1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2018 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
24 #include "coretypes.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
41 #include "gimple-pretty-print.h"
43 #include "fold-const.h"
46 #include "gimple-iterator.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "stringpool.h"
57 #include "langhooks.h"
59 #include "gimple-builder.h"
60 #include "gimple-fold.h"
65 #include "tree-inline.h"
67 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
68 with <2x slowdown on average.
70 The tool consists of two parts:
71 instrumentation module (this file) and a run-time library.
72 The instrumentation module adds a run-time check before every memory insn.
73 For a 8- or 16- byte load accessing address X:
74 ShadowAddr = (X >> 3) + Offset
75 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
77 __asan_report_load8(X);
78 For a load of N bytes (N=1, 2 or 4) from address X:
79 ShadowAddr = (X >> 3) + Offset
80 ShadowValue = *(char*)ShadowAddr;
82 if ((X & 7) + N - 1 > ShadowValue)
83 __asan_report_loadN(X);
84 Stores are instrumented similarly, but using __asan_report_storeN functions.
85 A call too __asan_init_vN() is inserted to the list of module CTORs.
86 N is the version number of the AddressSanitizer API. The changes between the
87 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
89 The run-time library redefines malloc (so that redzone are inserted around
90 the allocated memory) and free (so that reuse of free-ed memory is delayed),
91 provides __asan_report* and __asan_init_vN functions.
94 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
96 The current implementation supports detection of out-of-bounds and
97 use-after-free in the heap, on the stack and for global variables.
99 [Protection of stack variables]
101 To understand how detection of out-of-bounds and use-after-free works
102 for stack variables, lets look at this example on x86_64 where the
103 stack grows downward:
117 For this function, the stack protected by asan will be organized as
118 follows, from the top of the stack to the bottom:
120 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
122 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
123 the next slot be 32 bytes aligned; this one is called Partial
124 Redzone; this 32 bytes alignment is an asan constraint]
126 Slot 3/ [24 bytes for variable 'a']
128 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
130 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
132 Slot 6/ [8 bytes for variable 'b']
134 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
137 The 32 bytes of LEFT red zone at the bottom of the stack can be
140 1/ The first 8 bytes contain a magical asan number that is always
143 2/ The following 8 bytes contains a pointer to a string (to be
144 parsed at runtime by the runtime asan library), which format is
147 "<function-name> <space> <num-of-variables-on-the-stack>
148 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
149 <length-of-var-in-bytes> ){n} "
151 where '(...){n}' means the content inside the parenthesis occurs 'n'
152 times, with 'n' being the number of variables on the stack.
154 3/ The following 8 bytes contain the PC of the current function which
155 will be used by the run-time library to print an error message.
157 4/ The following 8 bytes are reserved for internal use by the run-time.
159 The shadow memory for that stack layout is going to look like this:
161 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
162 The F1 byte pattern is a magic number called
163 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
164 the memory for that shadow byte is part of a the LEFT red zone
165 intended to seat at the bottom of the variables on the stack.
167 - content of shadow memory 8 bytes for slots 6 and 5:
168 0xF4F4F400. The F4 byte pattern is a magic number
169 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
170 memory region for this shadow byte is a PARTIAL red zone
171 intended to pad a variable A, so that the slot following
172 {A,padding} is 32 bytes aligned.
174 Note that the fact that the least significant byte of this
175 shadow memory content is 00 means that 8 bytes of its
176 corresponding memory (which corresponds to the memory of
177 variable 'b') is addressable.
179 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
180 The F2 byte pattern is a magic number called
181 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
182 region for this shadow byte is a MIDDLE red zone intended to
183 seat between two 32 aligned slots of {variable,padding}.
185 - content of shadow memory 8 bytes for slot 3 and 2:
186 0xF4000000. This represents is the concatenation of
187 variable 'a' and the partial red zone following it, like what we
188 had for variable 'b'. The least significant 3 bytes being 00
189 means that the 3 bytes of variable 'a' are addressable.
191 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
192 The F3 byte pattern is a magic number called
193 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
194 region for this shadow byte is a RIGHT red zone intended to seat
195 at the top of the variables of the stack.
197 Note that the real variable layout is done in expand_used_vars in
198 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
199 stack variables as well as the different red zones, emits some
200 prologue code to populate the shadow memory as to poison (mark as
201 non-accessible) the regions of the red zones and mark the regions of
202 stack variables as accessible, and emit some epilogue code to
203 un-poison (mark as accessible) the regions of red zones right before
206 [Protection of global variables]
208 The basic idea is to insert a red zone between two global variables
209 and install a constructor function that calls the asan runtime to do
210 the populating of the relevant shadow memory regions at load time.
212 So the global variables are laid out as to insert a red zone between
213 them. The size of the red zones is so that each variable starts on a
216 Then a constructor function is installed so that, for each global
217 variable, it calls the runtime asan library function
218 __asan_register_globals_with an instance of this type:
222 // Address of the beginning of the global variable.
225 // Initial size of the global variable.
228 // Size of the global variable + size of the red zone. This
229 // size is 32 bytes aligned.
230 uptr __size_with_redzone;
232 // Name of the global variable.
235 // Name of the module where the global variable is declared.
236 const void *__module_name;
238 // 1 if it has dynamic initialization, 0 otherwise.
239 uptr __has_dynamic_init;
241 // A pointer to struct that contains source location, could be NULL.
242 __asan_global_source_location *__location;
245 A destructor function that calls the runtime asan library function
246 _asan_unregister_globals is also installed. */
248 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
249 static bool asan_shadow_offset_computed;
250 static vec<char *> sanitized_sections;
251 static tree last_alloca_addr;
253 /* Set of variable declarations that are going to be guarded by
254 use-after-scope sanitizer. */
256 hash_set<tree> *asan_handled_variables = NULL;
258 hash_set <tree> *asan_used_labels = NULL;
260 /* Sets shadow offset to value in string VAL. */
263 set_asan_shadow_offset (const char *val)
268 #ifdef HAVE_LONG_LONG
269 asan_shadow_offset_value = strtoull (val, &endp, 0);
271 asan_shadow_offset_value = strtoul (val, &endp, 0);
273 if (!(*val != '\0' && *endp == '\0' && errno == 0))
276 asan_shadow_offset_computed = true;
281 /* Set list of user-defined sections that need to be sanitized. */
284 set_sanitized_sections (const char *sections)
288 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
290 sanitized_sections.truncate (0);
292 for (const char *s = sections; *s; )
295 for (end = s; *end && *end != ','; ++end);
296 size_t len = end - s;
297 sanitized_sections.safe_push (xstrndup (s, len));
298 s = *end ? end + 1 : end;
303 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
305 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
306 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
310 asan_sanitize_stack_p (void)
312 return (sanitize_flags_p (SANITIZE_ADDRESS) && ASAN_STACK);
316 asan_sanitize_allocas_p (void)
318 return (asan_sanitize_stack_p () && ASAN_PROTECT_ALLOCAS);
321 /* Checks whether section SEC should be sanitized. */
324 section_sanitized_p (const char *sec)
328 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
329 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
334 /* Returns Asan shadow offset. */
336 static unsigned HOST_WIDE_INT
337 asan_shadow_offset ()
339 if (!asan_shadow_offset_computed)
341 asan_shadow_offset_computed = true;
342 asan_shadow_offset_value = targetm.asan_shadow_offset ();
344 return asan_shadow_offset_value;
347 alias_set_type asan_shadow_set = -1;
349 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
350 alias set is used for all shadow memory accesses. */
351 static GTY(()) tree shadow_ptr_types[3];
353 /* Decl for __asan_option_detect_stack_use_after_return. */
354 static GTY(()) tree asan_detect_stack_use_after_return;
356 /* Hashtable support for memory references used by gimple
359 /* This type represents a reference to a memory region. */
362 /* The expression of the beginning of the memory region. */
365 /* The size of the access. */
366 HOST_WIDE_INT access_size;
369 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
371 /* Initializes an instance of asan_mem_ref. */
374 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
377 ref->access_size = access_size;
380 /* Allocates memory for an instance of asan_mem_ref into the memory
381 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
382 START is the address of (or the expression pointing to) the
383 beginning of memory reference. ACCESS_SIZE is the size of the
384 access to the referenced memory. */
387 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
389 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
391 asan_mem_ref_init (ref, start, access_size);
395 /* This builds and returns a pointer to the end of the memory region
396 that starts at START and of length LEN. */
399 asan_mem_ref_get_end (tree start, tree len)
401 if (len == NULL_TREE || integer_zerop (len))
404 if (!ptrofftype_p (len))
405 len = convert_to_ptrofftype (len);
407 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
410 /* Return a tree expression that represents the end of the referenced
411 memory region. Beware that this function can actually build a new
415 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
417 return asan_mem_ref_get_end (ref->start, len);
420 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
422 static inline hashval_t hash (const asan_mem_ref *);
423 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
426 /* Hash a memory reference. */
429 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
431 return iterative_hash_expr (mem_ref->start, 0);
434 /* Compare two memory references. We accept the length of either
435 memory references to be NULL_TREE. */
438 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
439 const asan_mem_ref *m2)
441 return operand_equal_p (m1->start, m2->start, 0);
444 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
446 /* Returns a reference to the hash table containing memory references.
447 This function ensures that the hash table is created. Note that
448 this hash table is updated by the function
449 update_mem_ref_hash_table. */
451 static hash_table<asan_mem_ref_hasher> *
452 get_mem_ref_hash_table ()
454 if (!asan_mem_ref_ht)
455 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
457 return asan_mem_ref_ht;
460 /* Clear all entries from the memory references hash table. */
463 empty_mem_ref_hash_table ()
466 asan_mem_ref_ht->empty ();
469 /* Free the memory references hash table. */
472 free_mem_ref_resources ()
474 delete asan_mem_ref_ht;
475 asan_mem_ref_ht = NULL;
477 asan_mem_ref_pool.release ();
480 /* Return true iff the memory reference REF has been instrumented. */
483 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
486 asan_mem_ref_init (&r, ref, access_size);
488 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
489 return saved_ref && saved_ref->access_size >= access_size;
492 /* Return true iff the memory reference REF has been instrumented. */
495 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
497 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
500 /* Return true iff access to memory region starting at REF and of
501 length LEN has been instrumented. */
504 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
506 HOST_WIDE_INT size_in_bytes
507 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
509 return size_in_bytes != -1
510 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
513 /* Set REF to the memory reference present in a gimple assignment
514 ASSIGNMENT. Return true upon successful completion, false
518 get_mem_ref_of_assignment (const gassign *assignment,
522 gcc_assert (gimple_assign_single_p (assignment));
524 if (gimple_store_p (assignment)
525 && !gimple_clobber_p (assignment))
527 ref->start = gimple_assign_lhs (assignment);
528 *ref_is_store = true;
530 else if (gimple_assign_load_p (assignment))
532 ref->start = gimple_assign_rhs1 (assignment);
533 *ref_is_store = false;
538 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
542 /* Return address of last allocated dynamic alloca. */
545 get_last_alloca_addr ()
547 if (last_alloca_addr)
548 return last_alloca_addr;
550 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr");
551 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node);
552 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun));
553 gsi_insert_on_edge_immediate (e, g);
554 return last_alloca_addr;
557 /* Insert __asan_allocas_unpoison (top, bottom) call before
558 __builtin_stack_restore (new_sp) call.
559 The pseudocode of this routine should look like this:
560 top = last_alloca_addr;
562 __asan_allocas_unpoison (top, bot);
563 last_alloca_addr = new_sp;
564 __builtin_stack_restore (new_sp);
565 In general, we can't use new_sp as bot parameter because on some
566 architectures SP has non zero offset from dynamic stack area. Moreover, on
567 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
568 particular function only after all callees were expanded to rtl.
569 The most noticeable example is PowerPC{,64}, see
570 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
571 To overcome the issue we use following trick: pass new_sp as a second
572 parameter to __asan_allocas_unpoison and rewrite it during expansion with
573 new_sp + (virtual_dynamic_stack_rtx - sp) later in
574 expand_asan_emit_allocas_unpoison function. */
577 handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter)
579 if (!iter || !asan_sanitize_allocas_p ())
582 tree last_alloca = get_last_alloca_addr ();
583 tree restored_stack = gimple_call_arg (call, 0);
584 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON);
585 gimple *g = gimple_build_call (fn, 2, last_alloca, restored_stack);
586 gsi_insert_before (iter, g, GSI_SAME_STMT);
587 g = gimple_build_assign (last_alloca, restored_stack);
588 gsi_insert_before (iter, g, GSI_SAME_STMT);
591 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
592 should replace this call with another one with changed parameters and
593 replace all its uses with new address, so
594 addr = __builtin_alloca (old_size, align);
596 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
597 Following two statements are optimized out if we know that
598 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
600 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
601 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
602 right_redzone_size = ASAN_RED_ZONE_SIZE;
603 additional_size = left_redzone_size + partial_redzone_size +
605 new_size = old_size + additional_size;
606 new_alloca = __builtin_alloca (new_size, max (align, 32))
607 __asan_alloca_poison (new_alloca, old_size)
608 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
609 last_alloca_addr = new_alloca;
610 ADDITIONAL_SIZE is added to make new memory allocation contain not only
611 requested memory, but also left, partial and right redzones as well as some
612 additional space, required by alignment. */
615 handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter)
617 if (!iter || !asan_sanitize_allocas_p ())
622 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1;
624 tree last_alloca = get_last_alloca_addr ();
625 tree callee = gimple_call_fndecl (call);
626 tree old_size = gimple_call_arg (call, 0);
627 tree ptr_type = gimple_call_lhs (call) ? TREE_TYPE (gimple_call_lhs (call))
629 tree partial_size = NULL_TREE;
631 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA
632 ? 0 : tree_to_uhwi (gimple_call_arg (call, 1));
634 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
635 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
637 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT);
639 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask);
640 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE);
642 /* Extract lower bits from old_size. */
643 wide_int size_nonzero_bits = get_nonzero_bits (old_size);
645 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits));
646 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask);
648 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
649 redzone. Otherwise, compute its size here. */
650 if (wi::ne_p (old_size_lower_bits, 0))
652 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
653 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
654 g = gimple_build_assign (make_ssa_name (size_type_node, NULL),
655 BIT_AND_EXPR, old_size, alloca_rz_mask);
656 gsi_insert_before (iter, g, GSI_SAME_STMT);
657 tree misalign = gimple_assign_lhs (g);
658 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR,
659 redzone_size, misalign);
660 gsi_insert_before (iter, g, GSI_SAME_STMT);
661 partial_size = gimple_assign_lhs (g);
664 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
665 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT
666 + ASAN_RED_ZONE_SIZE);
667 /* If alloca has partial redzone, include it to additional_size too. */
670 /* additional_size += partial_size. */
671 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR,
672 partial_size, additional_size);
673 gsi_insert_before (iter, g, GSI_SAME_STMT);
674 additional_size = gimple_assign_lhs (g);
677 /* new_size = old_size + additional_size. */
678 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size,
680 gsi_insert_before (iter, g, GSI_SAME_STMT);
681 tree new_size = gimple_assign_lhs (g);
683 /* Build new __builtin_alloca call:
684 new_alloca_with_rz = __builtin_alloca (new_size, align). */
685 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN);
686 gg = gimple_build_call (fn, 2, new_size,
687 build_int_cst (size_type_node, align));
688 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg);
689 gimple_call_set_lhs (gg, new_alloca_with_rz);
690 gsi_insert_before (iter, gg, GSI_SAME_STMT);
692 /* new_alloca = new_alloca_with_rz + align. */
693 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR,
695 build_int_cst (size_type_node,
696 align / BITS_PER_UNIT));
697 gsi_insert_before (iter, g, GSI_SAME_STMT);
698 tree new_alloca = gimple_assign_lhs (g);
700 /* Poison newly created alloca redzones:
701 __asan_alloca_poison (new_alloca, old_size). */
702 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON);
703 gg = gimple_build_call (fn, 2, new_alloca, old_size);
704 gsi_insert_before (iter, gg, GSI_SAME_STMT);
706 /* Save new_alloca_with_rz value into last_alloca to use it during
707 allocas unpoisoning. */
708 g = gimple_build_assign (last_alloca, new_alloca_with_rz);
709 gsi_insert_before (iter, g, GSI_SAME_STMT);
711 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
712 replace_call_with_value (iter, new_alloca);
715 /* Return the memory references contained in a gimple statement
716 representing a builtin call that has to do with memory access. */
719 get_mem_refs_of_builtin_call (gcall *call,
731 gimple_stmt_iterator *iter = NULL)
733 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
735 tree callee = gimple_call_fndecl (call);
736 tree source0 = NULL_TREE, source1 = NULL_TREE,
737 dest = NULL_TREE, len = NULL_TREE;
738 bool is_store = true, got_reference_p = false;
739 HOST_WIDE_INT access_size = 1;
741 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
743 switch (DECL_FUNCTION_CODE (callee))
745 /* (s, s, n) style memops. */
747 case BUILT_IN_MEMCMP:
748 source0 = gimple_call_arg (call, 0);
749 source1 = gimple_call_arg (call, 1);
750 len = gimple_call_arg (call, 2);
753 /* (src, dest, n) style memops. */
755 source0 = gimple_call_arg (call, 0);
756 dest = gimple_call_arg (call, 1);
757 len = gimple_call_arg (call, 2);
760 /* (dest, src, n) style memops. */
761 case BUILT_IN_MEMCPY:
762 case BUILT_IN_MEMCPY_CHK:
763 case BUILT_IN_MEMMOVE:
764 case BUILT_IN_MEMMOVE_CHK:
765 case BUILT_IN_MEMPCPY:
766 case BUILT_IN_MEMPCPY_CHK:
767 dest = gimple_call_arg (call, 0);
768 source0 = gimple_call_arg (call, 1);
769 len = gimple_call_arg (call, 2);
772 /* (dest, n) style memops. */
774 dest = gimple_call_arg (call, 0);
775 len = gimple_call_arg (call, 1);
778 /* (dest, x, n) style memops*/
779 case BUILT_IN_MEMSET:
780 case BUILT_IN_MEMSET_CHK:
781 dest = gimple_call_arg (call, 0);
782 len = gimple_call_arg (call, 2);
785 case BUILT_IN_STRLEN:
786 source0 = gimple_call_arg (call, 0);
787 len = gimple_call_lhs (call);
790 case BUILT_IN_STACK_RESTORE:
791 handle_builtin_stack_restore (call, iter);
794 CASE_BUILT_IN_ALLOCA:
795 handle_builtin_alloca (call, iter);
797 /* And now the __atomic* and __sync builtins.
798 These are handled differently from the classical memory memory
799 access builtins above. */
801 case BUILT_IN_ATOMIC_LOAD_1:
804 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
805 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
806 case BUILT_IN_SYNC_FETCH_AND_OR_1:
807 case BUILT_IN_SYNC_FETCH_AND_AND_1:
808 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
809 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
810 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
811 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
812 case BUILT_IN_SYNC_OR_AND_FETCH_1:
813 case BUILT_IN_SYNC_AND_AND_FETCH_1:
814 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
815 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
816 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
817 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
818 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
819 case BUILT_IN_SYNC_LOCK_RELEASE_1:
820 case BUILT_IN_ATOMIC_EXCHANGE_1:
821 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
822 case BUILT_IN_ATOMIC_STORE_1:
823 case BUILT_IN_ATOMIC_ADD_FETCH_1:
824 case BUILT_IN_ATOMIC_SUB_FETCH_1:
825 case BUILT_IN_ATOMIC_AND_FETCH_1:
826 case BUILT_IN_ATOMIC_NAND_FETCH_1:
827 case BUILT_IN_ATOMIC_XOR_FETCH_1:
828 case BUILT_IN_ATOMIC_OR_FETCH_1:
829 case BUILT_IN_ATOMIC_FETCH_ADD_1:
830 case BUILT_IN_ATOMIC_FETCH_SUB_1:
831 case BUILT_IN_ATOMIC_FETCH_AND_1:
832 case BUILT_IN_ATOMIC_FETCH_NAND_1:
833 case BUILT_IN_ATOMIC_FETCH_XOR_1:
834 case BUILT_IN_ATOMIC_FETCH_OR_1:
838 case BUILT_IN_ATOMIC_LOAD_2:
841 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
842 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
843 case BUILT_IN_SYNC_FETCH_AND_OR_2:
844 case BUILT_IN_SYNC_FETCH_AND_AND_2:
845 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
846 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
847 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
848 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
849 case BUILT_IN_SYNC_OR_AND_FETCH_2:
850 case BUILT_IN_SYNC_AND_AND_FETCH_2:
851 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
852 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
853 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
854 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
855 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
856 case BUILT_IN_SYNC_LOCK_RELEASE_2:
857 case BUILT_IN_ATOMIC_EXCHANGE_2:
858 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
859 case BUILT_IN_ATOMIC_STORE_2:
860 case BUILT_IN_ATOMIC_ADD_FETCH_2:
861 case BUILT_IN_ATOMIC_SUB_FETCH_2:
862 case BUILT_IN_ATOMIC_AND_FETCH_2:
863 case BUILT_IN_ATOMIC_NAND_FETCH_2:
864 case BUILT_IN_ATOMIC_XOR_FETCH_2:
865 case BUILT_IN_ATOMIC_OR_FETCH_2:
866 case BUILT_IN_ATOMIC_FETCH_ADD_2:
867 case BUILT_IN_ATOMIC_FETCH_SUB_2:
868 case BUILT_IN_ATOMIC_FETCH_AND_2:
869 case BUILT_IN_ATOMIC_FETCH_NAND_2:
870 case BUILT_IN_ATOMIC_FETCH_XOR_2:
871 case BUILT_IN_ATOMIC_FETCH_OR_2:
875 case BUILT_IN_ATOMIC_LOAD_4:
878 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
879 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
880 case BUILT_IN_SYNC_FETCH_AND_OR_4:
881 case BUILT_IN_SYNC_FETCH_AND_AND_4:
882 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
883 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
884 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
885 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
886 case BUILT_IN_SYNC_OR_AND_FETCH_4:
887 case BUILT_IN_SYNC_AND_AND_FETCH_4:
888 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
889 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
890 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
891 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
892 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
893 case BUILT_IN_SYNC_LOCK_RELEASE_4:
894 case BUILT_IN_ATOMIC_EXCHANGE_4:
895 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
896 case BUILT_IN_ATOMIC_STORE_4:
897 case BUILT_IN_ATOMIC_ADD_FETCH_4:
898 case BUILT_IN_ATOMIC_SUB_FETCH_4:
899 case BUILT_IN_ATOMIC_AND_FETCH_4:
900 case BUILT_IN_ATOMIC_NAND_FETCH_4:
901 case BUILT_IN_ATOMIC_XOR_FETCH_4:
902 case BUILT_IN_ATOMIC_OR_FETCH_4:
903 case BUILT_IN_ATOMIC_FETCH_ADD_4:
904 case BUILT_IN_ATOMIC_FETCH_SUB_4:
905 case BUILT_IN_ATOMIC_FETCH_AND_4:
906 case BUILT_IN_ATOMIC_FETCH_NAND_4:
907 case BUILT_IN_ATOMIC_FETCH_XOR_4:
908 case BUILT_IN_ATOMIC_FETCH_OR_4:
912 case BUILT_IN_ATOMIC_LOAD_8:
915 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
916 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
917 case BUILT_IN_SYNC_FETCH_AND_OR_8:
918 case BUILT_IN_SYNC_FETCH_AND_AND_8:
919 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
920 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
921 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
922 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
923 case BUILT_IN_SYNC_OR_AND_FETCH_8:
924 case BUILT_IN_SYNC_AND_AND_FETCH_8:
925 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
926 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
927 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
928 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
929 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
930 case BUILT_IN_SYNC_LOCK_RELEASE_8:
931 case BUILT_IN_ATOMIC_EXCHANGE_8:
932 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
933 case BUILT_IN_ATOMIC_STORE_8:
934 case BUILT_IN_ATOMIC_ADD_FETCH_8:
935 case BUILT_IN_ATOMIC_SUB_FETCH_8:
936 case BUILT_IN_ATOMIC_AND_FETCH_8:
937 case BUILT_IN_ATOMIC_NAND_FETCH_8:
938 case BUILT_IN_ATOMIC_XOR_FETCH_8:
939 case BUILT_IN_ATOMIC_OR_FETCH_8:
940 case BUILT_IN_ATOMIC_FETCH_ADD_8:
941 case BUILT_IN_ATOMIC_FETCH_SUB_8:
942 case BUILT_IN_ATOMIC_FETCH_AND_8:
943 case BUILT_IN_ATOMIC_FETCH_NAND_8:
944 case BUILT_IN_ATOMIC_FETCH_XOR_8:
945 case BUILT_IN_ATOMIC_FETCH_OR_8:
949 case BUILT_IN_ATOMIC_LOAD_16:
952 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
953 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
954 case BUILT_IN_SYNC_FETCH_AND_OR_16:
955 case BUILT_IN_SYNC_FETCH_AND_AND_16:
956 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
957 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
958 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
959 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
960 case BUILT_IN_SYNC_OR_AND_FETCH_16:
961 case BUILT_IN_SYNC_AND_AND_FETCH_16:
962 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
963 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
964 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
965 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
966 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
967 case BUILT_IN_SYNC_LOCK_RELEASE_16:
968 case BUILT_IN_ATOMIC_EXCHANGE_16:
969 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
970 case BUILT_IN_ATOMIC_STORE_16:
971 case BUILT_IN_ATOMIC_ADD_FETCH_16:
972 case BUILT_IN_ATOMIC_SUB_FETCH_16:
973 case BUILT_IN_ATOMIC_AND_FETCH_16:
974 case BUILT_IN_ATOMIC_NAND_FETCH_16:
975 case BUILT_IN_ATOMIC_XOR_FETCH_16:
976 case BUILT_IN_ATOMIC_OR_FETCH_16:
977 case BUILT_IN_ATOMIC_FETCH_ADD_16:
978 case BUILT_IN_ATOMIC_FETCH_SUB_16:
979 case BUILT_IN_ATOMIC_FETCH_AND_16:
980 case BUILT_IN_ATOMIC_FETCH_NAND_16:
981 case BUILT_IN_ATOMIC_FETCH_XOR_16:
982 case BUILT_IN_ATOMIC_FETCH_OR_16:
987 dest = gimple_call_arg (call, 0);
988 /* DEST represents the address of a memory location.
989 instrument_derefs wants the memory location, so lets
990 dereference the address DEST before handing it to
991 instrument_derefs. */
992 tree type = build_nonstandard_integer_type (access_size
994 dest = build2 (MEM_REF, type, dest,
995 build_int_cst (build_pointer_type (char_type_node), 0));
1000 /* The other builtins memory access are not instrumented in this
1001 function because they either don't have any length parameter,
1002 or their length parameter is just a limit. */
1006 if (len != NULL_TREE)
1008 if (source0 != NULL_TREE)
1010 src0->start = source0;
1011 src0->access_size = access_size;
1013 *src0_is_store = false;
1016 if (source1 != NULL_TREE)
1018 src1->start = source1;
1019 src1->access_size = access_size;
1021 *src1_is_store = false;
1024 if (dest != NULL_TREE)
1027 dst->access_size = access_size;
1029 *dst_is_store = true;
1032 got_reference_p = true;
1037 dst->access_size = access_size;
1038 *dst_len = NULL_TREE;
1039 *dst_is_store = is_store;
1040 *dest_is_deref = true;
1041 got_reference_p = true;
1044 return got_reference_p;
1047 /* Return true iff a given gimple statement has been instrumented.
1048 Note that the statement is "defined" by the memory references it
1052 has_stmt_been_instrumented_p (gimple *stmt)
1054 if (gimple_assign_single_p (stmt))
1058 asan_mem_ref_init (&r, NULL, 1);
1060 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
1062 return has_mem_ref_been_instrumented (&r);
1064 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1066 asan_mem_ref src0, src1, dest;
1067 asan_mem_ref_init (&src0, NULL, 1);
1068 asan_mem_ref_init (&src1, NULL, 1);
1069 asan_mem_ref_init (&dest, NULL, 1);
1071 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1072 bool src0_is_store = false, src1_is_store = false,
1073 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
1074 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
1075 &src0, &src0_len, &src0_is_store,
1076 &src1, &src1_len, &src1_is_store,
1077 &dest, &dest_len, &dest_is_store,
1078 &dest_is_deref, &intercepted_p))
1080 if (src0.start != NULL_TREE
1081 && !has_mem_ref_been_instrumented (&src0, src0_len))
1084 if (src1.start != NULL_TREE
1085 && !has_mem_ref_been_instrumented (&src1, src1_len))
1088 if (dest.start != NULL_TREE
1089 && !has_mem_ref_been_instrumented (&dest, dest_len))
1095 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
1098 asan_mem_ref_init (&r, NULL, 1);
1100 r.start = gimple_call_lhs (stmt);
1101 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
1102 return has_mem_ref_been_instrumented (&r);
1108 /* Insert a memory reference into the hash table. */
1111 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
1113 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
1116 asan_mem_ref_init (&r, ref, access_size);
1118 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
1119 if (*slot == NULL || (*slot)->access_size < access_size)
1120 *slot = asan_mem_ref_new (ref, access_size);
1123 /* Initialize shadow_ptr_types array. */
1126 asan_init_shadow_ptr_types (void)
1128 asan_shadow_set = new_alias_set ();
1129 tree types[3] = { signed_char_type_node, short_integer_type_node,
1130 integer_type_node };
1132 for (unsigned i = 0; i < 3; i++)
1134 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
1135 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
1136 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
1139 initialize_sanitizer_builtins ();
1142 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1145 asan_pp_string (pretty_printer *pp)
1147 const char *buf = pp_formatted_text (pp);
1148 size_t len = strlen (buf);
1149 tree ret = build_string (len + 1, buf);
1151 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
1152 build_index_type (size_int (len)));
1153 TREE_READONLY (ret) = 1;
1154 TREE_STATIC (ret) = 1;
1155 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
1158 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
1161 asan_shadow_cst (unsigned char shadow_bytes[4])
1164 unsigned HOST_WIDE_INT val = 0;
1165 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
1166 for (i = 0; i < 4; i++)
1167 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
1168 << (BITS_PER_UNIT * i);
1169 return gen_int_mode (val, SImode);
1172 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1176 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
1178 rtx_insn *insn, *insns, *jump;
1179 rtx_code_label *top_label;
1183 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1184 insns = get_insns ();
1186 for (insn = insns; insn; insn = NEXT_INSN (insn))
1189 if (insn == NULL_RTX)
1195 gcc_assert ((len & 3) == 0);
1196 top_label = gen_label_rtx ();
1197 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1198 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1199 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1200 emit_label (top_label);
1202 emit_move_insn (shadow_mem, const0_rtx);
1203 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1204 true, OPTAB_LIB_WIDEN);
1206 emit_move_insn (addr, tmp);
1207 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1208 jump = get_last_insn ();
1209 gcc_assert (JUMP_P (jump));
1210 add_reg_br_prob_note (jump,
1211 profile_probability::guessed_always ()
1212 .apply_scale (80, 100));
1216 asan_function_start (void)
1218 section *fnsec = function_section (current_function_decl);
1219 switch_to_section (fnsec);
1220 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1221 current_function_funcdef_no);
1224 /* Return number of shadow bytes that are occupied by a local variable
1227 static unsigned HOST_WIDE_INT
1228 shadow_mem_size (unsigned HOST_WIDE_INT size)
1230 /* It must be possible to align stack variables to granularity
1231 of shadow memory. */
1232 gcc_assert (BITS_PER_UNIT
1233 * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT);
1235 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1238 /* Insert code to protect stack vars. The prologue sequence should be emitted
1239 directly, epilogue sequence returned. BASE is the register holding the
1240 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1241 array contains pairs of offsets in reverse order, always the end offset
1242 of some gap that needs protection followed by starting offset,
1243 and DECLS is an array of representative decls for each var partition.
1244 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1245 elements long (OFFSETS include gap before the first variable as well
1246 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1247 register which stack vars DECL_RTLs are based on. Either BASE should be
1248 assigned to PBASE, when not doing use after return protection, or
1249 corresponding address based on __asan_stack_malloc* return value. */
1252 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1253 HOST_WIDE_INT *offsets, tree *decls, int length)
1255 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1256 rtx_code_label *lab;
1259 unsigned char shadow_bytes[4];
1260 HOST_WIDE_INT base_offset = offsets[length - 1];
1261 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1262 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1263 HOST_WIDE_INT last_offset, last_size;
1265 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1266 tree str_cst, decl, id;
1267 int use_after_return_class = -1;
1269 if (shadow_ptr_types[0] == NULL_TREE)
1270 asan_init_shadow_ptr_types ();
1272 /* First of all, prepare the description string. */
1273 pretty_printer asan_pp;
1275 pp_decimal_int (&asan_pp, length / 2 - 1);
1276 pp_space (&asan_pp);
1277 for (l = length - 2; l; l -= 2)
1279 tree decl = decls[l / 2 - 1];
1280 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1281 pp_space (&asan_pp);
1282 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1283 pp_space (&asan_pp);
1284 if (DECL_P (decl) && DECL_NAME (decl))
1286 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1287 pp_space (&asan_pp);
1288 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1291 pp_string (&asan_pp, "9 <unknown>");
1292 pp_space (&asan_pp);
1294 str_cst = asan_pp_string (&asan_pp);
1296 /* Emit the prologue sequence. */
1297 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1298 && ASAN_USE_AFTER_RETURN)
1300 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1301 /* __asan_stack_malloc_N guarantees alignment
1302 N < 6 ? (64 << N) : 4096 bytes. */
1303 if (alignb > (use_after_return_class < 6
1304 ? (64U << use_after_return_class) : 4096U))
1305 use_after_return_class = -1;
1306 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1307 base_align_bias = ((asan_frame_size + alignb - 1)
1308 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1310 /* Align base if target is STRICT_ALIGNMENT. */
1311 if (STRICT_ALIGNMENT)
1312 base = expand_binop (Pmode, and_optab, base,
1313 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1314 << ASAN_SHADOW_SHIFT)
1315 / BITS_PER_UNIT), Pmode), NULL_RTX,
1318 if (use_after_return_class == -1 && pbase)
1319 emit_move_insn (pbase, base);
1321 base = expand_binop (Pmode, add_optab, base,
1322 gen_int_mode (base_offset - base_align_bias, Pmode),
1323 NULL_RTX, 1, OPTAB_DIRECT);
1324 orig_base = NULL_RTX;
1325 if (use_after_return_class != -1)
1327 if (asan_detect_stack_use_after_return == NULL_TREE)
1329 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1330 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1332 SET_DECL_ASSEMBLER_NAME (decl, id);
1333 TREE_ADDRESSABLE (decl) = 1;
1334 DECL_ARTIFICIAL (decl) = 1;
1335 DECL_IGNORED_P (decl) = 1;
1336 DECL_EXTERNAL (decl) = 1;
1337 TREE_STATIC (decl) = 1;
1338 TREE_PUBLIC (decl) = 1;
1339 TREE_USED (decl) = 1;
1340 asan_detect_stack_use_after_return = decl;
1342 orig_base = gen_reg_rtx (Pmode);
1343 emit_move_insn (orig_base, base);
1344 ret = expand_normal (asan_detect_stack_use_after_return);
1345 lab = gen_label_rtx ();
1346 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1348 profile_probability::very_likely ());
1349 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1350 use_after_return_class);
1351 ret = init_one_libfunc (buf);
1352 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1353 GEN_INT (asan_frame_size
1355 TYPE_MODE (pointer_sized_int_node));
1356 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1357 and NULL otherwise. Check RET value is NULL here and jump over the
1358 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1359 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1361 profile_probability:: very_unlikely ());
1362 ret = convert_memory_address (Pmode, ret);
1363 emit_move_insn (base, ret);
1365 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1366 gen_int_mode (base_align_bias
1367 - base_offset, Pmode),
1368 NULL_RTX, 1, OPTAB_DIRECT));
1370 mem = gen_rtx_MEM (ptr_mode, base);
1371 mem = adjust_address (mem, VOIDmode, base_align_bias);
1372 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1373 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1374 emit_move_insn (mem, expand_normal (str_cst));
1375 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1376 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1377 id = get_identifier (buf);
1378 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1379 VAR_DECL, id, char_type_node);
1380 SET_DECL_ASSEMBLER_NAME (decl, id);
1381 TREE_ADDRESSABLE (decl) = 1;
1382 TREE_READONLY (decl) = 1;
1383 DECL_ARTIFICIAL (decl) = 1;
1384 DECL_IGNORED_P (decl) = 1;
1385 TREE_STATIC (decl) = 1;
1386 TREE_PUBLIC (decl) = 0;
1387 TREE_USED (decl) = 1;
1388 DECL_INITIAL (decl) = decl;
1389 TREE_ASM_WRITTEN (decl) = 1;
1390 TREE_ASM_WRITTEN (id) = 1;
1391 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1392 shadow_base = expand_binop (Pmode, lshr_optab, base,
1393 gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT),
1394 NULL_RTX, 1, OPTAB_DIRECT);
1396 = plus_constant (Pmode, shadow_base,
1397 asan_shadow_offset ()
1398 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1399 gcc_assert (asan_shadow_set != -1
1400 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1401 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1402 set_mem_alias_set (shadow_mem, asan_shadow_set);
1403 if (STRICT_ALIGNMENT)
1404 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1405 prev_offset = base_offset;
1406 for (l = length; l; l -= 2)
1409 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1410 offset = offsets[l - 1];
1411 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1415 = base_offset + ((offset - base_offset)
1416 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1417 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1418 (aoff - prev_offset)
1419 >> ASAN_SHADOW_SHIFT);
1421 for (i = 0; i < 4; i++, aoff += ASAN_SHADOW_GRANULARITY)
1424 if (aoff < offset - (HOST_WIDE_INT)ASAN_SHADOW_GRANULARITY + 1)
1425 shadow_bytes[i] = 0;
1427 shadow_bytes[i] = offset - aoff;
1430 shadow_bytes[i] = ASAN_STACK_MAGIC_MIDDLE;
1431 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1434 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1436 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1437 (offset - prev_offset)
1438 >> ASAN_SHADOW_SHIFT);
1439 prev_offset = offset;
1440 memset (shadow_bytes, cur_shadow_byte, 4);
1441 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1442 offset += ASAN_RED_ZONE_SIZE;
1444 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1446 do_pending_stack_adjust ();
1448 /* Construct epilogue sequence. */
1452 if (use_after_return_class != -1)
1454 rtx_code_label *lab2 = gen_label_rtx ();
1455 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1456 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1458 profile_probability::very_likely ());
1459 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1460 set_mem_alias_set (shadow_mem, asan_shadow_set);
1461 mem = gen_rtx_MEM (ptr_mode, base);
1462 mem = adjust_address (mem, VOIDmode, base_align_bias);
1463 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1464 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1465 if (use_after_return_class < 5
1466 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1467 BITS_PER_UNIT, true))
1468 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1469 BITS_PER_UNIT, true, 0);
1470 else if (use_after_return_class >= 5
1471 || !set_storage_via_setmem (shadow_mem,
1473 gen_int_mode (c, QImode),
1474 BITS_PER_UNIT, BITS_PER_UNIT,
1477 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1478 use_after_return_class);
1479 ret = init_one_libfunc (buf);
1480 rtx addr = convert_memory_address (ptr_mode, base);
1481 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1482 emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode,
1483 GEN_INT (asan_frame_size + base_align_bias),
1484 TYPE_MODE (pointer_sized_int_node),
1485 orig_addr, ptr_mode);
1487 lab = gen_label_rtx ();
1492 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1493 set_mem_alias_set (shadow_mem, asan_shadow_set);
1495 if (STRICT_ALIGNMENT)
1496 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1498 prev_offset = base_offset;
1499 last_offset = base_offset;
1501 for (l = length; l; l -= 2)
1503 offset = base_offset + ((offsets[l - 1] - base_offset)
1504 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1505 if (last_offset + last_size != offset)
1507 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1508 (last_offset - prev_offset)
1509 >> ASAN_SHADOW_SHIFT);
1510 prev_offset = last_offset;
1511 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1512 last_offset = offset;
1515 last_size += base_offset + ((offsets[l - 2] - base_offset)
1516 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1519 /* Unpoison shadow memory that corresponds to a variable that is
1520 is subject of use-after-return sanitization. */
1523 decl = decls[l / 2 - 2];
1524 if (asan_handled_variables != NULL
1525 && asan_handled_variables->contains (decl))
1527 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2];
1528 if (dump_file && (dump_flags & TDF_DETAILS))
1530 const char *n = (DECL_NAME (decl)
1531 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1533 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1534 "%s (%" PRId64 " B)\n", n, size);
1537 last_size += size & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1);
1543 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1544 (last_offset - prev_offset)
1545 >> ASAN_SHADOW_SHIFT);
1546 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1549 /* Clean-up set with instrumented stack variables. */
1550 delete asan_handled_variables;
1551 asan_handled_variables = NULL;
1552 delete asan_used_labels;
1553 asan_used_labels = NULL;
1555 do_pending_stack_adjust ();
1559 insns = get_insns ();
1564 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
1565 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
1566 indicates whether we're emitting new instructions sequence or not. */
1569 asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
1572 push_to_sequence (before);
1575 rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
1576 top = convert_memory_address (ptr_mode, top);
1577 bot = convert_memory_address (ptr_mode, bot);
1578 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1579 top, ptr_mode, bot, ptr_mode);
1581 do_pending_stack_adjust ();
1582 rtx_insn *insns = get_insns ();
1587 /* Return true if DECL, a global var, might be overridden and needs
1588 therefore a local alias. */
1591 asan_needs_local_alias (tree decl)
1593 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1596 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
1597 therefore doesn't need protection. */
1600 is_odr_indicator (tree decl)
1602 return (DECL_ARTIFICIAL (decl)
1603 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
1606 /* Return true if DECL is a VAR_DECL that should be protected
1607 by Address Sanitizer, by appending a red zone with protected
1608 shadow memory after it and aligning it to at least
1609 ASAN_RED_ZONE_SIZE bytes. */
1612 asan_protect_global (tree decl, bool ignore_decl_rtl_set_p)
1619 if (TREE_CODE (decl) == STRING_CST)
1621 /* Instrument all STRING_CSTs except those created
1622 by asan_pp_string here. */
1623 if (shadow_ptr_types[0] != NULL_TREE
1624 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1625 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1630 /* TLS vars aren't statically protectable. */
1631 || DECL_THREAD_LOCAL_P (decl)
1632 /* Externs will be protected elsewhere. */
1633 || DECL_EXTERNAL (decl)
1634 /* PR sanitizer/81697: For architectures that use section anchors first
1635 call to asan_protect_global may occur before DECL_RTL (decl) is set.
1636 We should ignore DECL_RTL_SET_P then, because otherwise the first call
1637 to asan_protect_global will return FALSE and the following calls on the
1638 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
1639 up with inconsistency at runtime. */
1640 || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p)
1641 /* Comdat vars pose an ABI problem, we can't know if
1642 the var that is selected by the linker will have
1644 || DECL_ONE_ONLY (decl)
1645 /* Similarly for common vars. People can use -fno-common.
1646 Note: Linux kernel is built with -fno-common, so we do instrument
1647 globals there even if it is C. */
1648 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1649 /* Don't protect if using user section, often vars placed
1650 into user section from multiple TUs are then assumed
1651 to be an array of such vars, putting padding in there
1652 breaks this assumption. */
1653 || (DECL_SECTION_NAME (decl) != NULL
1654 && !symtab_node::get (decl)->implicit_section
1655 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1656 || DECL_SIZE (decl) == 0
1657 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1658 || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST
1659 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1660 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1661 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
1662 || is_odr_indicator (decl))
1665 if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl))
1668 rtl = DECL_RTL (decl);
1669 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1671 symbol = XEXP (rtl, 0);
1673 if (CONSTANT_POOL_ADDRESS_P (symbol)
1674 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1678 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1681 if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl))
1687 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1688 IS_STORE is either 1 (for a store) or 0 (for a load). */
1691 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1694 static enum built_in_function report[2][2][6]
1695 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1696 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1697 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1698 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1699 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1700 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1701 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1702 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1703 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1704 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1705 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1706 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1707 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1708 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1709 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1710 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1711 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1712 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1713 if (size_in_bytes == -1)
1716 return builtin_decl_implicit (report[recover_p][is_store][5]);
1719 int size_log2 = exact_log2 (size_in_bytes);
1720 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1723 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1724 IS_STORE is either 1 (for a store) or 0 (for a load). */
1727 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1730 static enum built_in_function check[2][2][6]
1731 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1732 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1733 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1734 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1735 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1736 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1737 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1738 BUILT_IN_ASAN_LOAD2_NOABORT,
1739 BUILT_IN_ASAN_LOAD4_NOABORT,
1740 BUILT_IN_ASAN_LOAD8_NOABORT,
1741 BUILT_IN_ASAN_LOAD16_NOABORT,
1742 BUILT_IN_ASAN_LOADN_NOABORT },
1743 { BUILT_IN_ASAN_STORE1_NOABORT,
1744 BUILT_IN_ASAN_STORE2_NOABORT,
1745 BUILT_IN_ASAN_STORE4_NOABORT,
1746 BUILT_IN_ASAN_STORE8_NOABORT,
1747 BUILT_IN_ASAN_STORE16_NOABORT,
1748 BUILT_IN_ASAN_STOREN_NOABORT } } };
1749 if (size_in_bytes == -1)
1752 return builtin_decl_implicit (check[recover_p][is_store][5]);
1755 int size_log2 = exact_log2 (size_in_bytes);
1756 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1759 /* Split the current basic block and create a condition statement
1760 insertion point right before or after the statement pointed to by
1761 ITER. Return an iterator to the point at which the caller might
1762 safely insert the condition statement.
1764 THEN_BLOCK must be set to the address of an uninitialized instance
1765 of basic_block. The function will then set *THEN_BLOCK to the
1766 'then block' of the condition statement to be inserted by the
1769 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1770 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1772 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1773 block' of the condition statement to be inserted by the caller.
1775 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1776 statements starting from *ITER, and *THEN_BLOCK is a new empty
1779 *ITER is adjusted to point to always point to the first statement
1780 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1781 same as what ITER was pointing to prior to calling this function,
1782 if BEFORE_P is true; otherwise, it is its following statement. */
1784 gimple_stmt_iterator
1785 create_cond_insert_point (gimple_stmt_iterator *iter,
1787 bool then_more_likely_p,
1788 bool create_then_fallthru_edge,
1789 basic_block *then_block,
1790 basic_block *fallthrough_block)
1792 gimple_stmt_iterator gsi = *iter;
1794 if (!gsi_end_p (gsi) && before_p)
1797 basic_block cur_bb = gsi_bb (*iter);
1799 edge e = split_block (cur_bb, gsi_stmt (gsi));
1801 /* Get a hold on the 'condition block', the 'then block' and the
1803 basic_block cond_bb = e->src;
1804 basic_block fallthru_bb = e->dest;
1805 basic_block then_bb = create_empty_bb (cond_bb);
1808 add_bb_to_loop (then_bb, cond_bb->loop_father);
1809 loops_state_set (LOOPS_NEED_FIXUP);
1812 /* Set up the newly created 'then block'. */
1813 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1814 profile_probability fallthrough_probability
1815 = then_more_likely_p
1816 ? profile_probability::very_unlikely ()
1817 : profile_probability::very_likely ();
1818 e->probability = fallthrough_probability.invert ();
1819 then_bb->count = e->count ();
1820 if (create_then_fallthru_edge)
1821 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1823 /* Set up the fallthrough basic block. */
1824 e = find_edge (cond_bb, fallthru_bb);
1825 e->flags = EDGE_FALSE_VALUE;
1826 e->probability = fallthrough_probability;
1828 /* Update dominance info for the newly created then_bb; note that
1829 fallthru_bb's dominance info has already been updated by
1831 if (dom_info_available_p (CDI_DOMINATORS))
1832 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1834 *then_block = then_bb;
1835 *fallthrough_block = fallthru_bb;
1836 *iter = gsi_start_bb (fallthru_bb);
1838 return gsi_last_bb (cond_bb);
1841 /* Insert an if condition followed by a 'then block' right before the
1842 statement pointed to by ITER. The fallthrough block -- which is the
1843 else block of the condition as well as the destination of the
1844 outcoming edge of the 'then block' -- starts with the statement
1847 COND is the condition of the if.
1849 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1850 'then block' is higher than the probability of the edge to the
1853 Upon completion of the function, *THEN_BB is set to the newly
1854 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1857 *ITER is adjusted to still point to the same statement it was
1858 pointing to initially. */
1861 insert_if_then_before_iter (gcond *cond,
1862 gimple_stmt_iterator *iter,
1863 bool then_more_likely_p,
1864 basic_block *then_bb,
1865 basic_block *fallthrough_bb)
1867 gimple_stmt_iterator cond_insert_point =
1868 create_cond_insert_point (iter,
1871 /*create_then_fallthru_edge=*/true,
1874 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1877 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
1878 If RETURN_ADDRESS is set to true, return memory location instread
1879 of a value in the shadow memory. */
1882 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1883 tree base_addr, tree shadow_ptr_type,
1884 bool return_address = false)
1886 tree t, uintptr_type = TREE_TYPE (base_addr);
1887 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1890 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1891 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1893 gimple_set_location (g, location);
1894 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1896 t = build_int_cst (uintptr_type, asan_shadow_offset ());
1897 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1898 gimple_assign_lhs (g), t);
1899 gimple_set_location (g, location);
1900 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1902 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1903 gimple_assign_lhs (g));
1904 gimple_set_location (g, location);
1905 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1907 if (!return_address)
1909 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1910 build_int_cst (shadow_ptr_type, 0));
1911 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
1912 gimple_set_location (g, location);
1913 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1916 return gimple_assign_lhs (g);
1919 /* BASE can already be an SSA_NAME; in that case, do not create a
1920 new SSA_NAME for it. */
1923 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1926 if (TREE_CODE (base) == SSA_NAME)
1928 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
1929 TREE_CODE (base), base);
1930 gimple_set_location (g, loc);
1932 gsi_insert_before (iter, g, GSI_SAME_STMT);
1934 gsi_insert_after (iter, g, GSI_NEW_STMT);
1935 return gimple_assign_lhs (g);
1938 /* LEN can already have necessary size and precision;
1939 in that case, do not create a new variable. */
1942 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1945 if (ptrofftype_p (len))
1947 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1949 gimple_set_location (g, loc);
1951 gsi_insert_before (iter, g, GSI_SAME_STMT);
1953 gsi_insert_after (iter, g, GSI_NEW_STMT);
1954 return gimple_assign_lhs (g);
1957 /* Instrument the memory access instruction BASE. Insert new
1958 statements before or after ITER.
1960 Note that the memory access represented by BASE can be either an
1961 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1962 location. IS_STORE is TRUE for a store, FALSE for a load.
1963 BEFORE_P is TRUE for inserting the instrumentation code before
1964 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1965 for a scalar memory access and FALSE for memory region access.
1966 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1967 length. ALIGN tells alignment of accessed memory object.
1969 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1970 memory region have already been instrumented.
1972 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1973 statement it was pointing to prior to calling this function,
1974 otherwise, it points to the statement logically following it. */
1977 build_check_stmt (location_t loc, tree base, tree len,
1978 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
1979 bool is_non_zero_len, bool before_p, bool is_store,
1980 bool is_scalar_access, unsigned int align = 0)
1982 gimple_stmt_iterator gsi = *iter;
1985 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
1989 base = unshare_expr (base);
1990 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1994 len = unshare_expr (len);
1995 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1999 gcc_assert (size_in_bytes != -1);
2000 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
2003 if (size_in_bytes > 1)
2005 if ((size_in_bytes & (size_in_bytes - 1)) != 0
2006 || size_in_bytes > 16)
2007 is_scalar_access = false;
2008 else if (align && align < size_in_bytes * BITS_PER_UNIT)
2010 /* On non-strict alignment targets, if
2011 16-byte access is just 8-byte aligned,
2012 this will result in misaligned shadow
2013 memory 2 byte load, but otherwise can
2014 be handled using one read. */
2015 if (size_in_bytes != 16
2017 || align < 8 * BITS_PER_UNIT)
2018 is_scalar_access = false;
2022 HOST_WIDE_INT flags = 0;
2024 flags |= ASAN_CHECK_STORE;
2025 if (is_non_zero_len)
2026 flags |= ASAN_CHECK_NON_ZERO_LEN;
2027 if (is_scalar_access)
2028 flags |= ASAN_CHECK_SCALAR_ACCESS;
2030 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
2031 build_int_cst (integer_type_node, flags),
2033 build_int_cst (integer_type_node,
2034 align / BITS_PER_UNIT));
2035 gimple_set_location (g, loc);
2037 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
2040 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2046 /* If T represents a memory access, add instrumentation code before ITER.
2047 LOCATION is source code location.
2048 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2051 instrument_derefs (gimple_stmt_iterator *iter, tree t,
2052 location_t location, bool is_store)
2054 if (is_store && !ASAN_INSTRUMENT_WRITES)
2056 if (!is_store && !ASAN_INSTRUMENT_READS)
2060 HOST_WIDE_INT size_in_bytes;
2061 if (location == UNKNOWN_LOCATION)
2062 location = EXPR_LOCATION (t);
2064 type = TREE_TYPE (t);
2065 switch (TREE_CODE (t))
2079 size_in_bytes = int_size_in_bytes (type);
2080 if (size_in_bytes <= 0)
2083 poly_int64 bitsize, bitpos;
2086 int unsignedp, reversep, volatilep = 0;
2087 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
2088 &unsignedp, &reversep, &volatilep);
2090 if (TREE_CODE (t) == COMPONENT_REF
2091 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
2093 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2094 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
2095 TREE_OPERAND (t, 0), repr,
2096 TREE_OPERAND (t, 2)),
2097 location, is_store);
2101 if (!multiple_p (bitpos, BITS_PER_UNIT)
2102 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT))
2105 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
2108 poly_int64 decl_size;
2110 && offset == NULL_TREE
2111 && DECL_SIZE (inner)
2112 && poly_int_tree_p (DECL_SIZE (inner), &decl_size)
2113 && known_subrange_p (bitpos, bitsize, 0, decl_size))
2115 if (DECL_THREAD_LOCAL_P (inner))
2117 if (!ASAN_GLOBALS && is_global_var (inner))
2119 if (!TREE_STATIC (inner))
2121 /* Automatic vars in the current function will be always
2123 if (decl_function_context (inner) == current_function_decl
2124 && (!asan_sanitize_use_after_scope ()
2125 || !TREE_ADDRESSABLE (inner)))
2128 /* Always instrument external vars, they might be dynamically
2130 else if (!DECL_EXTERNAL (inner))
2132 /* For static vars if they are known not to be dynamically
2133 initialized, they will be always accessible. */
2134 varpool_node *vnode = varpool_node::get (inner);
2135 if (vnode && !vnode->dynamically_initialized)
2140 base = build_fold_addr_expr (t);
2141 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
2143 unsigned int align = get_object_alignment (t);
2144 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
2145 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
2146 is_store, /*is_scalar_access*/true, align);
2147 update_mem_ref_hash_table (base, size_in_bytes);
2148 update_mem_ref_hash_table (t, size_in_bytes);
2153 /* Insert a memory reference into the hash table if access length
2154 can be determined in compile time. */
2157 maybe_update_mem_ref_hash_table (tree base, tree len)
2159 if (!POINTER_TYPE_P (TREE_TYPE (base))
2160 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
2163 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2165 if (size_in_bytes != -1)
2166 update_mem_ref_hash_table (base, size_in_bytes);
2169 /* Instrument an access to a contiguous memory region that starts at
2170 the address pointed to by BASE, over a length of LEN (expressed in
2171 the sizeof (*BASE) bytes). ITER points to the instruction before
2172 which the instrumentation instructions must be inserted. LOCATION
2173 is the source location that the instrumentation instructions must
2174 have. If IS_STORE is true, then the memory access is a store;
2175 otherwise, it's a load. */
2178 instrument_mem_region_access (tree base, tree len,
2179 gimple_stmt_iterator *iter,
2180 location_t location, bool is_store)
2182 if (!POINTER_TYPE_P (TREE_TYPE (base))
2183 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
2184 || integer_zerop (len))
2187 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2189 if ((size_in_bytes == -1)
2190 || !has_mem_ref_been_instrumented (base, size_in_bytes))
2192 build_check_stmt (location, base, len, size_in_bytes, iter,
2193 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
2194 is_store, /*is_scalar_access*/false, /*align*/0);
2197 maybe_update_mem_ref_hash_table (base, len);
2198 *iter = gsi_for_stmt (gsi_stmt (*iter));
2201 /* Instrument the call to a built-in memory access function that is
2202 pointed to by the iterator ITER.
2204 Upon completion, return TRUE iff *ITER has been advanced to the
2205 statement following the one it was originally pointing to. */
2208 instrument_builtin_call (gimple_stmt_iterator *iter)
2210 if (!ASAN_MEMINTRIN)
2213 bool iter_advanced_p = false;
2214 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
2216 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
2218 location_t loc = gimple_location (call);
2220 asan_mem_ref src0, src1, dest;
2221 asan_mem_ref_init (&src0, NULL, 1);
2222 asan_mem_ref_init (&src1, NULL, 1);
2223 asan_mem_ref_init (&dest, NULL, 1);
2225 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2226 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2227 dest_is_deref = false, intercepted_p = true;
2229 if (get_mem_refs_of_builtin_call (call,
2230 &src0, &src0_len, &src0_is_store,
2231 &src1, &src1_len, &src1_is_store,
2232 &dest, &dest_len, &dest_is_store,
2233 &dest_is_deref, &intercepted_p, iter))
2237 instrument_derefs (iter, dest.start, loc, dest_is_store);
2239 iter_advanced_p = true;
2241 else if (!intercepted_p
2242 && (src0_len || src1_len || dest_len))
2244 if (src0.start != NULL_TREE)
2245 instrument_mem_region_access (src0.start, src0_len,
2246 iter, loc, /*is_store=*/false);
2247 if (src1.start != NULL_TREE)
2248 instrument_mem_region_access (src1.start, src1_len,
2249 iter, loc, /*is_store=*/false);
2250 if (dest.start != NULL_TREE)
2251 instrument_mem_region_access (dest.start, dest_len,
2252 iter, loc, /*is_store=*/true);
2254 *iter = gsi_for_stmt (call);
2256 iter_advanced_p = true;
2260 if (src0.start != NULL_TREE)
2261 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2262 if (src1.start != NULL_TREE)
2263 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2264 if (dest.start != NULL_TREE)
2265 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2268 return iter_advanced_p;
2271 /* Instrument the assignment statement ITER if it is subject to
2272 instrumentation. Return TRUE iff instrumentation actually
2273 happened. In that case, the iterator ITER is advanced to the next
2274 logical expression following the one initially pointed to by ITER,
2275 and the relevant memory reference that which access has been
2276 instrumented is added to the memory references hash table. */
2279 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2281 gimple *s = gsi_stmt (*iter);
2283 gcc_assert (gimple_assign_single_p (s));
2285 tree ref_expr = NULL_TREE;
2286 bool is_store, is_instrumented = false;
2288 if (gimple_store_p (s))
2290 ref_expr = gimple_assign_lhs (s);
2292 instrument_derefs (iter, ref_expr,
2293 gimple_location (s),
2295 is_instrumented = true;
2298 if (gimple_assign_load_p (s))
2300 ref_expr = gimple_assign_rhs1 (s);
2302 instrument_derefs (iter, ref_expr,
2303 gimple_location (s),
2305 is_instrumented = true;
2308 if (is_instrumented)
2311 return is_instrumented;
2314 /* Instrument the function call pointed to by the iterator ITER, if it
2315 is subject to instrumentation. At the moment, the only function
2316 calls that are instrumented are some built-in functions that access
2317 memory. Look at instrument_builtin_call to learn more.
2319 Upon completion return TRUE iff *ITER was advanced to the statement
2320 following the one it was originally pointing to. */
2323 maybe_instrument_call (gimple_stmt_iterator *iter)
2325 gimple *stmt = gsi_stmt (*iter);
2326 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2328 if (is_builtin && instrument_builtin_call (iter))
2331 if (gimple_call_noreturn_p (stmt))
2335 tree callee = gimple_call_fndecl (stmt);
2336 switch (DECL_FUNCTION_CODE (callee))
2338 case BUILT_IN_UNREACHABLE:
2340 /* Don't instrument these. */
2346 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2347 gimple *g = gimple_build_call (decl, 0);
2348 gimple_set_location (g, gimple_location (stmt));
2349 gsi_insert_before (iter, g, GSI_SAME_STMT);
2352 bool instrumented = false;
2353 if (gimple_store_p (stmt))
2355 tree ref_expr = gimple_call_lhs (stmt);
2356 instrument_derefs (iter, ref_expr,
2357 gimple_location (stmt),
2360 instrumented = true;
2363 /* Walk through gimple_call arguments and check them id needed. */
2364 unsigned args_num = gimple_call_num_args (stmt);
2365 for (unsigned i = 0; i < args_num; ++i)
2367 tree arg = gimple_call_arg (stmt, i);
2368 /* If ARG is not a non-aggregate register variable, compiler in general
2369 creates temporary for it and pass it as argument to gimple call.
2370 But in some cases, e.g. when we pass by value a small structure that
2371 fits to register, compiler can avoid extra overhead by pulling out
2372 these temporaries. In this case, we should check the argument. */
2373 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2375 instrument_derefs (iter, arg,
2376 gimple_location (stmt),
2377 /*is_store=*/false);
2378 instrumented = true;
2383 return instrumented;
2386 /* Walk each instruction of all basic block and instrument those that
2387 represent memory references: loads, stores, or function calls.
2388 In a given basic block, this function avoids instrumenting memory
2389 references that have already been instrumented. */
2392 transform_statements (void)
2394 basic_block bb, last_bb = NULL;
2395 gimple_stmt_iterator i;
2396 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2398 FOR_EACH_BB_FN (bb, cfun)
2400 basic_block prev_bb = bb;
2402 if (bb->index >= saved_last_basic_block) continue;
2404 /* Flush the mem ref hash table, if current bb doesn't have
2405 exactly one predecessor, or if that predecessor (skipping
2406 over asan created basic blocks) isn't the last processed
2407 basic block. Thus we effectively flush on extended basic
2408 block boundaries. */
2409 while (single_pred_p (prev_bb))
2411 prev_bb = single_pred (prev_bb);
2412 if (prev_bb->index < saved_last_basic_block)
2415 if (prev_bb != last_bb)
2416 empty_mem_ref_hash_table ();
2419 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2421 gimple *s = gsi_stmt (i);
2423 if (has_stmt_been_instrumented_p (s))
2425 else if (gimple_assign_single_p (s)
2426 && !gimple_clobber_p (s)
2427 && maybe_instrument_assignment (&i))
2428 /* Nothing to do as maybe_instrument_assignment advanced
2430 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2431 /* Nothing to do as maybe_instrument_call
2432 advanced the iterator I. */;
2435 /* No instrumentation happened.
2437 If the current instruction is a function call that
2438 might free something, let's forget about the memory
2439 references that got instrumented. Otherwise we might
2440 miss some instrumentation opportunities. Do the same
2441 for a ASAN_MARK poisoning internal function. */
2442 if (is_gimple_call (s)
2443 && (!nonfreeing_call_p (s)
2444 || asan_mark_p (s, ASAN_MARK_POISON)))
2445 empty_mem_ref_hash_table ();
2451 free_mem_ref_resources ();
2455 __asan_before_dynamic_init (module_name)
2457 __asan_after_dynamic_init ()
2461 asan_dynamic_init_call (bool after_p)
2463 if (shadow_ptr_types[0] == NULL_TREE)
2464 asan_init_shadow_ptr_types ();
2466 tree fn = builtin_decl_implicit (after_p
2467 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2468 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2469 tree module_name_cst = NULL_TREE;
2472 pretty_printer module_name_pp;
2473 pp_string (&module_name_pp, main_input_filename);
2475 module_name_cst = asan_pp_string (&module_name_pp);
2476 module_name_cst = fold_convert (const_ptr_type_node,
2480 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2484 struct __asan_global
2488 uptr __size_with_redzone;
2490 const void *__module_name;
2491 uptr __has_dynamic_init;
2492 __asan_global_source_location *__location;
2493 char *__odr_indicator;
2497 asan_global_struct (void)
2499 static const char *field_names[]
2500 = { "__beg", "__size", "__size_with_redzone",
2501 "__name", "__module_name", "__has_dynamic_init", "__location",
2502 "__odr_indicator" };
2503 tree fields[ARRAY_SIZE (field_names)], ret;
2506 ret = make_node (RECORD_TYPE);
2507 for (i = 0; i < ARRAY_SIZE (field_names); i++)
2510 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2511 get_identifier (field_names[i]),
2512 (i == 0 || i == 3) ? const_ptr_type_node
2513 : pointer_sized_int_node);
2514 DECL_CONTEXT (fields[i]) = ret;
2516 DECL_CHAIN (fields[i - 1]) = fields[i];
2518 tree type_decl = build_decl (input_location, TYPE_DECL,
2519 get_identifier ("__asan_global"), ret);
2520 DECL_IGNORED_P (type_decl) = 1;
2521 DECL_ARTIFICIAL (type_decl) = 1;
2522 TYPE_FIELDS (ret) = fields[0];
2523 TYPE_NAME (ret) = type_decl;
2524 TYPE_STUB_DECL (ret) = type_decl;
2529 /* Create and return odr indicator symbol for DECL.
2530 TYPE is __asan_global struct type as returned by asan_global_struct. */
2533 create_odr_indicator (tree decl, tree type)
2536 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2538 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
2539 : DECL_NAME (decl));
2540 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
2541 if (decl_name == NULL_TREE)
2542 return build_int_cst (uptr, 0);
2543 const char *dname = IDENTIFIER_POINTER (decl_name);
2544 if (HAS_DECL_ASSEMBLER_NAME_P (decl))
2545 dname = targetm.strip_name_encoding (dname);
2546 size_t len = strlen (dname) + sizeof ("__odr_asan_");
2547 name = XALLOCAVEC (char, len);
2548 snprintf (name, len, "__odr_asan_%s", dname);
2549 #ifndef NO_DOT_IN_LABEL
2550 name[sizeof ("__odr_asan") - 1] = '.';
2551 #elif !defined(NO_DOLLAR_IN_LABEL)
2552 name[sizeof ("__odr_asan") - 1] = '$';
2554 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
2556 TREE_ADDRESSABLE (var) = 1;
2557 TREE_READONLY (var) = 0;
2558 TREE_THIS_VOLATILE (var) = 1;
2559 DECL_GIMPLE_REG_P (var) = 0;
2560 DECL_ARTIFICIAL (var) = 1;
2561 DECL_IGNORED_P (var) = 1;
2562 TREE_STATIC (var) = 1;
2563 TREE_PUBLIC (var) = 1;
2564 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
2565 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
2567 TREE_USED (var) = 1;
2568 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
2569 build_int_cst (unsigned_type_node, 0));
2570 TREE_CONSTANT (ctor) = 1;
2571 TREE_STATIC (ctor) = 1;
2572 DECL_INITIAL (var) = ctor;
2573 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
2574 NULL, DECL_ATTRIBUTES (var));
2575 make_decl_rtl (var);
2576 varpool_node::finalize_decl (var);
2577 return fold_convert (uptr, build_fold_addr_expr (var));
2580 /* Return true if DECL, a global var, might be overridden and needs
2581 an additional odr indicator symbol. */
2584 asan_needs_odr_indicator_p (tree decl)
2586 /* Don't emit ODR indicators for kernel because:
2587 a) Kernel is written in C thus doesn't need ODR indicators.
2588 b) Some kernel code may have assumptions about symbols containing specific
2589 patterns in their names. Since ODR indicators contain original names
2590 of symbols they are emitted for, these assumptions would be broken for
2591 ODR indicator symbols. */
2592 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
2593 && !DECL_ARTIFICIAL (decl)
2594 && !DECL_WEAK (decl)
2595 && TREE_PUBLIC (decl));
2598 /* Append description of a single global DECL into vector V.
2599 TYPE is __asan_global struct type as returned by asan_global_struct. */
2602 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2604 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2605 unsigned HOST_WIDE_INT size;
2606 tree str_cst, module_name_cst, refdecl = decl;
2607 vec<constructor_elt, va_gc> *vinner = NULL;
2609 pretty_printer asan_pp, module_name_pp;
2611 if (DECL_NAME (decl))
2612 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2614 pp_string (&asan_pp, "<unknown>");
2615 str_cst = asan_pp_string (&asan_pp);
2617 pp_string (&module_name_pp, main_input_filename);
2618 module_name_cst = asan_pp_string (&module_name_pp);
2620 if (asan_needs_local_alias (decl))
2623 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2624 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2625 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2626 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2627 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2628 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2629 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2630 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2631 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2632 TREE_STATIC (refdecl) = 1;
2633 TREE_PUBLIC (refdecl) = 0;
2634 TREE_USED (refdecl) = 1;
2635 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2638 tree odr_indicator_ptr
2639 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
2640 : build_int_cst (uptr, 0));
2641 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2642 fold_convert (const_ptr_type_node,
2643 build_fold_addr_expr (refdecl)));
2644 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2645 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2646 size += asan_red_zone_size (size);
2647 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2648 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2649 fold_convert (const_ptr_type_node, str_cst));
2650 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2651 fold_convert (const_ptr_type_node, module_name_cst));
2652 varpool_node *vnode = varpool_node::get (decl);
2653 int has_dynamic_init = 0;
2654 /* FIXME: Enable initialization order fiasco detection in LTO mode once
2655 proper fix for PR 79061 will be applied. */
2657 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2658 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2659 build_int_cst (uptr, has_dynamic_init));
2660 tree locptr = NULL_TREE;
2661 location_t loc = DECL_SOURCE_LOCATION (decl);
2662 expanded_location xloc = expand_location (loc);
2663 if (xloc.file != NULL)
2665 static int lasanloccnt = 0;
2667 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2668 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2669 ubsan_get_source_location_type ());
2670 TREE_STATIC (var) = 1;
2671 TREE_PUBLIC (var) = 0;
2672 DECL_ARTIFICIAL (var) = 1;
2673 DECL_IGNORED_P (var) = 1;
2674 pretty_printer filename_pp;
2675 pp_string (&filename_pp, xloc.file);
2676 tree str = asan_pp_string (&filename_pp);
2677 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2678 NULL_TREE, str, NULL_TREE,
2679 build_int_cst (unsigned_type_node,
2680 xloc.line), NULL_TREE,
2681 build_int_cst (unsigned_type_node,
2683 TREE_CONSTANT (ctor) = 1;
2684 TREE_STATIC (ctor) = 1;
2685 DECL_INITIAL (var) = ctor;
2686 varpool_node::finalize_decl (var);
2687 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2690 locptr = build_int_cst (uptr, 0);
2691 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2692 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
2693 init = build_constructor (type, vinner);
2694 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2697 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2699 initialize_sanitizer_builtins (void)
2703 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2706 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2708 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2709 tree BT_FN_VOID_CONST_PTR
2710 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2711 tree BT_FN_VOID_PTR_PTR
2712 = build_function_type_list (void_type_node, ptr_type_node,
2713 ptr_type_node, NULL_TREE);
2714 tree BT_FN_VOID_PTR_PTR_PTR
2715 = build_function_type_list (void_type_node, ptr_type_node,
2716 ptr_type_node, ptr_type_node, NULL_TREE);
2717 tree BT_FN_VOID_PTR_PTRMODE
2718 = build_function_type_list (void_type_node, ptr_type_node,
2719 pointer_sized_int_node, NULL_TREE);
2721 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2722 tree BT_FN_SIZE_CONST_PTR_INT
2723 = build_function_type_list (size_type_node, const_ptr_type_node,
2724 integer_type_node, NULL_TREE);
2726 tree BT_FN_VOID_UINT8_UINT8
2727 = build_function_type_list (void_type_node, unsigned_char_type_node,
2728 unsigned_char_type_node, NULL_TREE);
2729 tree BT_FN_VOID_UINT16_UINT16
2730 = build_function_type_list (void_type_node, uint16_type_node,
2731 uint16_type_node, NULL_TREE);
2732 tree BT_FN_VOID_UINT32_UINT32
2733 = build_function_type_list (void_type_node, uint32_type_node,
2734 uint32_type_node, NULL_TREE);
2735 tree BT_FN_VOID_UINT64_UINT64
2736 = build_function_type_list (void_type_node, uint64_type_node,
2737 uint64_type_node, NULL_TREE);
2738 tree BT_FN_VOID_FLOAT_FLOAT
2739 = build_function_type_list (void_type_node, float_type_node,
2740 float_type_node, NULL_TREE);
2741 tree BT_FN_VOID_DOUBLE_DOUBLE
2742 = build_function_type_list (void_type_node, double_type_node,
2743 double_type_node, NULL_TREE);
2744 tree BT_FN_VOID_UINT64_PTR
2745 = build_function_type_list (void_type_node, uint64_type_node,
2746 ptr_type_node, NULL_TREE);
2748 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2749 tree BT_FN_IX_CONST_VPTR_INT[5];
2750 tree BT_FN_IX_VPTR_IX_INT[5];
2751 tree BT_FN_VOID_VPTR_IX_INT[5];
2753 = build_pointer_type (build_qualified_type (void_type_node,
2754 TYPE_QUAL_VOLATILE));
2756 = build_pointer_type (build_qualified_type (void_type_node,
2760 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2762 for (i = 0; i < 5; i++)
2764 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2765 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2766 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2767 integer_type_node, integer_type_node,
2769 BT_FN_IX_CONST_VPTR_INT[i]
2770 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2771 BT_FN_IX_VPTR_IX_INT[i]
2772 = build_function_type_list (ix, vptr, ix, integer_type_node,
2774 BT_FN_VOID_VPTR_IX_INT[i]
2775 = build_function_type_list (void_type_node, vptr, ix,
2776 integer_type_node, NULL_TREE);
2778 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2779 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2780 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2781 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2782 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2783 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2784 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2785 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2786 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2787 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2788 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2789 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2790 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2791 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2792 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2793 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2794 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2795 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2796 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2797 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2798 #undef ATTR_NOTHROW_LEAF_LIST
2799 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2800 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2801 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2802 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2803 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2804 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2805 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2806 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2807 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2808 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2809 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2810 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2811 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2812 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2813 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2814 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2815 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2816 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2817 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2818 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2819 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2820 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2821 #undef DEF_BUILTIN_STUB
2822 #define DEF_BUILTIN_STUB(ENUM, NAME)
2823 #undef DEF_SANITIZER_BUILTIN_1
2824 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
2826 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2827 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2828 set_call_expr_flags (decl, ATTRS); \
2829 set_builtin_decl (ENUM, decl, true); \
2831 #undef DEF_SANITIZER_BUILTIN
2832 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2833 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
2835 #include "sanitizer.def"
2837 /* -fsanitize=object-size uses __builtin_object_size, but that might
2838 not be available for e.g. Fortran at this point. We use
2839 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2840 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2841 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2842 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size",
2843 BT_FN_SIZE_CONST_PTR_INT,
2844 ATTR_PURE_NOTHROW_LEAF_LIST);
2846 #undef DEF_SANITIZER_BUILTIN_1
2847 #undef DEF_SANITIZER_BUILTIN
2848 #undef DEF_BUILTIN_STUB
2851 /* Called via htab_traverse. Count number of emitted
2852 STRING_CSTs in the constant hash table. */
2855 count_string_csts (constant_descriptor_tree **slot,
2856 unsigned HOST_WIDE_INT *data)
2858 struct constant_descriptor_tree *desc = *slot;
2859 if (TREE_CODE (desc->value) == STRING_CST
2860 && TREE_ASM_WRITTEN (desc->value)
2861 && asan_protect_global (desc->value))
2866 /* Helper structure to pass two parameters to
2869 struct asan_add_string_csts_data
2872 vec<constructor_elt, va_gc> *v;
2875 /* Called via hash_table::traverse. Call asan_add_global
2876 on emitted STRING_CSTs from the constant hash table. */
2879 add_string_csts (constant_descriptor_tree **slot,
2880 asan_add_string_csts_data *aascd)
2882 struct constant_descriptor_tree *desc = *slot;
2883 if (TREE_CODE (desc->value) == STRING_CST
2884 && TREE_ASM_WRITTEN (desc->value)
2885 && asan_protect_global (desc->value))
2887 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2888 aascd->type, aascd->v);
2893 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2894 invoke ggc_collect. */
2895 static GTY(()) tree asan_ctor_statements;
2897 /* Module-level instrumentation.
2898 - Insert __asan_init_vN() into the list of CTORs.
2899 - TODO: insert redzones around globals.
2903 asan_finish_file (void)
2905 varpool_node *vnode;
2906 unsigned HOST_WIDE_INT gcount = 0;
2908 if (shadow_ptr_types[0] == NULL_TREE)
2909 asan_init_shadow_ptr_types ();
2910 /* Avoid instrumenting code in the asan ctors/dtors.
2911 We don't need to insert padding after the description strings,
2912 nor after .LASAN* array. */
2913 flag_sanitize &= ~SANITIZE_ADDRESS;
2915 /* For user-space we want asan constructors to run first.
2916 Linux kernel does not support priorities other than default, and the only
2917 other user of constructors is coverage. So we run with the default
2919 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2920 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2922 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2924 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2925 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2926 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
2927 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2929 FOR_EACH_DEFINED_VARIABLE (vnode)
2930 if (TREE_ASM_WRITTEN (vnode->decl)
2931 && asan_protect_global (vnode->decl))
2933 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2934 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2938 tree type = asan_global_struct (), var, ctor;
2939 tree dtor_statements = NULL_TREE;
2940 vec<constructor_elt, va_gc> *v;
2943 type = build_array_type_nelts (type, gcount);
2944 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2945 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2947 TREE_STATIC (var) = 1;
2948 TREE_PUBLIC (var) = 0;
2949 DECL_ARTIFICIAL (var) = 1;
2950 DECL_IGNORED_P (var) = 1;
2951 vec_alloc (v, gcount);
2952 FOR_EACH_DEFINED_VARIABLE (vnode)
2953 if (TREE_ASM_WRITTEN (vnode->decl)
2954 && asan_protect_global (vnode->decl))
2955 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2956 struct asan_add_string_csts_data aascd;
2957 aascd.type = TREE_TYPE (type);
2959 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2961 ctor = build_constructor (type, v);
2962 TREE_CONSTANT (ctor) = 1;
2963 TREE_STATIC (ctor) = 1;
2964 DECL_INITIAL (var) = ctor;
2965 SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var),
2966 ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT));
2968 varpool_node::finalize_decl (var);
2970 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2971 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2972 append_to_statement_list (build_call_expr (fn, 2,
2973 build_fold_addr_expr (var),
2975 &asan_ctor_statements);
2977 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2978 append_to_statement_list (build_call_expr (fn, 2,
2979 build_fold_addr_expr (var),
2982 cgraph_build_static_cdtor ('D', dtor_statements, priority);
2984 if (asan_ctor_statements)
2985 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
2986 flag_sanitize |= SANITIZE_ADDRESS;
2989 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
2990 on SHADOW address. Newly added statements will be added to ITER with
2991 given location LOC. We mark SIZE bytes in shadow memory, where
2992 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
2993 end of a variable. */
2996 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
2998 unsigned HOST_WIDE_INT base_addr_offset,
2999 bool is_clobber, unsigned size,
3000 unsigned last_chunk_size)
3002 tree shadow_ptr_type;
3007 shadow_ptr_type = shadow_ptr_types[0];
3010 shadow_ptr_type = shadow_ptr_types[1];
3013 shadow_ptr_type = shadow_ptr_types[2];
3019 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
3020 unsigned HOST_WIDE_INT val = 0;
3021 unsigned last_pos = size;
3022 if (last_chunk_size && !is_clobber)
3023 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
3024 for (unsigned i = 0; i < size; ++i)
3026 unsigned char shadow_c = c;
3028 shadow_c = last_chunk_size;
3029 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
3032 /* Handle last chunk in unpoisoning. */
3033 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
3035 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
3036 build_int_cst (shadow_ptr_type, base_addr_offset));
3038 gimple *g = gimple_build_assign (dest, magic);
3039 gimple_set_location (g, loc);
3040 gsi_insert_after (iter, g, GSI_NEW_STMT);
3043 /* Expand the ASAN_MARK builtins. */
3046 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
3048 gimple *g = gsi_stmt (*iter);
3049 location_t loc = gimple_location (g);
3050 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
3051 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
3053 tree base = gimple_call_arg (g, 1);
3054 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
3055 tree decl = TREE_OPERAND (base, 0);
3057 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3058 if (TREE_CODE (decl) == COMPONENT_REF
3059 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
3060 decl = TREE_OPERAND (decl, 0);
3062 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
3066 if (asan_handled_variables == NULL)
3067 asan_handled_variables = new hash_set<tree> (16);
3068 asan_handled_variables->add (decl);
3070 tree len = gimple_call_arg (g, 2);
3072 gcc_assert (tree_fits_shwi_p (len));
3073 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
3074 gcc_assert (size_in_bytes);
3076 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3078 gimple_set_location (g, loc);
3079 gsi_replace (iter, g, false);
3080 tree base_addr = gimple_assign_lhs (g);
3082 /* Generate direct emission if size_in_bytes is small. */
3083 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
3085 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
3087 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
3088 shadow_ptr_types[0], true);
3090 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
3093 if (shadow_size - offset >= 4)
3095 else if (shadow_size - offset >= 2)
3098 unsigned HOST_WIDE_INT last_chunk_size = 0;
3099 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
3100 if (s > size_in_bytes)
3101 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
3103 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
3104 size, last_chunk_size);
3110 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3112 gimple_set_location (g, loc);
3113 gsi_insert_before (iter, g, GSI_SAME_STMT);
3114 tree sz_arg = gimple_assign_lhs (g);
3117 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
3118 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
3119 g = gimple_build_call (fun, 2, base_addr, sz_arg);
3120 gimple_set_location (g, loc);
3121 gsi_insert_after (iter, g, GSI_NEW_STMT);
3127 /* Expand the ASAN_{LOAD,STORE} builtins. */
3130 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
3132 gimple *g = gsi_stmt (*iter);
3133 location_t loc = gimple_location (g);
3135 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3136 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3138 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3140 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
3141 gcc_assert (flags < ASAN_CHECK_LAST);
3142 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
3143 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
3144 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
3146 tree base = gimple_call_arg (g, 1);
3147 tree len = gimple_call_arg (g, 2);
3148 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
3150 HOST_WIDE_INT size_in_bytes
3151 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
3155 /* Instrument using callbacks. */
3156 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3158 gimple_set_location (g, loc);
3159 gsi_insert_before (iter, g, GSI_SAME_STMT);
3160 tree base_addr = gimple_assign_lhs (g);
3163 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
3165 g = gimple_build_call (fun, 1, base_addr);
3168 gcc_assert (nargs == 2);
3169 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3171 gimple_set_location (g, loc);
3172 gsi_insert_before (iter, g, GSI_SAME_STMT);
3173 tree sz_arg = gimple_assign_lhs (g);
3174 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
3176 gimple_set_location (g, loc);
3177 gsi_replace (iter, g, false);
3181 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
3183 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
3184 tree shadow_type = TREE_TYPE (shadow_ptr_type);
3186 gimple_stmt_iterator gsi = *iter;
3188 if (!is_non_zero_len)
3190 /* So, the length of the memory area to asan-protect is
3191 non-constant. Let's guard the generated instrumentation code
3196 //asan instrumentation code goes here.
3198 // falltrough instructions, starting with *ITER. */
3200 g = gimple_build_cond (NE_EXPR,
3202 build_int_cst (TREE_TYPE (len), 0),
3203 NULL_TREE, NULL_TREE);
3204 gimple_set_location (g, loc);
3206 basic_block then_bb, fallthrough_bb;
3207 insert_if_then_before_iter (as_a <gcond *> (g), iter,
3208 /*then_more_likely_p=*/true,
3209 &then_bb, &fallthrough_bb);
3210 /* Note that fallthrough_bb starts with the statement that was
3211 pointed to by ITER. */
3213 /* The 'then block' of the 'if (len != 0) condition is where
3214 we'll generate the asan instrumentation code now. */
3215 gsi = gsi_last_bb (then_bb);
3218 /* Get an iterator on the point where we can add the condition
3219 statement for the instrumentation. */
3220 basic_block then_bb, else_bb;
3221 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
3222 /*then_more_likely_p=*/false,
3223 /*create_then_fallthru_edge*/recover_p,
3227 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3229 gimple_set_location (g, loc);
3230 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
3231 tree base_addr = gimple_assign_lhs (g);
3234 if (real_size_in_bytes >= 8)
3236 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3242 /* Slow path for 1, 2 and 4 byte accesses. */
3243 /* Test (shadow != 0)
3244 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3245 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3247 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3248 gimple_seq seq = NULL;
3249 gimple_seq_add_stmt (&seq, shadow_test);
3250 /* Aligned (>= 8 bytes) can test just
3251 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3255 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3257 gimple_seq_add_stmt (&seq,
3258 build_type_cast (shadow_type,
3259 gimple_seq_last (seq)));
3260 if (real_size_in_bytes > 1)
3261 gimple_seq_add_stmt (&seq,
3262 build_assign (PLUS_EXPR,
3263 gimple_seq_last (seq),
3264 real_size_in_bytes - 1));
3265 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
3268 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
3269 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
3270 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3271 gimple_seq_last (seq)));
3272 t = gimple_assign_lhs (gimple_seq_last (seq));
3273 gimple_seq_set_location (seq, loc);
3274 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3276 /* For non-constant, misaligned or otherwise weird access sizes,
3277 check first and last byte. */
3278 if (size_in_bytes == -1)
3280 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3282 build_int_cst (pointer_sized_int_node, 1));
3283 gimple_set_location (g, loc);
3284 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3285 tree last = gimple_assign_lhs (g);
3286 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3287 PLUS_EXPR, base_addr, last);
3288 gimple_set_location (g, loc);
3289 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3290 tree base_end_addr = gimple_assign_lhs (g);
3292 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3294 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3295 gimple_seq seq = NULL;
3296 gimple_seq_add_stmt (&seq, shadow_test);
3297 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3299 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3300 gimple_seq_last (seq)));
3301 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3302 gimple_seq_last (seq),
3304 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3305 gimple_seq_last (seq)));
3306 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3307 gimple_seq_last (seq)));
3308 t = gimple_assign_lhs (gimple_seq_last (seq));
3309 gimple_seq_set_location (seq, loc);
3310 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3314 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3315 NULL_TREE, NULL_TREE);
3316 gimple_set_location (g, loc);
3317 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3319 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3320 gsi = gsi_start_bb (then_bb);
3322 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3323 g = gimple_build_call (fun, nargs, base_addr, len);
3324 gimple_set_location (g, loc);
3325 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3327 gsi_remove (iter, true);
3328 *iter = gsi_start_bb (else_bb);
3333 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
3334 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
3337 create_asan_shadow_var (tree var_decl,
3338 hash_map<tree, tree> &shadow_vars_mapping)
3340 tree *slot = shadow_vars_mapping.get (var_decl);
3343 tree shadow_var = copy_node (var_decl);
3346 memset (&id, 0, sizeof (copy_body_data));
3347 id.src_fn = id.dst_fn = current_function_decl;
3348 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
3350 DECL_ARTIFICIAL (shadow_var) = 1;
3351 DECL_IGNORED_P (shadow_var) = 1;
3352 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
3353 gimple_add_tmp_var (shadow_var);
3355 shadow_vars_mapping.put (var_decl, shadow_var);
3362 /* Expand ASAN_POISON ifn. */
3365 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
3366 bool *need_commit_edge_insert,
3367 hash_map<tree, tree> &shadow_vars_mapping)
3369 gimple *g = gsi_stmt (*iter);
3370 tree poisoned_var = gimple_call_lhs (g);
3371 if (!poisoned_var || has_zero_uses (poisoned_var))
3373 gsi_remove (iter, true);
3377 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
3378 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
3379 create_tmp_var (TREE_TYPE (poisoned_var)));
3381 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
3382 shadow_vars_mapping);
3385 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3386 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3388 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3389 tree size = DECL_SIZE_UNIT (shadow_var);
3391 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
3392 build_int_cst (integer_type_node,
3394 build_fold_addr_expr (shadow_var), size);
3397 imm_use_iterator imm_iter;
3398 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
3400 if (is_gimple_debug (use))
3404 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
3405 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
3408 gcall *call = gimple_build_call (fun, 1,
3409 build_fold_addr_expr (shadow_var));
3410 gimple_set_location (call, gimple_location (use));
3411 gimple *call_to_insert = call;
3413 /* The USE can be a gimple PHI node. If so, insert the call on
3414 all edges leading to the PHI node. */
3415 if (is_a <gphi *> (use))
3417 gphi *phi = dyn_cast<gphi *> (use);
3418 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
3419 if (gimple_phi_arg_def (phi, i) == poisoned_var)
3421 edge e = gimple_phi_arg_edge (phi, i);
3423 /* Do not insert on an edge we can't split. */
3424 if (e->flags & EDGE_ABNORMAL)
3427 if (call_to_insert == NULL)
3428 call_to_insert = gimple_copy (call);
3430 gsi_insert_seq_on_edge (e, call_to_insert);
3431 *need_commit_edge_insert = true;
3432 call_to_insert = NULL;
3437 gimple_stmt_iterator gsi = gsi_for_stmt (use);
3439 gsi_replace (&gsi, call, true);
3441 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
3445 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
3446 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
3447 gsi_replace (iter, poison_call, false);
3452 /* Instrument the current function. */
3455 asan_instrument (void)
3457 if (shadow_ptr_types[0] == NULL_TREE)
3458 asan_init_shadow_ptr_types ();
3459 transform_statements ();
3460 last_alloca_addr = NULL_TREE;
3467 return sanitize_flags_p (SANITIZE_ADDRESS);
3472 const pass_data pass_data_asan =
3474 GIMPLE_PASS, /* type */
3476 OPTGROUP_NONE, /* optinfo_flags */
3477 TV_NONE, /* tv_id */
3478 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3479 0, /* properties_provided */
3480 0, /* properties_destroyed */
3481 0, /* todo_flags_start */
3482 TODO_update_ssa, /* todo_flags_finish */
3485 class pass_asan : public gimple_opt_pass
3488 pass_asan (gcc::context *ctxt)
3489 : gimple_opt_pass (pass_data_asan, ctxt)
3492 /* opt_pass methods: */
3493 opt_pass * clone () { return new pass_asan (m_ctxt); }
3494 virtual bool gate (function *) { return gate_asan (); }
3495 virtual unsigned int execute (function *) { return asan_instrument (); }
3497 }; // class pass_asan
3502 make_pass_asan (gcc::context *ctxt)
3504 return new pass_asan (ctxt);
3509 const pass_data pass_data_asan_O0 =
3511 GIMPLE_PASS, /* type */
3513 OPTGROUP_NONE, /* optinfo_flags */
3514 TV_NONE, /* tv_id */
3515 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3516 0, /* properties_provided */
3517 0, /* properties_destroyed */
3518 0, /* todo_flags_start */
3519 TODO_update_ssa, /* todo_flags_finish */
3522 class pass_asan_O0 : public gimple_opt_pass
3525 pass_asan_O0 (gcc::context *ctxt)
3526 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3529 /* opt_pass methods: */
3530 virtual bool gate (function *) { return !optimize && gate_asan (); }
3531 virtual unsigned int execute (function *) { return asan_instrument (); }
3533 }; // class pass_asan_O0
3538 make_pass_asan_O0 (gcc::context *ctxt)
3540 return new pass_asan_O0 (ctxt);
3543 #include "gt-asan.h"
projects / dragonfly.git / blob