672 } else { 673 Value *Cmp = IRB.CreateICmpNE( 674 ConvertedShadow, getCleanShadow(ConvertedShadow), "_mscmp"); 675 Instruction *CheckTerm = SplitBlockAndInsertIfThen( 676 Cmp, IRB.GetInsertPoint(), false, MS.OriginStoreWeights); 677 IRBuilder<> IRBNew(CheckTerm); 678 paintOrigin(IRBNew, updateOrigin(Origin, IRBNew), 679 getOriginPtr(Addr, IRBNew, Alignment), StoreSize, 680 OriginAlignment); 681 } 682 } 683 } 684 685 void materializeStores(bool InstrumentWithCalls) { 686 for (auto Inst : StoreList) { 687 StoreInst &SI = *dyn_cast<StoreInst>(Inst); 688 689 IRBuilder<> IRB(&SI); 690 Value *Val = SI.getValueOperand(); 691 Value *Addr = SI.getPointerOperand(); 692 Value *Shadow = SI.isAtomic() ? getCleanShadow(Val) : getShadow(Val); 693 Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB); 694 695 StoreInst *NewSI = 696 IRB.CreateAlignedStore(Shadow, ShadowPtr, SI.getAlignment()); 697 DEBUG(dbgs() << " STORE: " << *NewSI << "\n"); 698 (void)NewSI; 699 700 if (ClCheckAccessAddress) insertShadowCheck(Addr, &SI); 701 702 if (SI.isAtomic()) SI.setOrdering(addReleaseOrdering(SI.getOrdering())); 703 704 if (MS.TrackOrigins && !SI.isAtomic()) 705 storeOrigin(IRB, Addr, Shadow, getOrigin(Val), SI.getAlignment(), 706 InstrumentWithCalls); 707 } 708 } 709 710 void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin, 711 bool AsCall) { 712 IRBuilder<> IRB(OrigIns); 713 DEBUG(dbgs() << " SHAD0 : " << *Shadow << "\n"); 714 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB); 715 DEBUG(dbgs() << " SHAD1 : " << *ConvertedShadow << "\n"); 716 717 Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow); 718 if (ConstantShadow) { 719 if (ClCheckConstantShadow && !ConstantShadow->isZeroValue()) { 720 if (MS.TrackOrigins) { 721 IRB.CreateStore(Origin ? (Value *)Origin : (Value *)IRB.getInt32(0), 722 MS.OriginTLS); 723 } 724 IRB.CreateCall(MS.WarningFn); 725 IRB.CreateCall(MS.EmptyAsm); 726 // FIXME: Insert UnreachableInst if !ClKeepGoing? 727 // This may invalidate some of the following checks and needs to be done 728 // at the very end. 729 } 730 return; 731 } 732 733 const DataLayout &DL = OrigIns->getModule()->getDataLayout(); 734 735 unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType()); 736 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits); 737 if (AsCall && SizeIndex < kNumberOfAccessSizes) { 738 Value *Fn = MS.MaybeWarningFn[SizeIndex]; 739 Value *ConvertedShadow2 = 740 IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex))); 741 IRB.CreateCall2(Fn, ConvertedShadow2, MS.TrackOrigins && Origin 742 ? Origin 743 : (Value *)IRB.getInt32(0)); 744 } else { 745 Value *Cmp = IRB.CreateICmpNE(ConvertedShadow, 746 getCleanShadow(ConvertedShadow), "_mscmp"); 747 Instruction *CheckTerm = SplitBlockAndInsertIfThen( 748 Cmp, OrigIns, 749 /* Unreachable */ !ClKeepGoing, MS.ColdCallWeights); 750 751 IRB.SetInsertPoint(CheckTerm); 752 if (MS.TrackOrigins) { 753 IRB.CreateStore(Origin ? (Value *)Origin : (Value *)IRB.getInt32(0), 754 MS.OriginTLS); 755 } 756 IRB.CreateCall(MS.WarningFn); 757 IRB.CreateCall(MS.EmptyAsm); 758 DEBUG(dbgs() << " CHECK: " << *Cmp << "\n"); 759 } 760 } 761 762 void materializeChecks(bool InstrumentWithCalls) { 763 for (const auto &ShadowData : InstrumentationList) { 764 Instruction *OrigIns = ShadowData.OrigIns; 765 Value *Shadow = ShadowData.Shadow; 766 Value *Origin = ShadowData.Origin; 767 materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls); 768 } 769 DEBUG(dbgs() << "DONE:\n" << F); 770 } 771 772 /// \brief Add MemorySanitizer instrumentation to a function. 773 bool runOnFunction() { 774 MS.initializeCallbacks(*F.getParent()); 775 776 // In the presence of unreachable blocks, we may see Phi nodes with 777 // incoming nodes from such blocks. Since InstVisitor skips unreachable 778 // blocks, such nodes will not have any shadow value associated with them. 779 // It's easier to remove unreachable blocks than deal with missing shadow. 780 removeUnreachableBlocks(F); 781 782 // Iterate all BBs in depth-first order and create shadow instructions 783 // for all instructions (where applicable). 784 // For PHI nodes we create dummy shadow PHIs which will be finalized later. 785 for (BasicBlock *BB : depth_first(&F.getEntryBlock())) 786 visit(*BB); 787 788 789 // Finalize PHI nodes. 790 for (PHINode *PN : ShadowPHINodes) { 791 PHINode *PNS = cast<PHINode>(getShadow(PN)); 792 PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr; 793 size_t NumValues = PN->getNumIncomingValues(); 794 for (size_t v = 0; v < NumValues; v++) { 795 PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v)); 796 if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v)); 797 } 798 } 799 800 VAHelper->finalizeInstrumentation(); 801 802 bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 && 803 InstrumentationList.size() + StoreList.size() > 804 (unsigned)ClInstrumentationWithCallThreshold; 805 806 // Delayed instrumentation of StoreInst. 807 // This may add new checks to be inserted later. 808 materializeStores(InstrumentWithCalls); 809 810 // Insert shadow value checks. 811 materializeChecks(InstrumentWithCalls); 812 813 return true; 814 } 815 816 /// \brief Compute the shadow type that corresponds to a given Value. 817 Type *getShadowTy(Value *V) { 818 return getShadowTy(V->getType()); 819 } 820 821 /// \brief Compute the shadow type that corresponds to a given Type. 822 Type *getShadowTy(Type *OrigTy) { 823 if (!OrigTy->isSized()) { 824 return nullptr; 825 } 826 // For integer type, shadow is the same as the original type. 827 // This may return weird-sized types like i1. 828 if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy)) 829 return IT; 830 const DataLayout &DL = F.getParent()->getDataLayout(); 831 if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) { 832 uint32_t EltSize = DL.getTypeSizeInBits(VT->getElementType()); 833 return VectorType::get(IntegerType::get(*MS.C, EltSize), 834 VT->getNumElements()); 835 } 836 if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) { 837 return ArrayType::get(getShadowTy(AT->getElementType()), 838 AT->getNumElements()); 839 } 840 if (StructType *ST = dyn_cast<StructType>(OrigTy)) { 841 SmallVector<Type*, 4> Elements; 842 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++) 843 Elements.push_back(getShadowTy(ST->getElementType(i))); 844 StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked()); 845 DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n"); 846 return Res; 847 } 848 uint32_t TypeSize = DL.getTypeSizeInBits(OrigTy); 849 return IntegerType::get(*MS.C, TypeSize); 850 } 851 852 /// \brief Flatten a vector type. 853 Type *getShadowTyNoVec(Type *ty) { 854 if (VectorType *vt = dyn_cast<VectorType>(ty)) 855 return IntegerType::get(*MS.C, vt->getBitWidth()); 856 return ty; 857 } 858 859 /// \brief Convert a shadow value to it's flattened variant. 860 Value *convertToShadowTyNoVec(Value *V, IRBuilder<> &IRB) { 861 Type *Ty = V->getType(); 862 Type *NoVecTy = getShadowTyNoVec(Ty); 863 if (Ty == NoVecTy) return V; 864 return IRB.CreateBitCast(V, NoVecTy); 865 } 866 867 /// \brief Compute the integer shadow offset that corresponds to a given 868 /// application address. 869 /// 870 /// Offset = (Addr & ~AndMask) ^ XorMask 871 Value *getShadowPtrOffset(Value *Addr, IRBuilder<> &IRB) { 872 uint64_t AndMask = MS.MapParams->AndMask; 873 assert(AndMask != 0 && "AndMask shall be specified"); 874 Value *OffsetLong = 875 IRB.CreateAnd(IRB.CreatePointerCast(Addr, MS.IntptrTy), 876 ConstantInt::get(MS.IntptrTy, ~AndMask)); 877 878 uint64_t XorMask = MS.MapParams->XorMask; 879 if (XorMask != 0) 880 OffsetLong = IRB.CreateXor(OffsetLong, 881 ConstantInt::get(MS.IntptrTy, XorMask)); 882 return OffsetLong; 883 } 884 885 /// \brief Compute the shadow address that corresponds to a given application 886 /// address. 887 /// 888 /// Shadow = ShadowBase + Offset 889 Value *getShadowPtr(Value *Addr, Type *ShadowTy, 890 IRBuilder<> &IRB) { 891 Value *ShadowLong = getShadowPtrOffset(Addr, IRB); 892 uint64_t ShadowBase = MS.MapParams->ShadowBase; 893 if (ShadowBase != 0) 894 ShadowLong = 895 IRB.CreateAdd(ShadowLong, 896 ConstantInt::get(MS.IntptrTy, ShadowBase)); 897 return IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0)); 898 } 899 900 /// \brief Compute the origin address that corresponds to a given application 901 /// address. 902 /// 903 /// OriginAddr = (OriginBase + Offset) & ~3ULL 904 Value *getOriginPtr(Value *Addr, IRBuilder<> &IRB, unsigned Alignment) { 905 Value *OriginLong = getShadowPtrOffset(Addr, IRB); 906 uint64_t OriginBase = MS.MapParams->OriginBase; 907 if (OriginBase != 0) 908 OriginLong = 909 IRB.CreateAdd(OriginLong, 910 ConstantInt::get(MS.IntptrTy, OriginBase)); 911 if (Alignment < kMinOriginAlignment) { 912 uint64_t Mask = kMinOriginAlignment - 1; 913 OriginLong = IRB.CreateAnd(OriginLong, 914 ConstantInt::get(MS.IntptrTy, ~Mask)); 915 } 916 return IRB.CreateIntToPtr(OriginLong, 917 PointerType::get(IRB.getInt32Ty(), 0)); 918 } 919 920 /// \brief Compute the shadow address for a given function argument. 921 /// 922 /// Shadow = ParamTLS+ArgOffset. 923 Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB, 924 int ArgOffset) { 925 Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy); 926 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 927 return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0), 928 "_msarg"); 929 } 930 931 /// \brief Compute the origin address for a given function argument. 932 Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB, 933 int ArgOffset) { 934 if (!MS.TrackOrigins) return nullptr; 935 Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy); 936 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 937 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0), 938 "_msarg_o"); 939 } 940 941 /// \brief Compute the shadow address for a retval. 942 Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) { 943 Value *Base = IRB.CreatePointerCast(MS.RetvalTLS, MS.IntptrTy); 944 return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0), 945 "_msret"); 946 } 947 948 /// \brief Compute the origin address for a retval. 949 Value *getOriginPtrForRetval(IRBuilder<> &IRB) { 950 // We keep a single origin for the entire retval. Might be too optimistic. 951 return MS.RetvalOriginTLS; 952 } 953 954 /// \brief Set SV to be the shadow value for V. 955 void setShadow(Value *V, Value *SV) { 956 assert(!ShadowMap.count(V) && "Values may only have one shadow"); 957 ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V); 958 } 959 960 /// \brief Set Origin to be the origin value for V. 961 void setOrigin(Value *V, Value *Origin) { 962 if (!MS.TrackOrigins) return; 963 assert(!OriginMap.count(V) && "Values may only have one origin"); 964 DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n"); 965 OriginMap[V] = Origin; 966 } 967 968 /// \brief Create a clean shadow value for a given value. 969 /// 970 /// Clean shadow (all zeroes) means all bits of the value are defined 971 /// (initialized). 972 Constant *getCleanShadow(Value *V) { 973 Type *ShadowTy = getShadowTy(V); 974 if (!ShadowTy) 975 return nullptr; 976 return Constant::getNullValue(ShadowTy); 977 } 978 979 /// \brief Create a dirty shadow of a given shadow type. 980 Constant *getPoisonedShadow(Type *ShadowTy) { 981 assert(ShadowTy); 982 if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) 983 return Constant::getAllOnesValue(ShadowTy); 984 if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) { 985 SmallVector<Constant *, 4> Vals(AT->getNumElements(), 986 getPoisonedShadow(AT->getElementType())); 987 return ConstantArray::get(AT, Vals); 988 } 989 if (StructType *ST = dyn_cast<StructType>(ShadowTy)) { 990 SmallVector<Constant *, 4> Vals; 991 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++) 992 Vals.push_back(getPoisonedShadow(ST->getElementType(i))); 993 return ConstantStruct::get(ST, Vals); 994 } 995 llvm_unreachable("Unexpected shadow type"); 996 } 997 998 /// \brief Create a dirty shadow for a given value. 999 Constant *getPoisonedShadow(Value *V) { 1000 Type *ShadowTy = getShadowTy(V); 1001 if (!ShadowTy) 1002 return nullptr; 1003 return getPoisonedShadow(ShadowTy); 1004 } 1005 1006 /// \brief Create a clean (zero) origin. 1007 Value *getCleanOrigin() { 1008 return Constant::getNullValue(MS.OriginTy); 1009 } 1010 1011 /// \brief Get the shadow value for a given Value. 1012 /// 1013 /// This function either returns the value set earlier with setShadow, 1014 /// or extracts if from ParamTLS (for function arguments). 1015 Value *getShadow(Value *V) { 1016 if (!PropagateShadow) return getCleanShadow(V); 1017 if (Instruction *I = dyn_cast<Instruction>(V)) { 1018 // For instructions the shadow is already stored in the map. 1019 Value *Shadow = ShadowMap[V]; 1020 if (!Shadow) { 1021 DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent())); 1022 (void)I; 1023 assert(Shadow && "No shadow for a value"); 1024 } 1025 return Shadow; 1026 } 1027 if (UndefValue *U = dyn_cast<UndefValue>(V)) { 1028 Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V); 1029 DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n"); 1030 (void)U; 1031 return AllOnes; 1032 } 1033 if (Argument *A = dyn_cast<Argument>(V)) { 1034 // For arguments we compute the shadow on demand and store it in the map. 1035 Value **ShadowPtr = &ShadowMap[V]; 1036 if (*ShadowPtr) 1037 return *ShadowPtr; 1038 Function *F = A->getParent(); 1039 IRBuilder<> EntryIRB(F->getEntryBlock().getFirstNonPHI()); 1040 unsigned ArgOffset = 0; 1041 const DataLayout &DL = F->getParent()->getDataLayout(); 1042 for (auto &FArg : F->args()) { 1043 if (!FArg.getType()->isSized()) { 1044 DEBUG(dbgs() << "Arg is not sized\n"); 1045 continue; 1046 } 1047 unsigned Size = 1048 FArg.hasByValAttr() 1049 ? DL.getTypeAllocSize(FArg.getType()->getPointerElementType()) 1050 : DL.getTypeAllocSize(FArg.getType()); 1051 if (A == &FArg) { 1052 bool Overflow = ArgOffset + Size > kParamTLSSize; 1053 Value *Base = getShadowPtrForArgument(&FArg, EntryIRB, ArgOffset); 1054 if (FArg.hasByValAttr()) { 1055 // ByVal pointer itself has clean shadow. We copy the actual 1056 // argument shadow to the underlying memory. 1057 // Figure out maximal valid memcpy alignment. 1058 unsigned ArgAlign = FArg.getParamAlignment(); 1059 if (ArgAlign == 0) { 1060 Type *EltType = A->getType()->getPointerElementType(); 1061 ArgAlign = DL.getABITypeAlignment(EltType); 1062 } 1063 if (Overflow) { 1064 // ParamTLS overflow. 1065 EntryIRB.CreateMemSet( 1066 getShadowPtr(V, EntryIRB.getInt8Ty(), EntryIRB), 1067 Constant::getNullValue(EntryIRB.getInt8Ty()), Size, ArgAlign); 1068 } else { 1069 unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment); 1070 Value *Cpy = EntryIRB.CreateMemCpy( 1071 getShadowPtr(V, EntryIRB.getInt8Ty(), EntryIRB), Base, Size, 1072 CopyAlign); 1073 DEBUG(dbgs() << " ByValCpy: " << *Cpy << "\n"); 1074 (void)Cpy; 1075 } 1076 *ShadowPtr = getCleanShadow(V); 1077 } else { 1078 if (Overflow) { 1079 // ParamTLS overflow. 1080 *ShadowPtr = getCleanShadow(V); 1081 } else { 1082 *ShadowPtr = 1083 EntryIRB.CreateAlignedLoad(Base, kShadowTLSAlignment); 1084 } 1085 } 1086 DEBUG(dbgs() << " ARG: " << FArg << " ==> " << 1087 **ShadowPtr << "\n"); 1088 if (MS.TrackOrigins && !Overflow) { 1089 Value *OriginPtr = 1090 getOriginPtrForArgument(&FArg, EntryIRB, ArgOffset); 1091 setOrigin(A, EntryIRB.CreateLoad(OriginPtr)); 1092 } else { 1093 setOrigin(A, getCleanOrigin()); 1094 } 1095 } 1096 ArgOffset += RoundUpToAlignment(Size, kShadowTLSAlignment); 1097 } 1098 assert(*ShadowPtr && "Could not find shadow for an argument"); 1099 return *ShadowPtr; 1100 } 1101 // For everything else the shadow is zero. 1102 return getCleanShadow(V); 1103 } 1104 1105 /// \brief Get the shadow for i-th argument of the instruction I. 1106 Value *getShadow(Instruction *I, int i) { 1107 return getShadow(I->getOperand(i)); 1108 } 1109 1110 /// \brief Get the origin for a value. 1111 Value *getOrigin(Value *V) { 1112 if (!MS.TrackOrigins) return nullptr; 1113 if (!PropagateShadow) return getCleanOrigin(); 1114 if (isa<Constant>(V)) return getCleanOrigin(); 1115 assert((isa<Instruction>(V) || isa<Argument>(V)) && 1116 "Unexpected value type in getOrigin()"); 1117 Value *Origin = OriginMap[V]; 1118 assert(Origin && "Missing origin"); 1119 return Origin; 1120 } 1121 1122 /// \brief Get the origin for i-th argument of the instruction I. 1123 Value *getOrigin(Instruction *I, int i) { 1124 return getOrigin(I->getOperand(i)); 1125 } 1126 1127 /// \brief Remember the place where a shadow check should be inserted. 1128 /// 1129 /// This location will be later instrumented with a check that will print a 1130 /// UMR warning in runtime if the shadow value is not 0. 1131 void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) { 1132 assert(Shadow); 1133 if (!InsertChecks) return; 1134 #ifndef NDEBUG 1135 Type *ShadowTy = Shadow->getType(); 1136 assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) && 1137 "Can only insert checks for integer and vector shadow types"); 1138 #endif 1139 InstrumentationList.push_back( 1140 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns)); 1141 } 1142 1143 /// \brief Remember the place where a shadow check should be inserted. 1144 /// 1145 /// This location will be later instrumented with a check that will print a 1146 /// UMR warning in runtime if the value is not fully defined. 1147 void insertShadowCheck(Value *Val, Instruction *OrigIns) { 1148 assert(Val); 1149 Value *Shadow, *Origin; 1150 if (ClCheckConstantShadow) { 1151 Shadow = getShadow(Val); 1152 if (!Shadow) return; 1153 Origin = getOrigin(Val); 1154 } else { 1155 Shadow = dyn_cast_or_null<Instruction>(getShadow(Val)); 1156 if (!Shadow) return; 1157 Origin = dyn_cast_or_null<Instruction>(getOrigin(Val)); 1158 } 1159 insertShadowCheck(Shadow, Origin, OrigIns); 1160 } 1161 1162 AtomicOrdering addReleaseOrdering(AtomicOrdering a) { 1163 switch (a) { 1164 case NotAtomic: 1165 return NotAtomic; 1166 case Unordered: 1167 case Monotonic: 1168 case Release: 1169 return Release; 1170 case Acquire: 1171 case AcquireRelease: 1172 return AcquireRelease; 1173 case SequentiallyConsistent: 1174 return SequentiallyConsistent; 1175 } 1176 llvm_unreachable("Unknown ordering"); 1177 } 1178 1179 AtomicOrdering addAcquireOrdering(AtomicOrdering a) { 1180 switch (a) { 1181 case NotAtomic: 1182 return NotAtomic; 1183 case Unordered: 1184 case Monotonic: 1185 case Acquire: 1186 return Acquire; 1187 case Release: 1188 case AcquireRelease: 1189 return AcquireRelease; 1190 case SequentiallyConsistent: 1191 return SequentiallyConsistent; 1192 } 1193 llvm_unreachable("Unknown ordering"); 1194 } 1195 1196 // ------------------- Visitors. 1197 1198 /// \brief Instrument LoadInst 1199 /// 1200 /// Loads the corresponding shadow and (optionally) origin. 1201 /// Optionally, checks that the load address is fully defined. 1202 void visitLoadInst(LoadInst &I) { 1203 assert(I.getType()->isSized() && "Load type must have size"); 1204 IRBuilder<> IRB(I.getNextNode()); 1205 Type *ShadowTy = getShadowTy(&I); 1206 Value *Addr = I.getPointerOperand(); 1207 if (PropagateShadow && !I.getMetadata("nosanitize")) { 1208 Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB); 1209 setShadow(&I, 1210 IRB.CreateAlignedLoad(ShadowPtr, I.getAlignment(), "_msld")); 1211 } else { 1212 setShadow(&I, getCleanShadow(&I)); 1213 } 1214 1215 if (ClCheckAccessAddress) 1216 insertShadowCheck(I.getPointerOperand(), &I); 1217 1218 if (I.isAtomic()) 1219 I.setOrdering(addAcquireOrdering(I.getOrdering())); 1220 1221 if (MS.TrackOrigins) { 1222 if (PropagateShadow) { 1223 unsigned Alignment = I.getAlignment(); 1224 unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment); 1225 setOrigin(&I, IRB.CreateAlignedLoad(getOriginPtr(Addr, IRB, Alignment), 1226 OriginAlignment)); 1227 } else { 1228 setOrigin(&I, getCleanOrigin()); 1229 } 1230 } 1231 } 1232 1233 /// \brief Instrument StoreInst 1234 /// 1235 /// Stores the corresponding shadow and (optionally) origin. 1236 /// Optionally, checks that the store address is fully defined. 1237 void visitStoreInst(StoreInst &I) { 1238 StoreList.push_back(&I); 1239 } 1240 1241 void handleCASOrRMW(Instruction &I) { 1242 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I)); 1243 1244 IRBuilder<> IRB(&I); 1245 Value *Addr = I.getOperand(0); 1246 Value *ShadowPtr = getShadowPtr(Addr, I.getType(), IRB); 1247 1248 if (ClCheckAccessAddress) 1249 insertShadowCheck(Addr, &I); 1250 1251 // Only test the conditional argument of cmpxchg instruction. 1252 // The other argument can potentially be uninitialized, but we can not 1253 // detect this situation reliably without possible false positives. 1254 if (isa<AtomicCmpXchgInst>(I)) 1255 insertShadowCheck(I.getOperand(1), &I); 1256 1257 IRB.CreateStore(getCleanShadow(&I), ShadowPtr); 1258 1259 setShadow(&I, getCleanShadow(&I)); 1260 setOrigin(&I, getCleanOrigin()); 1261 } 1262 1263 void visitAtomicRMWInst(AtomicRMWInst &I) { 1264 handleCASOrRMW(I); 1265 I.setOrdering(addReleaseOrdering(I.getOrdering())); 1266 } 1267 1268 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) { 1269 handleCASOrRMW(I); 1270 I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering())); 1271 } 1272 1273 // Vector manipulation. 1274 void visitExtractElementInst(ExtractElementInst &I) { 1275 insertShadowCheck(I.getOperand(1), &I); 1276 IRBuilder<> IRB(&I); 1277 setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1), 1278 "_msprop")); 1279 setOrigin(&I, getOrigin(&I, 0)); 1280 } 1281 1282 void visitInsertElementInst(InsertElementInst &I) { 1283 insertShadowCheck(I.getOperand(2), &I); 1284 IRBuilder<> IRB(&I); 1285 setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1), 1286 I.getOperand(2), "_msprop")); 1287 setOriginForNaryOp(I); 1288 } 1289 1290 void visitShuffleVectorInst(ShuffleVectorInst &I) { 1291 insertShadowCheck(I.getOperand(2), &I); 1292 IRBuilder<> IRB(&I); 1293 setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1), 1294 I.getOperand(2), "_msprop")); 1295 setOriginForNaryOp(I); 1296 } 1297 1298 // Casts. 1299 void visitSExtInst(SExtInst &I) { 1300 IRBuilder<> IRB(&I); 1301 setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop")); 1302 setOrigin(&I, getOrigin(&I, 0)); 1303 } 1304 1305 void visitZExtInst(ZExtInst &I) { 1306 IRBuilder<> IRB(&I); 1307 setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop")); 1308 setOrigin(&I, getOrigin(&I, 0)); 1309 } 1310 1311 void visitTruncInst(TruncInst &I) { 1312 IRBuilder<> IRB(&I); 1313 setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop")); 1314 setOrigin(&I, getOrigin(&I, 0)); 1315 } 1316 1317 void visitBitCastInst(BitCastInst &I) { 1318 IRBuilder<> IRB(&I); 1319 setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I))); 1320 setOrigin(&I, getOrigin(&I, 0)); 1321 } 1322 1323 void visitPtrToIntInst(PtrToIntInst &I) { 1324 IRBuilder<> IRB(&I); 1325 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false, 1326 "_msprop_ptrtoint")); 1327 setOrigin(&I, getOrigin(&I, 0)); 1328 } 1329 1330 void visitIntToPtrInst(IntToPtrInst &I) { 1331 IRBuilder<> IRB(&I); 1332 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false, 1333 "_msprop_inttoptr")); 1334 setOrigin(&I, getOrigin(&I, 0)); 1335 } 1336 1337 void visitFPToSIInst(CastInst& I) { handleShadowOr(I); } 1338 void visitFPToUIInst(CastInst& I) { handleShadowOr(I); } 1339 void visitSIToFPInst(CastInst& I) { handleShadowOr(I); } 1340 void visitUIToFPInst(CastInst& I) { handleShadowOr(I); } 1341 void visitFPExtInst(CastInst& I) { handleShadowOr(I); } 1342 void visitFPTruncInst(CastInst& I) { handleShadowOr(I); } 1343 1344 /// \brief Propagate shadow for bitwise AND. 1345 /// 1346 /// This code is exact, i.e. if, for example, a bit in the left argument 1347 /// is defined and 0, then neither the value not definedness of the 1348 /// corresponding bit in B don't affect the resulting shadow. 1349 void visitAnd(BinaryOperator &I) { 1350 IRBuilder<> IRB(&I); 1351 // "And" of 0 and a poisoned value results in unpoisoned value. 1352 // 1&1 => 1; 0&1 => 0; p&1 => p; 1353 // 1&0 => 0; 0&0 => 0; p&0 => 0; 1354 // 1&p => p; 0&p => 0; p&p => p; 1355 // S = (S1 & S2) | (V1 & S2) | (S1 & V2) 1356 Value *S1 = getShadow(&I, 0); 1357 Value *S2 = getShadow(&I, 1); 1358 Value *V1 = I.getOperand(0); 1359 Value *V2 = I.getOperand(1); 1360 if (V1->getType() != S1->getType()) { 1361 V1 = IRB.CreateIntCast(V1, S1->getType(), false); 1362 V2 = IRB.CreateIntCast(V2, S2->getType(), false); 1363 } 1364 Value *S1S2 = IRB.CreateAnd(S1, S2); 1365 Value *V1S2 = IRB.CreateAnd(V1, S2); 1366 Value *S1V2 = IRB.CreateAnd(S1, V2); 1367 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2))); 1368 setOriginForNaryOp(I); 1369 } 1370 1371 void visitOr(BinaryOperator &I) { 1372 IRBuilder<> IRB(&I); 1373 // "Or" of 1 and a poisoned value results in unpoisoned value. 1374 // 1|1 => 1; 0|1 => 1; p|1 => 1; 1375 // 1|0 => 1; 0|0 => 0; p|0 => p; 1376 // 1|p => 1; 0|p => p; p|p => p; 1377 // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2) 1378 Value *S1 = getShadow(&I, 0); 1379 Value *S2 = getShadow(&I, 1); 1380 Value *V1 = IRB.CreateNot(I.getOperand(0)); 1381 Value *V2 = IRB.CreateNot(I.getOperand(1)); 1382 if (V1->getType() != S1->getType()) { 1383 V1 = IRB.CreateIntCast(V1, S1->getType(), false); 1384 V2 = IRB.CreateIntCast(V2, S2->getType(), false); 1385 } 1386 Value *S1S2 = IRB.CreateAnd(S1, S2); 1387 Value *V1S2 = IRB.CreateAnd(V1, S2); 1388 Value *S1V2 = IRB.CreateAnd(S1, V2); 1389 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2))); 1390 setOriginForNaryOp(I); 1391 } 1392 1393 /// \brief Default propagation of shadow and/or origin. 1394 /// 1395 /// This class implements the general case of shadow propagation, used in all 1396 /// cases where we don't know and/or don't care about what the operation 1397 /// actually does. It converts all input shadow values to a common type 1398 /// (extending or truncating as necessary), and bitwise OR's them. 1399 /// 1400 /// This is much cheaper than inserting checks (i.e. requiring inputs to be 1401 /// fully initialized), and less prone to false positives. 1402 /// 1403 /// This class also implements the general case of origin propagation. For a 1404 /// Nary operation, result origin is set to the origin of an argument that is 1405 /// not entirely initialized. If there is more than one such arguments, the 1406 /// rightmost of them is picked. It does not matter which one is picked if all 1407 /// arguments are initialized. 1408 template <bool CombineShadow> 1409 class Combiner { 1410 Value *Shadow; 1411 Value *Origin; 1412 IRBuilder<> &IRB; 1413 MemorySanitizerVisitor *MSV; 1414 1415 public: 1416 Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB) : 1417 Shadow(nullptr), Origin(nullptr), IRB(IRB), MSV(MSV) {} 1418 1419 /// \brief Add a pair of shadow and origin values to the mix. 1420 Combiner &Add(Value *OpShadow, Value *OpOrigin) { 1421 if (CombineShadow) { 1422 assert(OpShadow); 1423 if (!Shadow) 1424 Shadow = OpShadow; 1425 else { 1426 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType()); 1427 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop"); 1428 } 1429 } 1430 1431 if (MSV->MS.TrackOrigins) { 1432 assert(OpOrigin); 1433 if (!Origin) { 1434 Origin = OpOrigin; 1435 } else { 1436 Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin); 1437 // No point in adding something that might result in 0 origin value. 1438 if (!ConstOrigin || !ConstOrigin->isNullValue()) { 1439 Value *FlatShadow = MSV->convertToShadowTyNoVec(OpShadow, IRB); 1440 Value *Cond = 1441 IRB.CreateICmpNE(FlatShadow, MSV->getCleanShadow(FlatShadow)); 1442 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin); 1443 } 1444 } 1445 } 1446 return *this; 1447 } 1448 1449 /// \brief Add an application value to the mix. 1450 Combiner &Add(Value *V) { 1451 Value *OpShadow = MSV->getShadow(V); 1452 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr; 1453 return Add(OpShadow, OpOrigin); 1454 } 1455 1456 /// \brief Set the current combined values as the given instruction's shadow 1457 /// and origin. 1458 void Done(Instruction *I) { 1459 if (CombineShadow) { 1460 assert(Shadow); 1461 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I)); 1462 MSV->setShadow(I, Shadow); 1463 } 1464 if (MSV->MS.TrackOrigins) { 1465 assert(Origin); 1466 MSV->setOrigin(I, Origin); 1467 } 1468 } 1469 }; 1470 1471 typedef Combiner<true> ShadowAndOriginCombiner; 1472 typedef Combiner<false> OriginCombiner; 1473 1474 /// \brief Propagate origin for arbitrary operation. 1475 void setOriginForNaryOp(Instruction &I) { 1476 if (!MS.TrackOrigins) return; 1477 IRBuilder<> IRB(&I); 1478 OriginCombiner OC(this, IRB); 1479 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1480 OC.Add(OI->get()); 1481 OC.Done(&I); 1482 } 1483 1484 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) { 1485 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) && 1486 "Vector of pointers is not a valid shadow type"); 1487 return Ty->isVectorTy() ? 1488 Ty->getVectorNumElements() * Ty->getScalarSizeInBits() : 1489 Ty->getPrimitiveSizeInBits(); 1490 } 1491 1492 /// \brief Cast between two shadow types, extending or truncating as 1493 /// necessary. 1494 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy, 1495 bool Signed = false) { 1496 Type *srcTy = V->getType(); 1497 if (dstTy->isIntegerTy() && srcTy->isIntegerTy()) 1498 return IRB.CreateIntCast(V, dstTy, Signed); 1499 if (dstTy->isVectorTy() && srcTy->isVectorTy() && 1500 dstTy->getVectorNumElements() == srcTy->getVectorNumElements()) 1501 return IRB.CreateIntCast(V, dstTy, Signed); 1502 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy); 1503 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy); 1504 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits)); 1505 Value *V2 = 1506 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed); 1507 return IRB.CreateBitCast(V2, dstTy); 1508 // TODO: handle struct types. 1509 } 1510 1511 /// \brief Cast an application value to the type of its own shadow. 1512 Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) { 1513 Type *ShadowTy = getShadowTy(V); 1514 if (V->getType() == ShadowTy) 1515 return V; 1516 if (V->getType()->isPtrOrPtrVectorTy()) 1517 return IRB.CreatePtrToInt(V, ShadowTy); 1518 else 1519 return IRB.CreateBitCast(V, ShadowTy); 1520 } 1521 1522 /// \brief Propagate shadow for arbitrary operation. 1523 void handleShadowOr(Instruction &I) { 1524 IRBuilder<> IRB(&I); 1525 ShadowAndOriginCombiner SC(this, IRB); 1526 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI) 1527 SC.Add(OI->get()); 1528 SC.Done(&I); 1529 } 1530 1531 // \brief Handle multiplication by constant. 1532 // 1533 // Handle a special case of multiplication by constant that may have one or 1534 // more zeros in the lower bits. This makes corresponding number of lower bits 1535 // of the result zero as well. We model it by shifting the other operand 1536 // shadow left by the required number of bits. Effectively, we transform 1537 // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B). 1538 // We use multiplication by 2**N instead of shift to cover the case of 1539 // multiplication by 0, which may occur in some elements of a vector operand. 1540 void handleMulByConstant(BinaryOperator &I, Constant *ConstArg, 1541 Value *OtherArg) { 1542 Constant *ShadowMul; 1543 Type *Ty = ConstArg->getType(); 1544 if (Ty->isVectorTy()) { 1545 unsigned NumElements = Ty->getVectorNumElements(); 1546 Type *EltTy = Ty->getSequentialElementType(); 1547 SmallVector<Constant *, 16> Elements; 1548 for (unsigned Idx = 0; Idx < NumElements; ++Idx) { 1549 ConstantInt *Elt = 1550 dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx)); 1551 APInt V = Elt->getValue(); 1552 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros(); 1553 Elements.push_back(ConstantInt::get(EltTy, V2)); 1554 } 1555 ShadowMul = ConstantVector::get(Elements); 1556 } else { 1557 ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg); 1558 APInt V = Elt->getValue(); 1559 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros(); 1560 ShadowMul = ConstantInt::get(Elt->getType(), V2); 1561 } 1562 1563 IRBuilder<> IRB(&I); 1564 setShadow(&I, 1565 IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst")); 1566 setOrigin(&I, getOrigin(OtherArg)); 1567 } 1568 1569 void visitMul(BinaryOperator &I) { 1570 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0)); 1571 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1)); 1572 if (constOp0 && !constOp1) 1573 handleMulByConstant(I, constOp0, I.getOperand(1)); 1574 else if (constOp1 && !constOp0) 1575 handleMulByConstant(I, constOp1, I.getOperand(0)); 1576 else 1577 handleShadowOr(I); 1578 } 1579 1580 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); } 1581 void visitFSub(BinaryOperator &I) { handleShadowOr(I); } 1582 void visitFMul(BinaryOperator &I) { handleShadowOr(I); } 1583 void visitAdd(BinaryOperator &I) { handleShadowOr(I); } 1584 void visitSub(BinaryOperator &I) { handleShadowOr(I); } 1585 void visitXor(BinaryOperator &I) { handleShadowOr(I); } 1586 1587 void handleDiv(Instruction &I) { 1588 IRBuilder<> IRB(&I); 1589 // Strict on the second argument. 1590 insertShadowCheck(I.getOperand(1), &I); 1591 setShadow(&I, getShadow(&I, 0)); 1592 setOrigin(&I, getOrigin(&I, 0)); 1593 } 1594 1595 void visitUDiv(BinaryOperator &I) { handleDiv(I); } 1596 void visitSDiv(BinaryOperator &I) { handleDiv(I); } 1597 void visitFDiv(BinaryOperator &I) { handleDiv(I); } 1598 void visitURem(BinaryOperator &I) { handleDiv(I); } 1599 void visitSRem(BinaryOperator &I) { handleDiv(I); } 1600 void visitFRem(BinaryOperator &I) { handleDiv(I); } 1601 1602 /// \brief Instrument == and != comparisons. 1603 /// 1604 /// Sometimes the comparison result is known even if some of the bits of the 1605 /// arguments are not. 1606 void handleEqualityComparison(ICmpInst &I) { 1607 IRBuilder<> IRB(&I); 1608 Value *A = I.getOperand(0); 1609 Value *B = I.getOperand(1); 1610 Value *Sa = getShadow(A); 1611 Value *Sb = getShadow(B); 1612 1613 // Get rid of pointers and vectors of pointers. 1614 // For ints (and vectors of ints), types of A and Sa match, 1615 // and this is a no-op. 1616 A = IRB.CreatePointerCast(A, Sa->getType()); 1617 B = IRB.CreatePointerCast(B, Sb->getType()); 1618 1619 // A == B <==> (C = A^B) == 0 1620 // A != B <==> (C = A^B) != 0 1621 // Sc = Sa | Sb 1622 Value *C = IRB.CreateXor(A, B); 1623 Value *Sc = IRB.CreateOr(Sa, Sb); 1624 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now) 1625 // Result is defined if one of the following is true 1626 // * there is a defined 1 bit in C 1627 // * C is fully defined 1628 // Si = !(C & ~Sc) && Sc 1629 Value *Zero = Constant::getNullValue(Sc->getType()); 1630 Value *MinusOne = Constant::getAllOnesValue(Sc->getType()); 1631 Value *Si = 1632 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero), 1633 IRB.CreateICmpEQ( 1634 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero)); 1635 Si->setName("_msprop_icmp"); 1636 setShadow(&I, Si); 1637 setOriginForNaryOp(I); 1638 } 1639 1640 /// \brief Build the lowest possible value of V, taking into account V's 1641 /// uninitialized bits. 1642 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1643 bool isSigned) { 1644 if (isSigned) { 1645 // Split shadow into sign bit and other bits. 1646 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1647 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1648 // Maximise the undefined shadow bit, minimize other undefined bits. 1649 return 1650 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit); 1651 } else { 1652 // Minimize undefined bits. 1653 return IRB.CreateAnd(A, IRB.CreateNot(Sa)); 1654 } 1655 } 1656 1657 /// \brief Build the highest possible value of V, taking into account V's 1658 /// uninitialized bits. 1659 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa, 1660 bool isSigned) { 1661 if (isSigned) { 1662 // Split shadow into sign bit and other bits. 1663 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1); 1664 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits); 1665 // Minimise the undefined shadow bit, maximise other undefined bits. 1666 return 1667 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits); 1668 } else { 1669 // Maximize undefined bits. 1670 return IRB.CreateOr(A, Sa); 1671 } 1672 } 1673 1674 /// \brief Instrument relational comparisons. 1675 /// 1676 /// This function does exact shadow propagation for all relational 1677 /// comparisons of integers, pointers and vectors of those. 1678 /// FIXME: output seems suboptimal when one of the operands is a constant 1679 void handleRelationalComparisonExact(ICmpInst &I) { 1680 IRBuilder<> IRB(&I); 1681 Value *A = I.getOperand(0); 1682 Value *B = I.getOperand(1); 1683 Value *Sa = getShadow(A); 1684 Value *Sb = getShadow(B); 1685 1686 // Get rid of pointers and vectors of pointers. 1687 // For ints (and vectors of ints), types of A and Sa match, 1688 // and this is a no-op. 1689 A = IRB.CreatePointerCast(A, Sa->getType()); 1690 B = IRB.CreatePointerCast(B, Sb->getType()); 1691 1692 // Let [a0, a1] be the interval of possible values of A, taking into account 1693 // its undefined bits. Let [b0, b1] be the interval of possible values of B. 1694 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0). 1695 bool IsSigned = I.isSigned(); 1696 Value *S1 = IRB.CreateICmp(I.getPredicate(), 1697 getLowestPossibleValue(IRB, A, Sa, IsSigned), 1698 getHighestPossibleValue(IRB, B, Sb, IsSigned)); 1699 Value *S2 = IRB.CreateICmp(I.getPredicate(), 1700 getHighestPossibleValue(IRB, A, Sa, IsSigned), 1701 getLowestPossibleValue(IRB, B, Sb, IsSigned)); 1702 Value *Si = IRB.CreateXor(S1, S2); 1703 setShadow(&I, Si); 1704 setOriginForNaryOp(I); 1705 } 1706 1707 /// \brief Instrument signed relational comparisons. 1708 /// 1709 /// Handle (x<0) and (x>=0) comparisons (essentially, sign bit tests) by 1710 /// propagating the highest bit of the shadow. Everything else is delegated 1711 /// to handleShadowOr(). 1712 void handleSignedRelationalComparison(ICmpInst &I) { 1713 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0)); 1714 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1)); 1715 Value* op = nullptr; 1716 CmpInst::Predicate pre = I.getPredicate(); 1717 if (constOp0 && constOp0->isNullValue() && 1718 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE)) { 1719 op = I.getOperand(1); 1720 } else if (constOp1 && constOp1->isNullValue() && 1721 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) { 1722 op = I.getOperand(0); 1723 } 1724 if (op) { 1725 IRBuilder<> IRB(&I); 1726 Value* Shadow = 1727 IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op), "_msprop_icmpslt"); 1728 setShadow(&I, Shadow); 1729 setOrigin(&I, getOrigin(op)); 1730 } else { 1731 handleShadowOr(I); 1732 } 1733 } 1734 1735 void visitICmpInst(ICmpInst &I) { 1736 if (!ClHandleICmp) { 1737 handleShadowOr(I); 1738 return; 1739 } 1740 if (I.isEquality()) { 1741 handleEqualityComparison(I); 1742 return; 1743 } 1744 1745 assert(I.isRelational()); 1746 if (ClHandleICmpExact) { 1747 handleRelationalComparisonExact(I); 1748 return; 1749 } 1750 if (I.isSigned()) { 1751 handleSignedRelationalComparison(I); 1752 return; 1753 } 1754 1755 assert(I.isUnsigned()); 1756 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) { 1757 handleRelationalComparisonExact(I); 1758 return; 1759 } 1760 1761 handleShadowOr(I); 1762 } 1763 1764 void visitFCmpInst(FCmpInst &I) { 1765 handleShadowOr(I); 1766 } 1767 1768 void handleShift(BinaryOperator &I) { 1769 IRBuilder<> IRB(&I); 1770 // If any of the S2 bits are poisoned, the whole thing is poisoned. 1771 // Otherwise perform the same shift on S1. 1772 Value *S1 = getShadow(&I, 0); 1773 Value *S2 = getShadow(&I, 1); 1774 Value *S2Conv = IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)), 1775 S2->getType()); 1776 Value *V2 = I.getOperand(1); 1777 Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2); 1778 setShadow(&I, IRB.CreateOr(Shift, S2Conv)); 1779 setOriginForNaryOp(I); 1780 } 1781 1782 void visitShl(BinaryOperator &I) { handleShift(I); } 1783 void visitAShr(BinaryOperator &I) { handleShift(I); } 1784 void visitLShr(BinaryOperator &I) { handleShift(I); } 1785 1786 /// \brief Instrument llvm.memmove 1787 /// 1788 /// At this point we don't know if llvm.memmove will be inlined or not. 1789 /// If we don't instrument it and it gets inlined, 1790 /// our interceptor will not kick in and we will lose the memmove. 1791 /// If we instrument the call here, but it does not get inlined, 1792 /// we will memove the shadow twice: which is bad in case 1793 /// of overlapping regions. So, we simply lower the intrinsic to a call. 1794 /// 1795 /// Similar situation exists for memcpy and memset. 1796 void visitMemMoveInst(MemMoveInst &I) { 1797 IRBuilder<> IRB(&I); 1798 IRB.CreateCall3( 1799 MS.MemmoveFn, 1800 IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()), 1801 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()), 1802 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)); 1803 I.eraseFromParent(); 1804 } 1805 1806 // Similar to memmove: avoid copying shadow twice. 1807 // This is somewhat unfortunate as it may slowdown small constant memcpys. 1808 // FIXME: consider doing manual inline for small constant sizes and proper 1809 // alignment. 1810 void visitMemCpyInst(MemCpyInst &I) { 1811 IRBuilder<> IRB(&I); 1812 IRB.CreateCall3( 1813 MS.MemcpyFn, 1814 IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()), 1815 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()), 1816 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)); 1817 I.eraseFromParent(); 1818 } 1819 1820 // Same as memcpy. 1821 void visitMemSetInst(MemSetInst &I) { 1822 IRBuilder<> IRB(&I); 1823 IRB.CreateCall3( 1824 MS.MemsetFn, 1825 IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()), 1826 IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false), 1827 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)); 1828 I.eraseFromParent(); 1829 } 1830 1831 void visitVAStartInst(VAStartInst &I) { 1832 VAHelper->visitVAStartInst(I); 1833 } 1834 1835 void visitVACopyInst(VACopyInst &I) { 1836 VAHelper->visitVACopyInst(I); 1837 } 1838 1839 enum IntrinsicKind { 1840 IK_DoesNotAccessMemory, 1841 IK_OnlyReadsMemory, 1842 IK_WritesMemory 1843 }; 1844 1845 static IntrinsicKind getIntrinsicKind(Intrinsic::ID iid) { 1846 const int DoesNotAccessMemory = IK_DoesNotAccessMemory; 1847 const int OnlyReadsArgumentPointees = IK_OnlyReadsMemory; 1848 const int OnlyReadsMemory = IK_OnlyReadsMemory; 1849 const int OnlyAccessesArgumentPointees = IK_WritesMemory; 1850 const int UnknownModRefBehavior = IK_WritesMemory; 1851 #define GET_INTRINSIC_MODREF_BEHAVIOR 1852 #define ModRefBehavior IntrinsicKind 1853 #include "llvm/IR/Intrinsics.gen" 1854 #undef ModRefBehavior 1855 #undef GET_INTRINSIC_MODREF_BEHAVIOR 1856 } 1857 1858 /// \brief Handle vector store-like intrinsics. 1859 /// 1860 /// Instrument intrinsics that look like a simple SIMD store: writes memory, 1861 /// has 1 pointer argument and 1 vector argument, returns void. 1862 bool handleVectorStoreIntrinsic(IntrinsicInst &I) { 1863 IRBuilder<> IRB(&I); 1864 Value* Addr = I.getArgOperand(0); 1865 Value *Shadow = getShadow(&I, 1); 1866 Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB); 1867 1868 // We don't know the pointer alignment (could be unaligned SSE store!). 1869 // Have to assume to worst case. 1870 IRB.CreateAlignedStore(Shadow, ShadowPtr, 1); 1871 1872 if (ClCheckAccessAddress) 1873 insertShadowCheck(Addr, &I); 1874 1875 // FIXME: use ClStoreCleanOrigin 1876 // FIXME: factor out common code from materializeStores 1877 if (MS.TrackOrigins) 1878 IRB.CreateStore(getOrigin(&I, 1), getOriginPtr(Addr, IRB, 1)); 1879 return true; 1880 } 1881 1882 /// \brief Handle vector load-like intrinsics. 1883 /// 1884 /// Instrument intrinsics that look like a simple SIMD load: reads memory, 1885 /// has 1 pointer argument, returns a vector. 1886 bool handleVectorLoadIntrinsic(IntrinsicInst &I) { 1887 IRBuilder<> IRB(&I); 1888 Value *Addr = I.getArgOperand(0); 1889 1890 Type *ShadowTy = getShadowTy(&I); 1891 if (PropagateShadow) { 1892 Value *ShadowPtr = getShadowPtr(Addr, ShadowTy, IRB); 1893 // We don't know the pointer alignment (could be unaligned SSE load!). 1894 // Have to assume to worst case. 1895 setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, 1, "_msld")); 1896 } else { 1897 setShadow(&I, getCleanShadow(&I)); 1898 } 1899 1900 if (ClCheckAccessAddress) 1901 insertShadowCheck(Addr, &I); 1902 1903 if (MS.TrackOrigins) { 1904 if (PropagateShadow) 1905 setOrigin(&I, IRB.CreateLoad(getOriginPtr(Addr, IRB, 1))); 1906 else 1907 setOrigin(&I, getCleanOrigin()); 1908 } 1909 return true; 1910 } 1911 1912 /// \brief Handle (SIMD arithmetic)-like intrinsics. 1913 /// 1914 /// Instrument intrinsics with any number of arguments of the same type, 1915 /// equal to the return type. The type should be simple (no aggregates or 1916 /// pointers; vectors are fine). 1917 /// Caller guarantees that this intrinsic does not access memory. 1918 bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) { 1919 Type *RetTy = I.getType(); 1920 if (!(RetTy->isIntOrIntVectorTy() || 1921 RetTy->isFPOrFPVectorTy() || 1922 RetTy->isX86_MMXTy())) 1923 return false; 1924 1925 unsigned NumArgOperands = I.getNumArgOperands(); 1926 1927 for (unsigned i = 0; i < NumArgOperands; ++i) { 1928 Type *Ty = I.getArgOperand(i)->getType(); 1929 if (Ty != RetTy) 1930 return false; 1931 } 1932 1933 IRBuilder<> IRB(&I); 1934 ShadowAndOriginCombiner SC(this, IRB); 1935 for (unsigned i = 0; i < NumArgOperands; ++i) 1936 SC.Add(I.getArgOperand(i)); 1937 SC.Done(&I); 1938 1939 return true; 1940 } 1941 1942 /// \brief Heuristically instrument unknown intrinsics. 1943 /// 1944 /// The main purpose of this code is to do something reasonable with all 1945 /// random intrinsics we might encounter, most importantly - SIMD intrinsics. 1946 /// We recognize several classes of intrinsics by their argument types and 1947 /// ModRefBehaviour and apply special intrumentation when we are reasonably 1948 /// sure that we know what the intrinsic does. 1949 /// 1950 /// We special-case intrinsics where this approach fails. See llvm.bswap 1951 /// handling as an example of that. 1952 bool handleUnknownIntrinsic(IntrinsicInst &I) { 1953 unsigned NumArgOperands = I.getNumArgOperands(); 1954 if (NumArgOperands == 0) 1955 return false; 1956 1957 Intrinsic::ID iid = I.getIntrinsicID(); 1958 IntrinsicKind IK = getIntrinsicKind(iid); 1959 bool OnlyReadsMemory = IK == IK_OnlyReadsMemory; 1960 bool WritesMemory = IK == IK_WritesMemory; 1961 assert(!(OnlyReadsMemory && WritesMemory)); 1962 1963 if (NumArgOperands == 2 && 1964 I.getArgOperand(0)->getType()->isPointerTy() && 1965 I.getArgOperand(1)->getType()->isVectorTy() && 1966 I.getType()->isVoidTy() && 1967 WritesMemory) { 1968 // This looks like a vector store. 1969 return handleVectorStoreIntrinsic(I); 1970 } 1971 1972 if (NumArgOperands == 1 && 1973 I.getArgOperand(0)->getType()->isPointerTy() && 1974 I.getType()->isVectorTy() && 1975 OnlyReadsMemory) { 1976 // This looks like a vector load. 1977 return handleVectorLoadIntrinsic(I); 1978 } 1979 1980 if (!OnlyReadsMemory && !WritesMemory) 1981 if (maybeHandleSimpleNomemIntrinsic(I)) 1982 return true; 1983 1984 // FIXME: detect and handle SSE maskstore/maskload 1985 return false; 1986 } 1987 1988 void handleBswap(IntrinsicInst &I) { 1989 IRBuilder<> IRB(&I); 1990 Value *Op = I.getArgOperand(0); 1991 Type *OpType = Op->getType(); 1992 Function *BswapFunc = Intrinsic::getDeclaration( 1993 F.getParent(), Intrinsic::bswap, makeArrayRef(&OpType, 1)); 1994 setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op))); 1995 setOrigin(&I, getOrigin(Op)); 1996 } 1997 1998 // \brief Instrument vector convert instrinsic. 1999 // 2000 // This function instruments intrinsics like cvtsi2ss: 2001 // %Out = int_xxx_cvtyyy(%ConvertOp) 2002 // or 2003 // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp) 2004 // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same 2005 // number \p Out elements, and (if has 2 arguments) copies the rest of the 2006 // elements from \p CopyOp. 2007 // In most cases conversion involves floating-point value which may trigger a 2008 // hardware exception when not fully initialized. For this reason we require 2009 // \p ConvertOp[0:NumUsedElements] to be fully initialized and trap otherwise. 2010 // We copy the shadow of \p CopyOp[NumUsedElements:] to \p 2011 // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always 2012 // return a fully initialized value. 2013 void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements) { 2014 IRBuilder<> IRB(&I); 2015 Value *CopyOp, *ConvertOp; 2016 2017 switch (I.getNumArgOperands()) { 2018 case 2: 2019 CopyOp = I.getArgOperand(0); 2020 ConvertOp = I.getArgOperand(1); 2021 break; 2022 case 1: 2023 ConvertOp = I.getArgOperand(0); 2024 CopyOp = nullptr; 2025 break; 2026 default: 2027 llvm_unreachable("Cvt intrinsic with unsupported number of arguments."); 2028 } 2029 2030 // The first *NumUsedElements* elements of ConvertOp are converted to the 2031 // same number of output elements. The rest of the output is copied from 2032 // CopyOp, or (if not available) filled with zeroes. 2033 // Combine shadow for elements of ConvertOp that are used in this operation, 2034 // and insert a check. 2035 // FIXME: consider propagating shadow of ConvertOp, at least in the case of 2036 // int->any conversion. 2037 Value *ConvertShadow = getShadow(ConvertOp); 2038 Value *AggShadow = nullptr; 2039 if (ConvertOp->getType()->isVectorTy()) { 2040 AggShadow = IRB.CreateExtractElement( 2041 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0)); 2042 for (int i = 1; i < NumUsedElements; ++i) { 2043 Value *MoreShadow = IRB.CreateExtractElement( 2044 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i)); 2045 AggShadow = IRB.CreateOr(AggShadow, MoreShadow); 2046 } 2047 } else { 2048 AggShadow = ConvertShadow; 2049 } 2050 assert(AggShadow->getType()->isIntegerTy()); 2051 insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I); 2052 2053 // Build result shadow by zero-filling parts of CopyOp shadow that come from 2054 // ConvertOp. 2055 if (CopyOp) { 2056 assert(CopyOp->getType() == I.getType()); 2057 assert(CopyOp->getType()->isVectorTy()); 2058 Value *ResultShadow = getShadow(CopyOp); 2059 Type *EltTy = ResultShadow->getType()->getVectorElementType(); 2060 for (int i = 0; i < NumUsedElements; ++i) { 2061 ResultShadow = IRB.CreateInsertElement( 2062 ResultShadow, ConstantInt::getNullValue(EltTy), 2063 ConstantInt::get(IRB.getInt32Ty(), i)); 2064 } 2065 setShadow(&I, ResultShadow); 2066 setOrigin(&I, getOrigin(CopyOp)); 2067 } else { 2068 setShadow(&I, getCleanShadow(&I)); 2069 setOrigin(&I, getCleanOrigin()); 2070 } 2071 } 2072 2073 // Given a scalar or vector, extract lower 64 bits (or less), and return all 2074 // zeroes if it is zero, and all ones otherwise. 2075 Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) { 2076 if (S->getType()->isVectorTy()) 2077 S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true); 2078 assert(S->getType()->getPrimitiveSizeInBits() <= 64); 2079 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S)); 2080 return CreateShadowCast(IRB, S2, T, /* Signed */ true); 2081 } 2082 2083 Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) { 2084 Type *T = S->getType(); 2085 assert(T->isVectorTy()); 2086 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S)); 2087 return IRB.CreateSExt(S2, T); 2088 } 2089 2090 // \brief Instrument vector shift instrinsic. 2091 // 2092 // This function instruments intrinsics like int_x86_avx2_psll_w. 2093 // Intrinsic shifts %In by %ShiftSize bits. 2094 // %ShiftSize may be a vector. In that case the lower 64 bits determine shift 2095 // size, and the rest is ignored. Behavior is defined even if shift size is 2096 // greater than register (or field) width. 2097 void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) { 2098 assert(I.getNumArgOperands() == 2); 2099 IRBuilder<> IRB(&I); 2100 // If any of the S2 bits are poisoned, the whole thing is poisoned. 2101 // Otherwise perform the same shift on S1. 2102 Value *S1 = getShadow(&I, 0); 2103 Value *S2 = getShadow(&I, 1); 2104 Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2) 2105 : Lower64ShadowExtend(IRB, S2, getShadowTy(&I)); 2106 Value *V1 = I.getOperand(0); 2107 Value *V2 = I.getOperand(1); 2108 Value *Shift = IRB.CreateCall2(I.getCalledValue(), 2109 IRB.CreateBitCast(S1, V1->getType()), V2); 2110 Shift = IRB.CreateBitCast(Shift, getShadowTy(&I)); 2111 setShadow(&I, IRB.CreateOr(Shift, S2Conv)); 2112 setOriginForNaryOp(I); 2113 } 2114 2115 // \brief Get an X86_MMX-sized vector type. 2116 Type *getMMXVectorTy(unsigned EltSizeInBits) { 2117 const unsigned X86_MMXSizeInBits = 64; 2118 return VectorType::get(IntegerType::get(*MS.C, EltSizeInBits), 2119 X86_MMXSizeInBits / EltSizeInBits); 2120 } 2121 2122 // \brief Returns a signed counterpart for an (un)signed-saturate-and-pack 2123 // intrinsic. 2124 Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) { 2125 switch (id) { 2126 case llvm::Intrinsic::x86_sse2_packsswb_128: 2127 case llvm::Intrinsic::x86_sse2_packuswb_128: 2128 return llvm::Intrinsic::x86_sse2_packsswb_128; 2129 2130 case llvm::Intrinsic::x86_sse2_packssdw_128: 2131 case llvm::Intrinsic::x86_sse41_packusdw: 2132 return llvm::Intrinsic::x86_sse2_packssdw_128; 2133 2134 case llvm::Intrinsic::x86_avx2_packsswb: 2135 case llvm::Intrinsic::x86_avx2_packuswb: 2136 return llvm::Intrinsic::x86_avx2_packsswb; 2137 2138 case llvm::Intrinsic::x86_avx2_packssdw: 2139 case llvm::Intrinsic::x86_avx2_packusdw: 2140 return llvm::Intrinsic::x86_avx2_packssdw; 2141 2142 case llvm::Intrinsic::x86_mmx_packsswb: 2143 case llvm::Intrinsic::x86_mmx_packuswb: 2144 return llvm::Intrinsic::x86_mmx_packsswb; 2145 2146 case llvm::Intrinsic::x86_mmx_packssdw: 2147 return llvm::Intrinsic::x86_mmx_packssdw; 2148 default: 2149 llvm_unreachable("unexpected intrinsic id"); 2150 } 2151 } 2152 2153 // \brief Instrument vector pack instrinsic. 2154 // 2155 // This function instruments intrinsics like x86_mmx_packsswb, that 2156 // packs elements of 2 input vectors into half as many bits with saturation. 2157 // Shadow is propagated with the signed variant of the same intrinsic applied 2158 // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer). 2159 // EltSizeInBits is used only for x86mmx arguments. 2160 void handleVectorPackIntrinsic(IntrinsicInst &I, unsigned EltSizeInBits = 0) { 2161 assert(I.getNumArgOperands() == 2); 2162 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy(); 2163 IRBuilder<> IRB(&I); 2164 Value *S1 = getShadow(&I, 0); 2165 Value *S2 = getShadow(&I, 1); 2166 assert(isX86_MMX || S1->getType()->isVectorTy()); 2167 2168 // SExt and ICmpNE below must apply to individual elements of input vectors. 2169 // In case of x86mmx arguments, cast them to appropriate vector types and 2170 // back. 2171 Type *T = isX86_MMX ? getMMXVectorTy(EltSizeInBits) : S1->getType(); 2172 if (isX86_MMX) { 2173 S1 = IRB.CreateBitCast(S1, T); 2174 S2 = IRB.CreateBitCast(S2, T); 2175 } 2176 Value *S1_ext = IRB.CreateSExt( 2177 IRB.CreateICmpNE(S1, llvm::Constant::getNullValue(T)), T); 2178 Value *S2_ext = IRB.CreateSExt( 2179 IRB.CreateICmpNE(S2, llvm::Constant::getNullValue(T)), T); 2180 if (isX86_MMX) { 2181 Type *X86_MMXTy = Type::getX86_MMXTy(*MS.C); 2182 S1_ext = IRB.CreateBitCast(S1_ext, X86_MMXTy); 2183 S2_ext = IRB.CreateBitCast(S2_ext, X86_MMXTy); 2184 } 2185 2186 Function *ShadowFn = Intrinsic::getDeclaration( 2187 F.getParent(), getSignedPackIntrinsic(I.getIntrinsicID())); 2188 2189 Value *S = IRB.CreateCall2(ShadowFn, S1_ext, S2_ext, "_msprop_vector_pack"); 2190 if (isX86_MMX) S = IRB.CreateBitCast(S, getShadowTy(&I)); 2191 setShadow(&I, S); 2192 setOriginForNaryOp(I); 2193 } 2194 2195 // \brief Instrument sum-of-absolute-differencies intrinsic. 2196 void handleVectorSadIntrinsic(IntrinsicInst &I) { 2197 const unsigned SignificantBitsPerResultElement = 16; 2198 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy(); 2199 Type *ResTy = isX86_MMX ? IntegerType::get(*MS.C, 64) : I.getType(); 2200 unsigned ZeroBitsPerResultElement = 2201 ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement; 2202 2203 IRBuilder<> IRB(&I); 2204 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1)); 2205 S = IRB.CreateBitCast(S, ResTy); 2206 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)), 2207 ResTy); 2208 S = IRB.CreateLShr(S, ZeroBitsPerResultElement); 2209 S = IRB.CreateBitCast(S, getShadowTy(&I)); 2210 setShadow(&I, S); 2211 setOriginForNaryOp(I); 2212 } 2213 2214 // \brief Instrument multiply-add intrinsic. 2215 void handleVectorPmaddIntrinsic(IntrinsicInst &I, 2216 unsigned EltSizeInBits = 0) { 2217 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy(); 2218 Type *ResTy = isX86_MMX ? getMMXVectorTy(EltSizeInBits * 2) : I.getType(); 2219 IRBuilder<> IRB(&I); 2220 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1)); 2221 S = IRB.CreateBitCast(S, ResTy); 2222 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)), 2223 ResTy); 2224 S = IRB.CreateBitCast(S, getShadowTy(&I)); 2225 setShadow(&I, S); 2226 setOriginForNaryOp(I); 2227 } 2228 2229 void visitIntrinsicInst(IntrinsicInst &I) { 2230 switch (I.getIntrinsicID()) { 2231 case llvm::Intrinsic::bswap: 2232 handleBswap(I); 2233 break; 2234 case llvm::Intrinsic::x86_avx512_cvtsd2usi64: 2235 case llvm::Intrinsic::x86_avx512_cvtsd2usi: 2236 case llvm::Intrinsic::x86_avx512_cvtss2usi64: 2237 case llvm::Intrinsic::x86_avx512_cvtss2usi: 2238 case llvm::Intrinsic::x86_avx512_cvttss2usi64: 2239 case llvm::Intrinsic::x86_avx512_cvttss2usi: 2240 case llvm::Intrinsic::x86_avx512_cvttsd2usi64: 2241 case llvm::Intrinsic::x86_avx512_cvttsd2usi: 2242 case llvm::Intrinsic::x86_avx512_cvtusi2sd: 2243 case llvm::Intrinsic::x86_avx512_cvtusi2ss: 2244 case llvm::Intrinsic::x86_avx512_cvtusi642sd: 2245 case llvm::Intrinsic::x86_avx512_cvtusi642ss: 2246 case llvm::Intrinsic::x86_sse2_cvtsd2si64: 2247 case llvm::Intrinsic::x86_sse2_cvtsd2si: 2248 case llvm::Intrinsic::x86_sse2_cvtsd2ss: 2249 case llvm::Intrinsic::x86_sse2_cvtsi2sd: 2250 case llvm::Intrinsic::x86_sse2_cvtsi642sd: 2251 case llvm::Intrinsic::x86_sse2_cvtss2sd: 2252 case llvm::Intrinsic::x86_sse2_cvttsd2si64: 2253 case llvm::Intrinsic::x86_sse2_cvttsd2si: 2254 case llvm::Intrinsic::x86_sse_cvtsi2ss: 2255 case llvm::Intrinsic::x86_sse_cvtsi642ss: 2256 case llvm::Intrinsic::x86_sse_cvtss2si64: 2257 case llvm::Intrinsic::x86_sse_cvtss2si: 2258 case llvm::Intrinsic::x86_sse_cvttss2si64: 2259 case llvm::Intrinsic::x86_sse_cvttss2si: 2260 handleVectorConvertIntrinsic(I, 1); 2261 break; 2262 case llvm::Intrinsic::x86_sse2_cvtdq2pd: 2263 case llvm::Intrinsic::x86_sse2_cvtps2pd: 2264 case llvm::Intrinsic::x86_sse_cvtps2pi: 2265 case llvm::Intrinsic::x86_sse_cvttps2pi: 2266 handleVectorConvertIntrinsic(I, 2); 2267 break; 2268 case llvm::Intrinsic::x86_avx2_psll_w: 2269 case llvm::Intrinsic::x86_avx2_psll_d: 2270 case llvm::Intrinsic::x86_avx2_psll_q: 2271 case llvm::Intrinsic::x86_avx2_pslli_w: 2272 case llvm::Intrinsic::x86_avx2_pslli_d: 2273 case llvm::Intrinsic::x86_avx2_pslli_q: 2274 case llvm::Intrinsic::x86_avx2_psrl_w: 2275 case llvm::Intrinsic::x86_avx2_psrl_d: 2276 case llvm::Intrinsic::x86_avx2_psrl_q: 2277 case llvm::Intrinsic::x86_avx2_psra_w: 2278 case llvm::Intrinsic::x86_avx2_psra_d: 2279 case llvm::Intrinsic::x86_avx2_psrli_w: 2280 case llvm::Intrinsic::x86_avx2_psrli_d: 2281 case llvm::Intrinsic::x86_avx2_psrli_q: 2282 case llvm::Intrinsic::x86_avx2_psrai_w: 2283 case llvm::Intrinsic::x86_avx2_psrai_d: 2284 case llvm::Intrinsic::x86_sse2_psll_w: 2285 case llvm::Intrinsic::x86_sse2_psll_d: 2286 case llvm::Intrinsic::x86_sse2_psll_q: 2287 case llvm::Intrinsic::x86_sse2_pslli_w: 2288 case llvm::Intrinsic::x86_sse2_pslli_d: 2289 case llvm::Intrinsic::x86_sse2_pslli_q: 2290 case llvm::Intrinsic::x86_sse2_psrl_w: 2291 case llvm::Intrinsic::x86_sse2_psrl_d: 2292 case llvm::Intrinsic::x86_sse2_psrl_q: 2293 case llvm::Intrinsic::x86_sse2_psra_w: 2294 case llvm::Intrinsic::x86_sse2_psra_d: 2295 case llvm::Intrinsic::x86_sse2_psrli_w: 2296 case llvm::Intrinsic::x86_sse2_psrli_d: 2297 case llvm::Intrinsic::x86_sse2_psrli_q: 2298 case llvm::Intrinsic::x86_sse2_psrai_w: 2299 case llvm::Intrinsic::x86_sse2_psrai_d: 2300 case llvm::Intrinsic::x86_mmx_psll_w: 2301 case llvm::Intrinsic::x86_mmx_psll_d: 2302 case llvm::Intrinsic::x86_mmx_psll_q: 2303 case llvm::Intrinsic::x86_mmx_pslli_w: 2304 case llvm::Intrinsic::x86_mmx_pslli_d: 2305 case llvm::Intrinsic::x86_mmx_pslli_q: 2306 case llvm::Intrinsic::x86_mmx_psrl_w: 2307 case llvm::Intrinsic::x86_mmx_psrl_d: 2308 case llvm::Intrinsic::x86_mmx_psrl_q: 2309 case llvm::Intrinsic::x86_mmx_psra_w: 2310 case llvm::Intrinsic::x86_mmx_psra_d: 2311 case llvm::Intrinsic::x86_mmx_psrli_w: 2312 case llvm::Intrinsic::x86_mmx_psrli_d: 2313 case llvm::Intrinsic::x86_mmx_psrli_q: 2314 case llvm::Intrinsic::x86_mmx_psrai_w: 2315 case llvm::Intrinsic::x86_mmx_psrai_d: 2316 handleVectorShiftIntrinsic(I, /* Variable */ false); 2317 break; 2318 case llvm::Intrinsic::x86_avx2_psllv_d: 2319 case llvm::Intrinsic::x86_avx2_psllv_d_256: 2320 case llvm::Intrinsic::x86_avx2_psllv_q: 2321 case llvm::Intrinsic::x86_avx2_psllv_q_256: 2322 case llvm::Intrinsic::x86_avx2_psrlv_d: 2323 case llvm::Intrinsic::x86_avx2_psrlv_d_256: 2324 case llvm::Intrinsic::x86_avx2_psrlv_q: 2325 case llvm::Intrinsic::x86_avx2_psrlv_q_256: 2326 case llvm::Intrinsic::x86_avx2_psrav_d: 2327 case llvm::Intrinsic::x86_avx2_psrav_d_256: 2328 handleVectorShiftIntrinsic(I, /* Variable */ true); 2329 break; 2330 2331 case llvm::Intrinsic::x86_sse2_packsswb_128: 2332 case llvm::Intrinsic::x86_sse2_packssdw_128: 2333 case llvm::Intrinsic::x86_sse2_packuswb_128: 2334 case llvm::Intrinsic::x86_sse41_packusdw: 2335 case llvm::Intrinsic::x86_avx2_packsswb: 2336 case llvm::Intrinsic::x86_avx2_packssdw: 2337 case llvm::Intrinsic::x86_avx2_packuswb: 2338 case llvm::Intrinsic::x86_avx2_packusdw: 2339 handleVectorPackIntrinsic(I); 2340 break; 2341 2342 case llvm::Intrinsic::x86_mmx_packsswb: 2343 case llvm::Intrinsic::x86_mmx_packuswb: 2344 handleVectorPackIntrinsic(I, 16); 2345 break; 2346 2347 case llvm::Intrinsic::x86_mmx_packssdw: 2348 handleVectorPackIntrinsic(I, 32); 2349 break; 2350 2351 case llvm::Intrinsic::x86_mmx_psad_bw: 2352 case llvm::Intrinsic::x86_sse2_psad_bw: 2353 case llvm::Intrinsic::x86_avx2_psad_bw: 2354 handleVectorSadIntrinsic(I); 2355 break; 2356 2357 case llvm::Intrinsic::x86_sse2_pmadd_wd: 2358 case llvm::Intrinsic::x86_avx2_pmadd_wd: 2359 case llvm::Intrinsic::x86_ssse3_pmadd_ub_sw_128: 2360 case llvm::Intrinsic::x86_avx2_pmadd_ub_sw: 2361 handleVectorPmaddIntrinsic(I); 2362 break; 2363 2364 case llvm::Intrinsic::x86_ssse3_pmadd_ub_sw: 2365 handleVectorPmaddIntrinsic(I, 8); 2366 break; 2367 2368 case llvm::Intrinsic::x86_mmx_pmadd_wd: 2369 handleVectorPmaddIntrinsic(I, 16); 2370 break; 2371 2372 default: 2373 if (!handleUnknownIntrinsic(I)) 2374 visitInstruction(I); 2375 break; 2376 } 2377 } 2378 2379 void visitCallSite(CallSite CS) { 2380 Instruction &I = *CS.getInstruction(); 2381 assert((CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite"); 2382 if (CS.isCall()) { 2383 CallInst *Call = cast<CallInst>(&I); 2384 2385 // For inline asm, do the usual thing: check argument shadow and mark all 2386 // outputs as clean. Note that any side effects of the inline asm that are 2387 // not immediately visible in its constraints are not handled. 2388 if (Call->isInlineAsm()) { 2389 visitInstruction(I); 2390 return; 2391 } 2392 2393 assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere"); 2394 2395 // We are going to insert code that relies on the fact that the callee 2396 // will become a non-readonly function after it is instrumented by us. To 2397 // prevent this code from being optimized out, mark that function 2398 // non-readonly in advance. 2399 if (Function *Func = Call->getCalledFunction()) { 2400 // Clear out readonly/readnone attributes. 2401 AttrBuilder B; 2402 B.addAttribute(Attribute::ReadOnly) 2403 .addAttribute(Attribute::ReadNone); 2404 Func->removeAttributes(AttributeSet::FunctionIndex, 2405 AttributeSet::get(Func->getContext(), 2406 AttributeSet::FunctionIndex, 2407 B)); 2408 } 2409 } 2410 IRBuilder<> IRB(&I); 2411 2412 unsigned ArgOffset = 0; 2413 DEBUG(dbgs() << " CallSite: " << I << "\n"); 2414 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 2415 ArgIt != End; ++ArgIt) { 2416 Value *A = *ArgIt; 2417 unsigned i = ArgIt - CS.arg_begin(); 2418 if (!A->getType()->isSized()) { 2419 DEBUG(dbgs() << "Arg " << i << " is not sized: " << I << "\n"); 2420 continue; 2421 } 2422 unsigned Size = 0; 2423 Value *Store = nullptr; 2424 // Compute the Shadow for arg even if it is ByVal, because 2425 // in that case getShadow() will copy the actual arg shadow to 2426 // __msan_param_tls. 2427 Value *ArgShadow = getShadow(A); 2428 Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset); 2429 DEBUG(dbgs() << " Arg#" << i << ": " << *A << 2430 " Shadow: " << *ArgShadow << "\n"); 2431 bool ArgIsInitialized = false; 2432 const DataLayout &DL = F.getParent()->getDataLayout(); 2433 if (CS.paramHasAttr(i + 1, Attribute::ByVal)) { 2434 assert(A->getType()->isPointerTy() && 2435 "ByVal argument is not a pointer!"); 2436 Size = DL.getTypeAllocSize(A->getType()->getPointerElementType()); 2437 if (ArgOffset + Size > kParamTLSSize) break; 2438 unsigned ParamAlignment = CS.getParamAlignment(i + 1); 2439 unsigned Alignment = std::min(ParamAlignment, kShadowTLSAlignment); 2440 Store = IRB.CreateMemCpy(ArgShadowBase, 2441 getShadowPtr(A, Type::getInt8Ty(*MS.C), IRB), 2442 Size, Alignment); 2443 } else { 2444 Size = DL.getTypeAllocSize(A->getType()); 2445 if (ArgOffset + Size > kParamTLSSize) break; 2446 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase, 2447 kShadowTLSAlignment); 2448 Constant *Cst = dyn_cast<Constant>(ArgShadow); 2449 if (Cst && Cst->isNullValue()) ArgIsInitialized = true; 2450 } 2451 if (MS.TrackOrigins && !ArgIsInitialized) 2452 IRB.CreateStore(getOrigin(A), 2453 getOriginPtrForArgument(A, IRB, ArgOffset)); 2454 (void)Store; 2455 assert(Size != 0 && Store != nullptr); 2456 DEBUG(dbgs() << " Param:" << *Store << "\n"); 2457 ArgOffset += RoundUpToAlignment(Size, 8); 2458 } 2459 DEBUG(dbgs() << " done with call args\n"); 2460 2461 FunctionType *FT = 2462 cast<FunctionType>(CS.getCalledValue()->getType()->getContainedType(0)); 2463 if (FT->isVarArg()) { 2464 VAHelper->visitCallSite(CS, IRB); 2465 } 2466 2467 // Now, get the shadow for the RetVal. 2468 if (!I.getType()->isSized()) return; 2469 IRBuilder<> IRBBefore(&I); 2470 // Until we have full dynamic coverage, make sure the retval shadow is 0. 2471 Value *Base = getShadowPtrForRetval(&I, IRBBefore); 2472 IRBBefore.CreateAlignedStore(getCleanShadow(&I), Base, kShadowTLSAlignment); 2473 Instruction *NextInsn = nullptr; 2474 if (CS.isCall()) { 2475 NextInsn = I.getNextNode(); 2476 } else { 2477 BasicBlock *NormalDest = cast<InvokeInst>(&I)->getNormalDest(); 2478 if (!NormalDest->getSinglePredecessor()) { 2479 // FIXME: this case is tricky, so we are just conservative here. 2480 // Perhaps we need to split the edge between this BB and NormalDest, 2481 // but a naive attempt to use SplitEdge leads to a crash. 2482 setShadow(&I, getCleanShadow(&I)); 2483 setOrigin(&I, getCleanOrigin()); 2484 return; 2485 } 2486 NextInsn = NormalDest->getFirstInsertionPt(); 2487 assert(NextInsn && 2488 "Could not find insertion point for retval shadow load"); 2489 } 2490 IRBuilder<> IRBAfter(NextInsn); 2491 Value *RetvalShadow = 2492 IRBAfter.CreateAlignedLoad(getShadowPtrForRetval(&I, IRBAfter), 2493 kShadowTLSAlignment, "_msret"); 2494 setShadow(&I, RetvalShadow); 2495 if (MS.TrackOrigins) 2496 setOrigin(&I, IRBAfter.CreateLoad(getOriginPtrForRetval(IRBAfter))); 2497 } 2498 2499 void visitReturnInst(ReturnInst &I) { 2500 IRBuilder<> IRB(&I); 2501 Value *RetVal = I.getReturnValue(); 2502 if (!RetVal) return; 2503 Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB); 2504 if (CheckReturnValue) { 2505 insertShadowCheck(RetVal, &I); 2506 Value *Shadow = getCleanShadow(RetVal); 2507 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment); 2508 } else { 2509 Value *Shadow = getShadow(RetVal); 2510 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment); 2511 // FIXME: make it conditional if ClStoreCleanOrigin==0 2512 if (MS.TrackOrigins) 2513 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB)); 2514 } 2515 } 2516 2517 void visitPHINode(PHINode &I) { 2518 IRBuilder<> IRB(&I); 2519 if (!PropagateShadow) { 2520 setShadow(&I, getCleanShadow(&I)); 2521 setOrigin(&I, getCleanOrigin()); 2522 return; 2523 } 2524 2525 ShadowPHINodes.push_back(&I); 2526 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(), 2527 "_msphi_s")); 2528 if (MS.TrackOrigins) 2529 setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), 2530 "_msphi_o")); 2531 } 2532 2533 void visitAllocaInst(AllocaInst &I) { 2534 setShadow(&I, getCleanShadow(&I)); 2535 setOrigin(&I, getCleanOrigin()); 2536 IRBuilder<> IRB(I.getNextNode()); 2537 const DataLayout &DL = F.getParent()->getDataLayout(); 2538 uint64_t Size = DL.getTypeAllocSize(I.getAllocatedType()); 2539 if (PoisonStack && ClPoisonStackWithCall) { 2540 IRB.CreateCall2(MS.MsanPoisonStackFn, 2541 IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 2542 ConstantInt::get(MS.IntptrTy, Size)); 2543 } else { 2544 Value *ShadowBase = getShadowPtr(&I, Type::getInt8PtrTy(*MS.C), IRB); 2545 Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0); 2546 IRB.CreateMemSet(ShadowBase, PoisonValue, Size, I.getAlignment()); 2547 } 2548 2549 if (PoisonStack && MS.TrackOrigins) { 2550 SmallString<2048> StackDescriptionStorage; 2551 raw_svector_ostream StackDescription(StackDescriptionStorage); 2552 // We create a string with a description of the stack allocation and 2553 // pass it into __msan_set_alloca_origin. 2554 // It will be printed by the run-time if stack-originated UMR is found. 2555 // The first 4 bytes of the string are set to '----' and will be replaced 2556 // by __msan_va_arg_overflow_size_tls at the first call. 2557 StackDescription << "----" << I.getName() << "@" << F.getName(); 2558 Value *Descr = 2559 createPrivateNonConstGlobalForString(*F.getParent(), 2560 StackDescription.str()); 2561 2562 IRB.CreateCall4(MS.MsanSetAllocaOrigin4Fn, 2563 IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), 2564 ConstantInt::get(MS.IntptrTy, Size), 2565 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()), 2566 IRB.CreatePointerCast(&F, MS.IntptrTy)); 2567 } 2568 } 2569 2570 void visitSelectInst(SelectInst& I) { 2571 IRBuilder<> IRB(&I); 2572 // a = select b, c, d 2573 Value *B = I.getCondition(); 2574 Value *C = I.getTrueValue(); 2575 Value *D = I.getFalseValue(); 2576 Value *Sb = getShadow(B); 2577 Value *Sc = getShadow(C); 2578 Value *Sd = getShadow(D); 2579 2580 // Result shadow if condition shadow is 0. 2581 Value *Sa0 = IRB.CreateSelect(B, Sc, Sd); 2582 Value *Sa1; 2583 if (I.getType()->isAggregateType()) { 2584 // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do 2585 // an extra "select". This results in much more compact IR. 2586 // Sa = select Sb, poisoned, (select b, Sc, Sd) 2587 Sa1 = getPoisonedShadow(getShadowTy(I.getType())); 2588 } else { 2589 // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ] 2590 // If Sb (condition is poisoned), look for bits in c and d that are equal 2591 // and both unpoisoned. 2592 // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd. 2593 2594 // Cast arguments to shadow-compatible type. 2595 C = CreateAppToShadowCast(IRB, C); 2596 D = CreateAppToShadowCast(IRB, D); 2597 2598 // Result shadow if condition shadow is 1. 2599 Sa1 = IRB.CreateOr(IRB.CreateXor(C, D), IRB.CreateOr(Sc, Sd)); 2600 } 2601 Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select"); 2602 setShadow(&I, Sa); 2603 if (MS.TrackOrigins) { 2604 // Origins are always i32, so any vector conditions must be flattened. 2605 // FIXME: consider tracking vector origins for app vectors? 2606 if (B->getType()->isVectorTy()) { 2607 Type *FlatTy = getShadowTyNoVec(B->getType()); 2608 B = IRB.CreateICmpNE(IRB.CreateBitCast(B, FlatTy), 2609 ConstantInt::getNullValue(FlatTy)); 2610 Sb = IRB.CreateICmpNE(IRB.CreateBitCast(Sb, FlatTy), 2611 ConstantInt::getNullValue(FlatTy)); 2612 } 2613 // a = select b, c, d 2614 // Oa = Sb ? Ob : (b ? Oc : Od) 2615 setOrigin( 2616 &I, IRB.CreateSelect(Sb, getOrigin(I.getCondition()), 2617 IRB.CreateSelect(B, getOrigin(I.getTrueValue()), 2618 getOrigin(I.getFalseValue())))); 2619 } 2620 } 2621 2622 void visitLandingPadInst(LandingPadInst &I) { 2623 // Do nothing. 2624 // See http://code.google.com/p/memory-sanitizer/issues/detail?id=1 2625 setShadow(&I, getCleanShadow(&I)); 2626 setOrigin(&I, getCleanOrigin()); 2627 } 2628 2629 void visitGetElementPtrInst(GetElementPtrInst &I) { 2630 handleShadowOr(I); 2631 } 2632 2633 void visitExtractValueInst(ExtractValueInst &I) { 2634 IRBuilder<> IRB(&I); 2635 Value *Agg = I.getAggregateOperand(); 2636 DEBUG(dbgs() << "ExtractValue: " << I << "\n"); 2637 Value *AggShadow = getShadow(Agg); 2638 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 2639 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices()); 2640 DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n"); 2641 setShadow(&I, ResShadow); 2642 setOriginForNaryOp(I); 2643 } 2644 2645 void visitInsertValueInst(InsertValueInst &I) { 2646 IRBuilder<> IRB(&I); 2647 DEBUG(dbgs() << "InsertValue: " << I << "\n"); 2648 Value *AggShadow = getShadow(I.getAggregateOperand()); 2649 Value *InsShadow = getShadow(I.getInsertedValueOperand()); 2650 DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n"); 2651 DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n"); 2652 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices()); 2653 DEBUG(dbgs() << " Res: " << *Res << "\n"); 2654 setShadow(&I, Res); 2655 setOriginForNaryOp(I); 2656 } 2657 2658 void dumpInst(Instruction &I) { 2659 if (CallInst *CI = dyn_cast<CallInst>(&I)) { 2660 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n"; 2661 } else { 2662 errs() << "ZZZ " << I.getOpcodeName() << "\n"; 2663 } 2664 errs() << "QQQ " << I << "\n"; 2665 } 2666 2667 void visitResumeInst(ResumeInst &I) { 2668 DEBUG(dbgs() << "Resume: " << I << "\n"); 2669 // Nothing to do here. 2670 } 2671 2672 void visitInstruction(Instruction &I) { 2673 // Everything else: stop propagating and check for poisoned shadow. 2674 if (ClDumpStrictInstructions) 2675 dumpInst(I); 2676 DEBUG(dbgs() << "DEFAULT: " << I << "\n"); 2677 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) 2678 insertShadowCheck(I.getOperand(i), &I); 2679 setShadow(&I, getCleanShadow(&I)); 2680 setOrigin(&I, getCleanOrigin()); 2681 } 2682 }; 2683 2684 /// \brief AMD64-specific implementation of VarArgHelper. 2685 struct VarArgAMD64Helper : public VarArgHelper { 2686 // An unfortunate workaround for asymmetric lowering of va_arg stuff. 2687 // See a comment in visitCallSite for more details. 2688 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7 2689 static const unsigned AMD64FpEndOffset = 176; 2690 2691 Function &F; 2692 MemorySanitizer &MS; 2693 MemorySanitizerVisitor &MSV; 2694 Value *VAArgTLSCopy; 2695 Value *VAArgOverflowSize; 2696 2697 SmallVector<CallInst*, 16> VAStartInstrumentationList; 2698 2699 VarArgAMD64Helper(Function &F, MemorySanitizer &MS, 2700 MemorySanitizerVisitor &MSV) 2701 : F(F), MS(MS), MSV(MSV), VAArgTLSCopy(nullptr), 2702 VAArgOverflowSize(nullptr) {} 2703 2704 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory }; 2705 2706 ArgKind classifyArgument(Value* arg) { 2707 // A very rough approximation of X86_64 argument classification rules. 2708 Type *T = arg->getType(); 2709 if (T->isFPOrFPVectorTy() || T->isX86_MMXTy()) 2710 return AK_FloatingPoint; 2711 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64) 2712 return AK_GeneralPurpose; 2713 if (T->isPointerTy()) 2714 return AK_GeneralPurpose; 2715 return AK_Memory; 2716 } 2717 2718 // For VarArg functions, store the argument shadow in an ABI-specific format 2719 // that corresponds to va_list layout. 2720 // We do this because Clang lowers va_arg in the frontend, and this pass 2721 // only sees the low level code that deals with va_list internals. 2722 // A much easier alternative (provided that Clang emits va_arg instructions) 2723 // would have been to associate each live instance of va_list with a copy of 2724 // MSanParamTLS, and extract shadow on va_arg() call in the argument list 2725 // order. 2726 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override { 2727 unsigned GpOffset = 0; 2728 unsigned FpOffset = AMD64GpEndOffset; 2729 unsigned OverflowOffset = AMD64FpEndOffset; 2730 const DataLayout &DL = F.getParent()->getDataLayout(); 2731 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end(); 2732 ArgIt != End; ++ArgIt) { 2733 Value *A = *ArgIt; 2734 unsigned ArgNo = CS.getArgumentNo(ArgIt); 2735 bool IsByVal = CS.paramHasAttr(ArgNo + 1, Attribute::ByVal); 2736 if (IsByVal) { 2737 // ByVal arguments always go to the overflow area. 2738 assert(A->getType()->isPointerTy()); 2739 Type *RealTy = A->getType()->getPointerElementType(); 2740 uint64_t ArgSize = DL.getTypeAllocSize(RealTy); 2741 Value *Base = getShadowPtrForVAArgument(RealTy, IRB, OverflowOffset); 2742 OverflowOffset += RoundUpToAlignment(ArgSize, 8); 2743 IRB.CreateMemCpy(Base, MSV.getShadowPtr(A, IRB.getInt8Ty(), IRB), 2744 ArgSize, kShadowTLSAlignment); 2745 } else { 2746 ArgKind AK = classifyArgument(A); 2747 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset) 2748 AK = AK_Memory; 2749 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset) 2750 AK = AK_Memory; 2751 Value *Base; 2752 switch (AK) { 2753 case AK_GeneralPurpose: 2754 Base = getShadowPtrForVAArgument(A->getType(), IRB, GpOffset); 2755 GpOffset += 8; 2756 break; 2757 case AK_FloatingPoint: 2758 Base = getShadowPtrForVAArgument(A->getType(), IRB, FpOffset); 2759 FpOffset += 16; 2760 break; 2761 case AK_Memory: 2762 uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); 2763 Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset); 2764 OverflowOffset += RoundUpToAlignment(ArgSize, 8); 2765 } 2766 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); 2767 } 2768 } 2769 Constant *OverflowSize = 2770 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset); 2771 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS); 2772 } 2773 2774 /// \brief Compute the shadow address for a given va_arg. 2775 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, 2776 int ArgOffset) { 2777 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 2778 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 2779 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), 2780 "_msarg"); 2781 } 2782 2783 void visitVAStartInst(VAStartInst &I) override { 2784 IRBuilder<> IRB(&I); 2785 VAStartInstrumentationList.push_back(&I); 2786 Value *VAListTag = I.getArgOperand(0); 2787 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2788 2789 // Unpoison the whole __va_list_tag. 2790 // FIXME: magic ABI constants. 2791 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2792 /* size */24, /* alignment */8, false); 2793 } 2794 2795 void visitVACopyInst(VACopyInst &I) override { 2796 IRBuilder<> IRB(&I); 2797 Value *VAListTag = I.getArgOperand(0); 2798 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2799 2800 // Unpoison the whole __va_list_tag. 2801 // FIXME: magic ABI constants. 2802 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2803 /* size */24, /* alignment */8, false); 2804 } 2805 2806 void finalizeInstrumentation() override { 2807 assert(!VAArgOverflowSize && !VAArgTLSCopy && 2808 "finalizeInstrumentation called twice"); 2809 if (!VAStartInstrumentationList.empty()) { 2810 // If there is a va_start in this function, make a backup copy of 2811 // va_arg_tls somewhere in the function entry block. 2812 IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI()); 2813 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 2814 Value *CopySize = 2815 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), 2816 VAArgOverflowSize); 2817 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 2818 IRB.CreateMemCpy(VAArgTLSCopy, MS.VAArgTLS, CopySize, 8); 2819 } 2820 2821 // Instrument va_start. 2822 // Copy va_list shadow from the backup copy of the TLS contents. 2823 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { 2824 CallInst *OrigInst = VAStartInstrumentationList[i]; 2825 IRBuilder<> IRB(OrigInst->getNextNode()); 2826 Value *VAListTag = OrigInst->getArgOperand(0); 2827 2828 Value *RegSaveAreaPtrPtr = 2829 IRB.CreateIntToPtr( 2830 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 2831 ConstantInt::get(MS.IntptrTy, 16)), 2832 Type::getInt64PtrTy(*MS.C)); 2833 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); 2834 Value *RegSaveAreaShadowPtr = 2835 MSV.getShadowPtr(RegSaveAreaPtr, IRB.getInt8Ty(), IRB); 2836 IRB.CreateMemCpy(RegSaveAreaShadowPtr, VAArgTLSCopy, 2837 AMD64FpEndOffset, 16); 2838 2839 Value *OverflowArgAreaPtrPtr = 2840 IRB.CreateIntToPtr( 2841 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 2842 ConstantInt::get(MS.IntptrTy, 8)), 2843 Type::getInt64PtrTy(*MS.C)); 2844 Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr); 2845 Value *OverflowArgAreaShadowPtr = 2846 MSV.getShadowPtr(OverflowArgAreaPtr, IRB.getInt8Ty(), IRB); 2847 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy, 2848 AMD64FpEndOffset); 2849 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, SrcPtr, VAArgOverflowSize, 16); 2850 } 2851 } 2852 }; 2853 2854 /// \brief MIPS64-specific implementation of VarArgHelper. 2855 struct VarArgMIPS64Helper : public VarArgHelper { 2856 Function &F; 2857 MemorySanitizer &MS; 2858 MemorySanitizerVisitor &MSV; 2859 Value *VAArgTLSCopy; 2860 Value *VAArgSize; 2861 2862 SmallVector<CallInst*, 16> VAStartInstrumentationList; 2863 2864 VarArgMIPS64Helper(Function &F, MemorySanitizer &MS, 2865 MemorySanitizerVisitor &MSV) 2866 : F(F), MS(MS), MSV(MSV), VAArgTLSCopy(nullptr), 2867 VAArgSize(nullptr) {} 2868 2869 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override { 2870 unsigned VAArgOffset = 0; 2871 const DataLayout &DL = F.getParent()->getDataLayout(); 2872 for (CallSite::arg_iterator ArgIt = CS.arg_begin() + 1, End = CS.arg_end(); 2873 ArgIt != End; ++ArgIt) { 2874 Value *A = *ArgIt; 2875 Value *Base; 2876 uint64_t ArgSize = DL.getTypeAllocSize(A->getType()); 2877 #if defined(__MIPSEB__) || defined(MIPSEB) 2878 // Adjusting the shadow for argument with size < 8 to match the placement 2879 // of bits in big endian system 2880 if (ArgSize < 8) 2881 VAArgOffset += (8 - ArgSize); 2882 #endif 2883 Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset); 2884 VAArgOffset += ArgSize; 2885 VAArgOffset = RoundUpToAlignment(VAArgOffset, 8); 2886 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment); 2887 } 2888 2889 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset); 2890 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of 2891 // a new class member i.e. it is the total size of all VarArgs. 2892 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS); 2893 } 2894 2895 /// \brief Compute the shadow address for a given va_arg. 2896 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, 2897 int ArgOffset) { 2898 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy); 2899 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset)); 2900 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0), 2901 "_msarg"); 2902 } 2903 2904 void visitVAStartInst(VAStartInst &I) override { 2905 IRBuilder<> IRB(&I); 2906 VAStartInstrumentationList.push_back(&I); 2907 Value *VAListTag = I.getArgOperand(0); 2908 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2909 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2910 /* size */8, /* alignment */8, false); 2911 } 2912 2913 void visitVACopyInst(VACopyInst &I) override { 2914 IRBuilder<> IRB(&I); 2915 Value *VAListTag = I.getArgOperand(0); 2916 Value *ShadowPtr = MSV.getShadowPtr(VAListTag, IRB.getInt8Ty(), IRB); 2917 // Unpoison the whole __va_list_tag. 2918 // FIXME: magic ABI constants. 2919 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()), 2920 /* size */8, /* alignment */8, false); 2921 } 2922 2923 void finalizeInstrumentation() override { 2924 assert(!VAArgSize && !VAArgTLSCopy && 2925 "finalizeInstrumentation called twice"); 2926 IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI()); 2927 VAArgSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS); 2928 Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0), 2929 VAArgSize); 2930 2931 if (!VAStartInstrumentationList.empty()) { 2932 // If there is a va_start in this function, make a backup copy of 2933 // va_arg_tls somewhere in the function entry block. 2934 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize); 2935 IRB.CreateMemCpy(VAArgTLSCopy, MS.VAArgTLS, CopySize, 8); 2936 } 2937 2938 // Instrument va_start. 2939 // Copy va_list shadow from the backup copy of the TLS contents. 2940 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) { 2941 CallInst *OrigInst = VAStartInstrumentationList[i]; 2942 IRBuilder<> IRB(OrigInst->getNextNode()); 2943 Value *VAListTag = OrigInst->getArgOperand(0); 2944 Value *RegSaveAreaPtrPtr = 2945 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy), 2946 Type::getInt64PtrTy(*MS.C)); 2947 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr); 2948 Value *RegSaveAreaShadowPtr = 2949 MSV.getShadowPtr(RegSaveAreaPtr, IRB.getInt8Ty(), IRB); 2950 IRB.CreateMemCpy(RegSaveAreaShadowPtr, VAArgTLSCopy, CopySize, 8); 2951 } 2952 } 2953 }; 2954 2955 /// \brief A no-op implementation of VarArgHelper. 2956 struct VarArgNoOpHelper : public VarArgHelper { 2957 VarArgNoOpHelper(Function &F, MemorySanitizer &MS, 2958 MemorySanitizerVisitor &MSV) {} 2959 2960 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {} 2961 2962 void visitVAStartInst(VAStartInst &I) override {} 2963 2964 void visitVACopyInst(VACopyInst &I) override {} 2965 2966 void finalizeInstrumentation() override {} 2967 }; 2968 2969 VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan, 2970 MemorySanitizerVisitor &Visitor) { 2971 // VarArg handling is only implemented on AMD64. False positives are possible 2972 // on other platforms. 2973 llvm::Triple TargetTriple(Func.getParent()->getTargetTriple()); 2974 if (TargetTriple.getArch() == llvm::Triple::x86_64) 2975 return new VarArgAMD64Helper(Func, Msan, Visitor); 2976 else if (TargetTriple.getArch() == llvm::Triple::mips64 || 2977 TargetTriple.getArch() == llvm::Triple::mips64el) 2978 return new VarArgMIPS64Helper(Func, Msan, Visitor); 2979 else 2980 return new VarArgNoOpHelper(Func, Msan, Visitor); 2981 } 2982 2983 } // namespace 2984 2985 bool MemorySanitizer::runOnFunction(Function &F) { 2986 MemorySanitizerVisitor Visitor(F, *this); 2987 2988 // Clear out readonly/readnone attributes. 2989 AttrBuilder B; 2990 B.addAttribute(Attribute::ReadOnly) 2991 .addAttribute(Attribute::ReadNone); 2992 F.removeAttributes(AttributeSet::FunctionIndex, 2993 AttributeSet::get(F.getContext(), 2994 AttributeSet::FunctionIndex, B)); 2995 2996 return Visitor.runOnFunction(); 2997 } 2998
