Home | History | Annotate | Download | only in Instrumentation

Lines Matching refs:Shadow

14 /// (http://goo.gl/QKbem). We associate a few shadow bits with every
15 /// byte of the application memory, poison the shadow of the malloc-ed
16 /// or alloca-ed memory, load the shadow bits on every memory read,
17 /// propagate the shadow bits through some of the arithmetic
18 /// instruction (including MOV), store the shadow bits on every memory
20 /// associated shadow is poisoned.
30 /// Another difference from Memcheck is that we use 8 shadow bits per
31 /// byte of application memory and use a direct shadow mapping. This
33 /// shadow updates (Memcheck is single-threaded so races are not a
34 /// concern there. Memcheck uses 2 shadow bits per byte with a slow
37 /// The default value of shadow is 0, which means "clean" (not poisoned).
40 /// shadow memory is ready. On error, __msan_warning is called. Since
42 /// specialized thread-local shadow for return values
52 /// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
71 /// corresponding shadow location in an atomic way. Unfortunately, atomic store
77 /// not the other way around. We load the shadow _after_ the application load,
78 /// and we store the shadow _before_ the app store. Also, we always store clean
79 /// shadow (if the application store is atomic). This way, if the store-load
80 /// pair constitutes a happens-before arc, shadow store and load are correctly
86 /// must store the new shadow before the app operation, and load the shadow
90 /// clean shadow.
157        cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
164 // This flag controls whether we check the shadow of the address
171        cl::desc("report accesses through a pointer which has poisoned shadow"),
186 // This is an experiment to enable handling of cases where shadow is a non-zero
189 static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
190        cl::desc("Insert checks for constant shadow values"),
204 // Memory map parameters used in application-to-shadow address calculation.
206 // Shadow = ShadowBase + Offset
336   /// \brief Thread-local shadow storage for function parameters.
340   /// \brief Thread-local shadow storage for function return value.
344   /// \brief Thread-local shadow storage for in-register va_arg function
347   /// \brief Thread-local shadow storage for va_arg overflow area
371   /// \brief Memory map parameters used in application-to-shadow calculation.
582 /// necessary to propagate argument shadow through VarArg function
617 /// instructions store and load corresponding shadow and origin
618 /// values. Most instructions propagate shadow from arguments to their
620 /// test their argument shadow and print reports (with a runtime call) if it's
639     Value *Shadow;
643       : Shadow(S), Origin(O), OrigIns(I) { }
711   void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
715     unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
716     if (Shadow->getType()->isAggregateType()) {
721       Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
759       Value *Shadow = SI->isAtomic() ? getCleanShadow(Val) : getShadow(Val);
760       Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);
763           IRB.CreateAlignedStore(Shadow, ShadowPtr, SI->getAlignment());
774         storeOrigin(IRB, Addr, Shadow, getOrigin(Val), SI->getAlignment(),
779   void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
782     DEBUG(dbgs() << "  SHAD0 : " << *Shadow << "\n");
783     Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
834       Value *Shadow = ShadowData.Shadow;
836       materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
847     // blocks, such nodes will not have any shadow value associated with them.
848     // It's easier to remove unreachable blocks than deal with missing shadow.
851     // Iterate all BBs in depth-first order and create shadow instructions
853     // For PHI nodes we create dummy shadow PHIs which will be finalized later.
879     // Insert shadow value checks.
885   /// \brief Compute the shadow type that corresponds to a given Value.
890   /// \brief Compute the shadow type that corresponds to a given Type.
895     // For integer type, shadow is the same as the original type.
928   /// \brief Convert a shadow value to it's flattened variant.
936   /// \brief Compute the integer shadow offset that corresponds to a given
955   /// \brief Compute the shadow address that corresponds to a given application
958   /// Shadow = ShadowBase + Offset
990   /// \brief Compute the shadow address for a given function argument.
992   /// Shadow = ParamTLS+ArgOffset.
1011   /// \brief Compute the shadow address for a retval.
1024   /// \brief Set SV to be the shadow value for V.
1026     assert(!ShadowMap.count(V) && "Values may only have one shadow");
1038   /// \brief Create a clean shadow value for a given value.
1040   /// Clean shadow (all zeroes) means all bits of the value are defined
1049   /// \brief Create a dirty shadow of a given shadow type.
1065     llvm_unreachable("Unexpected shadow type");
1068   /// \brief Create a dirty shadow for a given value.
1081   /// \brief Get the shadow value for a given Value.
1088       // For instructions the shadow is already stored in the map.
1089       Value *Shadow = ShadowMap[V];
1090       if (!Shadow) {
1091         DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
1093         assert(Shadow && "No shadow for a value");
1095       return Shadow;
1104       // For arguments we compute the shadow on demand and store it in the map.
1125             // ByVal pointer itself has clean shadow. We copy the actual
1126             // argument shadow to the underlying memory.
1168       assert(*ShadowPtr && "Could not find shadow for an argument");
1171     // For everything else the shadow is zero.
1175   /// \brief Get the shadow for i-th argument of the instruction I.
1197   /// \brief Remember the place where a shadow check should be inserted.
1200   /// UMR warning in runtime if the shadow value is not 0.
1201   void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
1202     assert(Shadow);
1205     Type *ShadowTy = Shadow->getType();
1207            "Can only insert checks for integer and vector shadow types");
1210         ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
1213   /// \brief Remember the place where a shadow check should be inserted.
1219     Value *Shadow, *Origin;
1221       Shadow = getShadow(Val);
1222       if (!Shadow) return;
1225       Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
1226       if (!Shadow) return;
1229     insertShadowCheck(Shadow, Origin, OrigIns);
1270   /// Loads the corresponding shadow and (optionally) origin.
1305   /// Stores the corresponding shadow and (optionally) origin.
1420   /// \brief Propagate shadow for bitwise AND.
1424   /// corresponding bit in B don't affect the resulting shadow.
1469   /// \brief Default propagation of shadow and/or origin.
1471   /// This class implements the general case of shadow propagation, used in all
1473   /// actually does. It converts all input shadow values to a common type
1486     Value *Shadow;
1493       Shadow(nullptr), Origin(nullptr), IRB(IRB), MSV(MSV) {}
1495     /// \brief Add a pair of shadow and origin values to the mix.
1499         if (!Shadow)
1500           Shadow = OpShadow;
1502           OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
1503           Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
1532     /// \brief Set the current combined values as the given instruction's shadow
1536         assert(Shadow);
1537         Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
1538         MSV->setShadow(I, Shadow);
1562            "Vector of pointers is not a valid shadow type");
1568   /// \brief Cast between two shadow types, extending or truncating as
1587   /// \brief Cast an application value to the type of its own shadow.
1598   /// \brief Propagate shadow for arbitrary operation.
1612   // shadow left by the required number of bits. Effectively, we transform
1727       // Split shadow into sign bit and other bits.
1730       // Maximise the undefined shadow bit, minimize other undefined bits.
1744       // Split shadow into sign bit and other bits.
1747       // Minimise the undefined shadow bit, maximise other undefined bits.
1758   /// This function does exact shadow propagation for all relational
1792   /// bit of the shadow. Everything else is delegated to handleShadowOr().
1813       Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op),
1815       setShadow(&I, Shadow);
1879   /// we will memove the shadow twice: which is bad in case
1893   // Similar to memmove: avoid copying shadow twice.
1933     Value *Shadow = getShadow(&I, 1);
1934     Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);
1938     IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);
2072   // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
2097     // Combine shadow for elements of ConvertOp that are used in this operation,
2099     // FIXME: consider propagating shadow of ConvertOp, at least in the case of
2117     // Build result shadow by zero-filling parts of CopyOp shadow that come from
2229   // Shadow is propagated with the signed variant of the same intrinsic applied
2304   // all-ones shadow.
2517       // For inline asm, do the usual thing: check argument shadow and mark all
2558       // Compute the Shadow for arg even if it is ByVal, because
2559       // in that case getShadow() will copy the actual arg shadow to
2564             " Shadow: " << *ArgShadow << "\n");
2601     // Now, get the shadow for the RetVal.
2606     // Until we have full dynamic coverage, make sure the retval shadow is 0.
2625              "Could not find insertion point for retval shadow load");
2655       Value *Shadow = getCleanShadow(RetVal);
2656       IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
2658       Value *Shadow = getShadow(RetVal);
2659       IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
2729     // Result shadow if condition shadow is 0.
2743       // Cast arguments to shadow-compatible type.
2747       // Result shadow if condition shadow is 1.
2842     // Everything else: stop propagating and check for poisoned shadow.
2887   // For VarArg functions, store the argument shadow in an ABI-specific format
2893   // MSanParamTLS, and extract shadow on va_arg() call in the argument list
2954   /// \brief Compute the shadow
3006     // Copy va_list shadow from the backup copy of the TLS contents.
3064         // Adjusting the shadow for argument with size < 8 to match the placement
3081   /// \brief Compute the shadow address for a given va_arg.
3125     // Copy va_list shadow from the backup copy of the TLS contents.
3180   // The instrumentation stores the argument shadow in a non ABI-specific
3226       // bother to actually store a shadow.
3236   /// Compute the shadow address for a given va_arg.
3305     // Instrument va_start, copy va_list shadow from the backup copy of
3316       // We need then to propagate the shadow arguments on both regions
3318       // The remaning arguments are saved on shadow for 'va::stack'.
3321       // saved. So to copy the shadow values from the va_arg TLS array
3344       // argument by ignoring the bytes of shadow from named arguments.
3460           // Adjusting the shadow for argument with size < 8 to match the placement
3484   /// \brief Compute the shadow address for a given va_arg.
3528     // Copy va_list shadow from the backup copy of the TLS contents.