1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2015 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
24 #include "coretypes.h"
28 #include "double-int.h"
36 #include "fold-const.h"
37 #include "hash-table.h"
40 #include "hard-reg-set.h"
42 #include "dominance.h"
45 #include "basic-block.h"
46 #include "tree-ssa-alias.h"
47 #include "internal-fn.h"
48 #include "gimple-expr.h"
52 #include "gimple-iterator.h"
55 #include "stor-layout.h"
56 #include "tree-iterator.h"
58 #include "plugin-api.h"
61 #include "stringpool.h"
62 #include "tree-ssanames.h"
63 #include "tree-pass.h"
65 #include "gimple-pretty-print.h"
70 #include "statistics.h"
72 #include "fixed-value.h"
73 #include "insn-config.h"
80 #include "insn-codes.h"
84 #include "langhooks.h"
85 #include "alloc-pool.h"
87 #include "gimple-builder.h"
92 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
93 with <2x slowdown on average.
95 The tool consists of two parts:
96 instrumentation module (this file) and a run-time library.
97 The instrumentation module adds a run-time check before every memory insn.
98 For a 8- or 16- byte load accessing address X:
99 ShadowAddr = (X >> 3) + Offset
100 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
102 __asan_report_load8(X);
103 For a load of N bytes (N=1, 2 or 4) from address X:
104 ShadowAddr = (X >> 3) + Offset
105 ShadowValue = *(char*)ShadowAddr;
107 if ((X & 7) + N - 1 > ShadowValue)
108 __asan_report_loadN(X);
109 Stores are instrumented similarly, but using __asan_report_storeN functions.
110 A call too __asan_init_vN() is inserted to the list of module CTORs.
111 N is the version number of the AddressSanitizer API. The changes between the
112 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
114 The run-time library redefines malloc (so that redzone are inserted around
115 the allocated memory) and free (so that reuse of free-ed memory is delayed),
116 provides __asan_report* and __asan_init_vN functions.
119 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
121 The current implementation supports detection of out-of-bounds and
122 use-after-free in the heap, on the stack and for global variables.
124 [Protection of stack variables]
126 To understand how detection of out-of-bounds and use-after-free works
127 for stack variables, lets look at this example on x86_64 where the
128 stack grows downward:
142 For this function, the stack protected by asan will be organized as
143 follows, from the top of the stack to the bottom:
145 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
147 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
148 the next slot be 32 bytes aligned; this one is called Partial
149 Redzone; this 32 bytes alignment is an asan constraint]
151 Slot 3/ [24 bytes for variable 'a']
153 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
155 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
157 Slot 6/ [8 bytes for variable 'b']
159 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
162 The 32 bytes of LEFT red zone at the bottom of the stack can be
165 1/ The first 8 bytes contain a magical asan number that is always
168 2/ The following 8 bytes contains a pointer to a string (to be
169 parsed at runtime by the runtime asan library), which format is
172 "<function-name> <space> <num-of-variables-on-the-stack>
173 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
174 <length-of-var-in-bytes> ){n} "
176 where '(...){n}' means the content inside the parenthesis occurs 'n'
177 times, with 'n' being the number of variables on the stack.
179 3/ The following 8 bytes contain the PC of the current function which
180 will be used by the run-time library to print an error message.
182 4/ The following 8 bytes are reserved for internal use by the run-time.
184 The shadow memory for that stack layout is going to look like this:
186 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
187 The F1 byte pattern is a magic number called
188 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
189 the memory for that shadow byte is part of a the LEFT red zone
190 intended to seat at the bottom of the variables on the stack.
192 - content of shadow memory 8 bytes for slots 6 and 5:
193 0xF4F4F400. The F4 byte pattern is a magic number
194 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
195 memory region for this shadow byte is a PARTIAL red zone
196 intended to pad a variable A, so that the slot following
197 {A,padding} is 32 bytes aligned.
199 Note that the fact that the least significant byte of this
200 shadow memory content is 00 means that 8 bytes of its
201 corresponding memory (which corresponds to the memory of
202 variable 'b') is addressable.
204 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
205 The F2 byte pattern is a magic number called
206 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
207 region for this shadow byte is a MIDDLE red zone intended to
208 seat between two 32 aligned slots of {variable,padding}.
210 - content of shadow memory 8 bytes for slot 3 and 2:
211 0xF4000000. This represents is the concatenation of
212 variable 'a' and the partial red zone following it, like what we
213 had for variable 'b'. The least significant 3 bytes being 00
214 means that the 3 bytes of variable 'a' are addressable.
216 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
217 The F3 byte pattern is a magic number called
218 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
219 region for this shadow byte is a RIGHT red zone intended to seat
220 at the top of the variables of the stack.
222 Note that the real variable layout is done in expand_used_vars in
223 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
224 stack variables as well as the different red zones, emits some
225 prologue code to populate the shadow memory as to poison (mark as
226 non-accessible) the regions of the red zones and mark the regions of
227 stack variables as accessible, and emit some epilogue code to
228 un-poison (mark as accessible) the regions of red zones right before
231 [Protection of global variables]
233 The basic idea is to insert a red zone between two global variables
234 and install a constructor function that calls the asan runtime to do
235 the populating of the relevant shadow memory regions at load time.
237 So the global variables are laid out as to insert a red zone between
238 them. The size of the red zones is so that each variable starts on a
241 Then a constructor function is installed so that, for each global
242 variable, it calls the runtime asan library function
243 __asan_register_globals_with an instance of this type:
247 // Address of the beginning of the global variable.
250 // Initial size of the global variable.
253 // Size of the global variable + size of the red zone. This
254 // size is 32 bytes aligned.
255 uptr __size_with_redzone;
257 // Name of the global variable.
260 // Name of the module where the global variable is declared.
261 const void *__module_name;
263 // 1 if it has dynamic initialization, 0 otherwise.
264 uptr __has_dynamic_init;
266 // A pointer to struct that contains source location, could be NULL.
267 __asan_global_source_location *__location;
270 A destructor function that calls the runtime asan library function
271 _asan_unregister_globals is also installed. */
273 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
274 static bool asan_shadow_offset_computed;
276 /* Sets shadow offset to value in string VAL. */
279 set_asan_shadow_offset (const char *val)
284 #ifdef HAVE_LONG_LONG
285 asan_shadow_offset_value = strtoull (val, &endp, 0);
287 asan_shadow_offset_value = strtoul (val, &endp, 0);
289 if (!(*val != '\0' && *endp == '\0' && errno == 0))
292 asan_shadow_offset_computed = true;
297 /* Returns Asan shadow offset. */
299 static unsigned HOST_WIDE_INT
300 asan_shadow_offset ()
302 if (!asan_shadow_offset_computed)
304 asan_shadow_offset_computed = true;
305 asan_shadow_offset_value = targetm.asan_shadow_offset ();
307 return asan_shadow_offset_value;
310 alias_set_type asan_shadow_set = -1;
312 /* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
313 alias set is used for all shadow memory accesses. */
314 static GTY(()) tree shadow_ptr_types[2];
316 /* Decl for __asan_option_detect_stack_use_after_return. */
317 static GTY(()) tree asan_detect_stack_use_after_return;
319 /* Various flags for Asan builtins. */
320 enum asan_check_flags
322 ASAN_CHECK_STORE = 1 << 0,
323 ASAN_CHECK_SCALAR_ACCESS = 1 << 1,
324 ASAN_CHECK_NON_ZERO_LEN = 1 << 2,
325 ASAN_CHECK_LAST = 1 << 3
328 /* Hashtable support for memory references used by gimple
331 /* This type represents a reference to a memory region. */
334 /* The expression of the beginning of the memory region. */
337 /* The size of the access. */
338 HOST_WIDE_INT access_size;
341 static alloc_pool asan_mem_ref_alloc_pool;
343 /* This creates the alloc pool used to store the instances of
344 asan_mem_ref that are stored in the hash table asan_mem_ref_ht. */
347 asan_mem_ref_get_alloc_pool ()
349 if (asan_mem_ref_alloc_pool == NULL)
350 asan_mem_ref_alloc_pool = create_alloc_pool ("asan_mem_ref",
351 sizeof (asan_mem_ref),
353 return asan_mem_ref_alloc_pool;
357 /* Initializes an instance of asan_mem_ref. */
360 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
363 ref->access_size = access_size;
366 /* Allocates memory for an instance of asan_mem_ref into the memory
367 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
368 START is the address of (or the expression pointing to) the
369 beginning of memory reference. ACCESS_SIZE is the size of the
370 access to the referenced memory. */
373 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
376 (asan_mem_ref *) pool_alloc (asan_mem_ref_get_alloc_pool ());
378 asan_mem_ref_init (ref, start, access_size);
382 /* This builds and returns a pointer to the end of the memory region
383 that starts at START and of length LEN. */
386 asan_mem_ref_get_end (tree start, tree len)
388 if (len == NULL_TREE || integer_zerop (len))
391 if (!ptrofftype_p (len))
392 len = convert_to_ptrofftype (len);
394 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
397 /* Return a tree expression that represents the end of the referenced
398 memory region. Beware that this function can actually build a new
402 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
404 return asan_mem_ref_get_end (ref->start, len);
407 struct asan_mem_ref_hasher
408 : typed_noop_remove <asan_mem_ref>
410 typedef asan_mem_ref value_type;
411 typedef asan_mem_ref compare_type;
413 static inline hashval_t hash (const value_type *);
414 static inline bool equal (const value_type *, const compare_type *);
417 /* Hash a memory reference. */
420 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
422 return iterative_hash_expr (mem_ref->start, 0);
425 /* Compare two memory references. We accept the length of either
426 memory references to be NULL_TREE. */
429 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
430 const asan_mem_ref *m2)
432 return operand_equal_p (m1->start, m2->start, 0);
435 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
437 /* Returns a reference to the hash table containing memory references.
438 This function ensures that the hash table is created. Note that
439 this hash table is updated by the function
440 update_mem_ref_hash_table. */
442 static hash_table<asan_mem_ref_hasher> *
443 get_mem_ref_hash_table ()
445 if (!asan_mem_ref_ht)
446 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
448 return asan_mem_ref_ht;
451 /* Clear all entries from the memory references hash table. */
454 empty_mem_ref_hash_table ()
457 asan_mem_ref_ht->empty ();
460 /* Free the memory references hash table. */
463 free_mem_ref_resources ()
465 delete asan_mem_ref_ht;
466 asan_mem_ref_ht = NULL;
468 if (asan_mem_ref_alloc_pool)
470 free_alloc_pool (asan_mem_ref_alloc_pool);
471 asan_mem_ref_alloc_pool = NULL;
475 /* Return true iff the memory reference REF has been instrumented. */
478 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
481 asan_mem_ref_init (&r, ref, access_size);
483 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
484 return saved_ref && saved_ref->access_size >= access_size;
487 /* Return true iff the memory reference REF has been instrumented. */
490 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
492 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
495 /* Return true iff access to memory region starting at REF and of
496 length LEN has been instrumented. */
499 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
501 HOST_WIDE_INT size_in_bytes
502 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
504 return size_in_bytes != -1
505 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
508 /* Set REF to the memory reference present in a gimple assignment
509 ASSIGNMENT. Return true upon successful completion, false
513 get_mem_ref_of_assignment (const gassign *assignment,
517 gcc_assert (gimple_assign_single_p (assignment));
519 if (gimple_store_p (assignment)
520 && !gimple_clobber_p (assignment))
522 ref->start = gimple_assign_lhs (assignment);
523 *ref_is_store = true;
525 else if (gimple_assign_load_p (assignment))
527 ref->start = gimple_assign_rhs1 (assignment);
528 *ref_is_store = false;
533 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
537 /* Return the memory references contained in a gimple statement
538 representing a builtin call that has to do with memory access. */
541 get_mem_refs_of_builtin_call (const gcall *call,
554 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
556 tree callee = gimple_call_fndecl (call);
557 tree source0 = NULL_TREE, source1 = NULL_TREE,
558 dest = NULL_TREE, len = NULL_TREE;
559 bool is_store = true, got_reference_p = false;
560 HOST_WIDE_INT access_size = 1;
562 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
564 switch (DECL_FUNCTION_CODE (callee))
566 /* (s, s, n) style memops. */
568 case BUILT_IN_MEMCMP:
569 source0 = gimple_call_arg (call, 0);
570 source1 = gimple_call_arg (call, 1);
571 len = gimple_call_arg (call, 2);
574 /* (src, dest, n) style memops. */
576 source0 = gimple_call_arg (call, 0);
577 dest = gimple_call_arg (call, 1);
578 len = gimple_call_arg (call, 2);
581 /* (dest, src, n) style memops. */
582 case BUILT_IN_MEMCPY:
583 case BUILT_IN_MEMCPY_CHK:
584 case BUILT_IN_MEMMOVE:
585 case BUILT_IN_MEMMOVE_CHK:
586 case BUILT_IN_MEMPCPY:
587 case BUILT_IN_MEMPCPY_CHK:
588 dest = gimple_call_arg (call, 0);
589 source0 = gimple_call_arg (call, 1);
590 len = gimple_call_arg (call, 2);
593 /* (dest, n) style memops. */
595 dest = gimple_call_arg (call, 0);
596 len = gimple_call_arg (call, 1);
599 /* (dest, x, n) style memops*/
600 case BUILT_IN_MEMSET:
601 case BUILT_IN_MEMSET_CHK:
602 dest = gimple_call_arg (call, 0);
603 len = gimple_call_arg (call, 2);
606 case BUILT_IN_STRLEN:
607 source0 = gimple_call_arg (call, 0);
608 len = gimple_call_lhs (call);
611 /* And now the __atomic* and __sync builtins.
612 These are handled differently from the classical memory memory
613 access builtins above. */
615 case BUILT_IN_ATOMIC_LOAD_1:
616 case BUILT_IN_ATOMIC_LOAD_2:
617 case BUILT_IN_ATOMIC_LOAD_4:
618 case BUILT_IN_ATOMIC_LOAD_8:
619 case BUILT_IN_ATOMIC_LOAD_16:
623 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
624 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
625 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
626 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
627 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
629 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
630 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
631 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
632 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
633 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
635 case BUILT_IN_SYNC_FETCH_AND_OR_1:
636 case BUILT_IN_SYNC_FETCH_AND_OR_2:
637 case BUILT_IN_SYNC_FETCH_AND_OR_4:
638 case BUILT_IN_SYNC_FETCH_AND_OR_8:
639 case BUILT_IN_SYNC_FETCH_AND_OR_16:
641 case BUILT_IN_SYNC_FETCH_AND_AND_1:
642 case BUILT_IN_SYNC_FETCH_AND_AND_2:
643 case BUILT_IN_SYNC_FETCH_AND_AND_4:
644 case BUILT_IN_SYNC_FETCH_AND_AND_8:
645 case BUILT_IN_SYNC_FETCH_AND_AND_16:
647 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
648 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
649 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
650 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
651 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
653 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
654 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
655 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
656 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
658 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
659 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
660 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
661 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
662 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
664 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
665 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
666 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
667 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
668 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
670 case BUILT_IN_SYNC_OR_AND_FETCH_1:
671 case BUILT_IN_SYNC_OR_AND_FETCH_2:
672 case BUILT_IN_SYNC_OR_AND_FETCH_4:
673 case BUILT_IN_SYNC_OR_AND_FETCH_8:
674 case BUILT_IN_SYNC_OR_AND_FETCH_16:
676 case BUILT_IN_SYNC_AND_AND_FETCH_1:
677 case BUILT_IN_SYNC_AND_AND_FETCH_2:
678 case BUILT_IN_SYNC_AND_AND_FETCH_4:
679 case BUILT_IN_SYNC_AND_AND_FETCH_8:
680 case BUILT_IN_SYNC_AND_AND_FETCH_16:
682 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
683 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
684 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
685 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
686 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
688 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
689 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
690 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
691 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
693 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
694 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
695 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
696 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
697 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
699 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
700 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
701 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
702 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
703 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
705 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
706 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
707 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
708 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
709 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
711 case BUILT_IN_SYNC_LOCK_RELEASE_1:
712 case BUILT_IN_SYNC_LOCK_RELEASE_2:
713 case BUILT_IN_SYNC_LOCK_RELEASE_4:
714 case BUILT_IN_SYNC_LOCK_RELEASE_8:
715 case BUILT_IN_SYNC_LOCK_RELEASE_16:
717 case BUILT_IN_ATOMIC_EXCHANGE_1:
718 case BUILT_IN_ATOMIC_EXCHANGE_2:
719 case BUILT_IN_ATOMIC_EXCHANGE_4:
720 case BUILT_IN_ATOMIC_EXCHANGE_8:
721 case BUILT_IN_ATOMIC_EXCHANGE_16:
723 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
724 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
725 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
726 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
727 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
729 case BUILT_IN_ATOMIC_STORE_1:
730 case BUILT_IN_ATOMIC_STORE_2:
731 case BUILT_IN_ATOMIC_STORE_4:
732 case BUILT_IN_ATOMIC_STORE_8:
733 case BUILT_IN_ATOMIC_STORE_16:
735 case BUILT_IN_ATOMIC_ADD_FETCH_1:
736 case BUILT_IN_ATOMIC_ADD_FETCH_2:
737 case BUILT_IN_ATOMIC_ADD_FETCH_4:
738 case BUILT_IN_ATOMIC_ADD_FETCH_8:
739 case BUILT_IN_ATOMIC_ADD_FETCH_16:
741 case BUILT_IN_ATOMIC_SUB_FETCH_1:
742 case BUILT_IN_ATOMIC_SUB_FETCH_2:
743 case BUILT_IN_ATOMIC_SUB_FETCH_4:
744 case BUILT_IN_ATOMIC_SUB_FETCH_8:
745 case BUILT_IN_ATOMIC_SUB_FETCH_16:
747 case BUILT_IN_ATOMIC_AND_FETCH_1:
748 case BUILT_IN_ATOMIC_AND_FETCH_2:
749 case BUILT_IN_ATOMIC_AND_FETCH_4:
750 case BUILT_IN_ATOMIC_AND_FETCH_8:
751 case BUILT_IN_ATOMIC_AND_FETCH_16:
753 case BUILT_IN_ATOMIC_NAND_FETCH_1:
754 case BUILT_IN_ATOMIC_NAND_FETCH_2:
755 case BUILT_IN_ATOMIC_NAND_FETCH_4:
756 case BUILT_IN_ATOMIC_NAND_FETCH_8:
757 case BUILT_IN_ATOMIC_NAND_FETCH_16:
759 case BUILT_IN_ATOMIC_XOR_FETCH_1:
760 case BUILT_IN_ATOMIC_XOR_FETCH_2:
761 case BUILT_IN_ATOMIC_XOR_FETCH_4:
762 case BUILT_IN_ATOMIC_XOR_FETCH_8:
763 case BUILT_IN_ATOMIC_XOR_FETCH_16:
765 case BUILT_IN_ATOMIC_OR_FETCH_1:
766 case BUILT_IN_ATOMIC_OR_FETCH_2:
767 case BUILT_IN_ATOMIC_OR_FETCH_4:
768 case BUILT_IN_ATOMIC_OR_FETCH_8:
769 case BUILT_IN_ATOMIC_OR_FETCH_16:
771 case BUILT_IN_ATOMIC_FETCH_ADD_1:
772 case BUILT_IN_ATOMIC_FETCH_ADD_2:
773 case BUILT_IN_ATOMIC_FETCH_ADD_4:
774 case BUILT_IN_ATOMIC_FETCH_ADD_8:
775 case BUILT_IN_ATOMIC_FETCH_ADD_16:
777 case BUILT_IN_ATOMIC_FETCH_SUB_1:
778 case BUILT_IN_ATOMIC_FETCH_SUB_2:
779 case BUILT_IN_ATOMIC_FETCH_SUB_4:
780 case BUILT_IN_ATOMIC_FETCH_SUB_8:
781 case BUILT_IN_ATOMIC_FETCH_SUB_16:
783 case BUILT_IN_ATOMIC_FETCH_AND_1:
784 case BUILT_IN_ATOMIC_FETCH_AND_2:
785 case BUILT_IN_ATOMIC_FETCH_AND_4:
786 case BUILT_IN_ATOMIC_FETCH_AND_8:
787 case BUILT_IN_ATOMIC_FETCH_AND_16:
789 case BUILT_IN_ATOMIC_FETCH_NAND_1:
790 case BUILT_IN_ATOMIC_FETCH_NAND_2:
791 case BUILT_IN_ATOMIC_FETCH_NAND_4:
792 case BUILT_IN_ATOMIC_FETCH_NAND_8:
793 case BUILT_IN_ATOMIC_FETCH_NAND_16:
795 case BUILT_IN_ATOMIC_FETCH_XOR_1:
796 case BUILT_IN_ATOMIC_FETCH_XOR_2:
797 case BUILT_IN_ATOMIC_FETCH_XOR_4:
798 case BUILT_IN_ATOMIC_FETCH_XOR_8:
799 case BUILT_IN_ATOMIC_FETCH_XOR_16:
801 case BUILT_IN_ATOMIC_FETCH_OR_1:
802 case BUILT_IN_ATOMIC_FETCH_OR_2:
803 case BUILT_IN_ATOMIC_FETCH_OR_4:
804 case BUILT_IN_ATOMIC_FETCH_OR_8:
805 case BUILT_IN_ATOMIC_FETCH_OR_16:
807 dest = gimple_call_arg (call, 0);
808 /* DEST represents the address of a memory location.
809 instrument_derefs wants the memory location, so lets
810 dereference the address DEST before handing it to
811 instrument_derefs. */
812 if (TREE_CODE (dest) == ADDR_EXPR)
813 dest = TREE_OPERAND (dest, 0);
814 else if (TREE_CODE (dest) == SSA_NAME || TREE_CODE (dest) == INTEGER_CST)
815 dest = build2 (MEM_REF, TREE_TYPE (TREE_TYPE (dest)),
816 dest, build_int_cst (TREE_TYPE (dest), 0));
820 access_size = int_size_in_bytes (TREE_TYPE (dest));
824 /* The other builtins memory access are not instrumented in this
825 function because they either don't have any length parameter,
826 or their length parameter is just a limit. */
830 if (len != NULL_TREE)
832 if (source0 != NULL_TREE)
834 src0->start = source0;
835 src0->access_size = access_size;
837 *src0_is_store = false;
840 if (source1 != NULL_TREE)
842 src1->start = source1;
843 src1->access_size = access_size;
845 *src1_is_store = false;
848 if (dest != NULL_TREE)
851 dst->access_size = access_size;
853 *dst_is_store = true;
856 got_reference_p = true;
861 dst->access_size = access_size;
862 *dst_len = NULL_TREE;
863 *dst_is_store = is_store;
864 *dest_is_deref = true;
865 got_reference_p = true;
868 return got_reference_p;
871 /* Return true iff a given gimple statement has been instrumented.
872 Note that the statement is "defined" by the memory references it
876 has_stmt_been_instrumented_p (gimple stmt)
878 if (gimple_assign_single_p (stmt))
882 asan_mem_ref_init (&r, NULL, 1);
884 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
886 return has_mem_ref_been_instrumented (&r);
888 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
890 asan_mem_ref src0, src1, dest;
891 asan_mem_ref_init (&src0, NULL, 1);
892 asan_mem_ref_init (&src1, NULL, 1);
893 asan_mem_ref_init (&dest, NULL, 1);
895 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
896 bool src0_is_store = false, src1_is_store = false,
897 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
898 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
899 &src0, &src0_len, &src0_is_store,
900 &src1, &src1_len, &src1_is_store,
901 &dest, &dest_len, &dest_is_store,
902 &dest_is_deref, &intercepted_p))
904 if (src0.start != NULL_TREE
905 && !has_mem_ref_been_instrumented (&src0, src0_len))
908 if (src1.start != NULL_TREE
909 && !has_mem_ref_been_instrumented (&src1, src1_len))
912 if (dest.start != NULL_TREE
913 && !has_mem_ref_been_instrumented (&dest, dest_len))
922 /* Insert a memory reference into the hash table. */
925 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
927 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
930 asan_mem_ref_init (&r, ref, access_size);
932 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
933 if (*slot == NULL || (*slot)->access_size < access_size)
934 *slot = asan_mem_ref_new (ref, access_size);
937 /* Initialize shadow_ptr_types array. */
940 asan_init_shadow_ptr_types (void)
942 asan_shadow_set = new_alias_set ();
943 shadow_ptr_types[0] = build_distinct_type_copy (signed_char_type_node);
944 TYPE_ALIAS_SET (shadow_ptr_types[0]) = asan_shadow_set;
945 shadow_ptr_types[0] = build_pointer_type (shadow_ptr_types[0]);
946 shadow_ptr_types[1] = build_distinct_type_copy (short_integer_type_node);
947 TYPE_ALIAS_SET (shadow_ptr_types[1]) = asan_shadow_set;
948 shadow_ptr_types[1] = build_pointer_type (shadow_ptr_types[1]);
949 initialize_sanitizer_builtins ();
952 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
955 asan_pp_string (pretty_printer *pp)
957 const char *buf = pp_formatted_text (pp);
958 size_t len = strlen (buf);
959 tree ret = build_string (len + 1, buf);
961 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
962 build_index_type (size_int (len)));
963 TREE_READONLY (ret) = 1;
964 TREE_STATIC (ret) = 1;
965 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
968 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
971 asan_shadow_cst (unsigned char shadow_bytes[4])
974 unsigned HOST_WIDE_INT val = 0;
975 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
976 for (i = 0; i < 4; i++)
977 val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
978 << (BITS_PER_UNIT * i);
979 return gen_int_mode (val, SImode);
982 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
986 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
988 rtx_insn *insn, *insns, *jump;
989 rtx_code_label *top_label;
993 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
994 insns = get_insns ();
996 for (insn = insns; insn; insn = NEXT_INSN (insn))
999 if (insn == NULL_RTX)
1005 gcc_assert ((len & 3) == 0);
1006 top_label = gen_label_rtx ();
1007 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1008 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1009 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1010 emit_label (top_label);
1012 emit_move_insn (shadow_mem, const0_rtx);
1013 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1014 true, OPTAB_LIB_WIDEN);
1016 emit_move_insn (addr, tmp);
1017 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1018 jump = get_last_insn ();
1019 gcc_assert (JUMP_P (jump));
1020 add_int_reg_note (jump, REG_BR_PROB, REG_BR_PROB_BASE * 80 / 100);
1024 asan_function_start (void)
1026 section *fnsec = function_section (current_function_decl);
1027 switch_to_section (fnsec);
1028 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1029 current_function_funcdef_no);
1032 /* Insert code to protect stack vars. The prologue sequence should be emitted
1033 directly, epilogue sequence returned. BASE is the register holding the
1034 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1035 array contains pairs of offsets in reverse order, always the end offset
1036 of some gap that needs protection followed by starting offset,
1037 and DECLS is an array of representative decls for each var partition.
1038 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1039 elements long (OFFSETS include gap before the first variable as well
1040 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1041 register which stack vars DECL_RTLs are based on. Either BASE should be
1042 assigned to PBASE, when not doing use after return protection, or
1043 corresponding address based on __asan_stack_malloc* return value. */
1046 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1047 HOST_WIDE_INT *offsets, tree *decls, int length)
1049 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1050 rtx_code_label *lab;
1053 unsigned char shadow_bytes[4];
1054 HOST_WIDE_INT base_offset = offsets[length - 1];
1055 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1056 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1057 HOST_WIDE_INT last_offset, last_size;
1059 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1060 tree str_cst, decl, id;
1061 int use_after_return_class = -1;
1063 if (shadow_ptr_types[0] == NULL_TREE)
1064 asan_init_shadow_ptr_types ();
1066 /* First of all, prepare the description string. */
1067 pretty_printer asan_pp;
1069 pp_decimal_int (&asan_pp, length / 2 - 1);
1070 pp_space (&asan_pp);
1071 for (l = length - 2; l; l -= 2)
1073 tree decl = decls[l / 2 - 1];
1074 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1075 pp_space (&asan_pp);
1076 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1077 pp_space (&asan_pp);
1078 if (DECL_P (decl) && DECL_NAME (decl))
1080 pp_decimal_int (&asan_pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
1081 pp_space (&asan_pp);
1082 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1085 pp_string (&asan_pp, "9 <unknown>");
1086 pp_space (&asan_pp);
1088 str_cst = asan_pp_string (&asan_pp);
1090 /* Emit the prologue sequence. */
1091 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1092 && ASAN_USE_AFTER_RETURN)
1094 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1095 /* __asan_stack_malloc_N guarantees alignment
1096 N < 6 ? (64 << N) : 4096 bytes. */
1097 if (alignb > (use_after_return_class < 6
1098 ? (64U << use_after_return_class) : 4096U))
1099 use_after_return_class = -1;
1100 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1101 base_align_bias = ((asan_frame_size + alignb - 1)
1102 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1104 /* Align base if target is STRICT_ALIGNMENT. */
1105 if (STRICT_ALIGNMENT)
1106 base = expand_binop (Pmode, and_optab, base,
1107 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1108 << ASAN_SHADOW_SHIFT)
1109 / BITS_PER_UNIT), Pmode), NULL_RTX,
1112 if (use_after_return_class == -1 && pbase)
1113 emit_move_insn (pbase, base);
1115 base = expand_binop (Pmode, add_optab, base,
1116 gen_int_mode (base_offset - base_align_bias, Pmode),
1117 NULL_RTX, 1, OPTAB_DIRECT);
1118 orig_base = NULL_RTX;
1119 if (use_after_return_class != -1)
1121 if (asan_detect_stack_use_after_return == NULL_TREE)
1123 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1124 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1126 SET_DECL_ASSEMBLER_NAME (decl, id);
1127 TREE_ADDRESSABLE (decl) = 1;
1128 DECL_ARTIFICIAL (decl) = 1;
1129 DECL_IGNORED_P (decl) = 1;
1130 DECL_EXTERNAL (decl) = 1;
1131 TREE_STATIC (decl) = 1;
1132 TREE_PUBLIC (decl) = 1;
1133 TREE_USED (decl) = 1;
1134 asan_detect_stack_use_after_return = decl;
1136 orig_base = gen_reg_rtx (Pmode);
1137 emit_move_insn (orig_base, base);
1138 ret = expand_normal (asan_detect_stack_use_after_return);
1139 lab = gen_label_rtx ();
1140 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1141 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1142 VOIDmode, 0, lab, very_likely);
1143 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1144 use_after_return_class);
1145 ret = init_one_libfunc (buf);
1146 rtx addr = convert_memory_address (ptr_mode, base);
1147 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode, 2,
1148 GEN_INT (asan_frame_size
1150 TYPE_MODE (pointer_sized_int_node),
1152 ret = convert_memory_address (Pmode, ret);
1153 emit_move_insn (base, ret);
1155 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1156 gen_int_mode (base_align_bias
1157 - base_offset, Pmode),
1158 NULL_RTX, 1, OPTAB_DIRECT));
1160 mem = gen_rtx_MEM (ptr_mode, base);
1161 mem = adjust_address (mem, VOIDmode, base_align_bias);
1162 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1163 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1164 emit_move_insn (mem, expand_normal (str_cst));
1165 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1166 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1167 id = get_identifier (buf);
1168 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1169 VAR_DECL, id, char_type_node);
1170 SET_DECL_ASSEMBLER_NAME (decl, id);
1171 TREE_ADDRESSABLE (decl) = 1;
1172 TREE_READONLY (decl) = 1;
1173 DECL_ARTIFICIAL (decl) = 1;
1174 DECL_IGNORED_P (decl) = 1;
1175 TREE_STATIC (decl) = 1;
1176 TREE_PUBLIC (decl) = 0;
1177 TREE_USED (decl) = 1;
1178 DECL_INITIAL (decl) = decl;
1179 TREE_ASM_WRITTEN (decl) = 1;
1180 TREE_ASM_WRITTEN (id) = 1;
1181 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1182 shadow_base = expand_binop (Pmode, lshr_optab, base,
1183 GEN_INT (ASAN_SHADOW_SHIFT),
1184 NULL_RTX, 1, OPTAB_DIRECT);
1186 = plus_constant (Pmode, shadow_base,
1187 asan_shadow_offset ()
1188 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1189 gcc_assert (asan_shadow_set != -1
1190 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1191 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1192 set_mem_alias_set (shadow_mem, asan_shadow_set);
1193 if (STRICT_ALIGNMENT)
1194 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1195 prev_offset = base_offset;
1196 for (l = length; l; l -= 2)
1199 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1200 offset = offsets[l - 1];
1201 if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
1205 = base_offset + ((offset - base_offset)
1206 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1207 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1208 (aoff - prev_offset)
1209 >> ASAN_SHADOW_SHIFT);
1211 for (i = 0; i < 4; i++, aoff += (1 << ASAN_SHADOW_SHIFT))
1214 if (aoff < offset - (1 << ASAN_SHADOW_SHIFT) + 1)
1215 shadow_bytes[i] = 0;
1217 shadow_bytes[i] = offset - aoff;
1220 shadow_bytes[i] = ASAN_STACK_MAGIC_PARTIAL;
1221 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1224 while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
1226 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1227 (offset - prev_offset)
1228 >> ASAN_SHADOW_SHIFT);
1229 prev_offset = offset;
1230 memset (shadow_bytes, cur_shadow_byte, 4);
1231 emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
1232 offset += ASAN_RED_ZONE_SIZE;
1234 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1236 do_pending_stack_adjust ();
1238 /* Construct epilogue sequence. */
1242 if (use_after_return_class != -1)
1244 rtx_code_label *lab2 = gen_label_rtx ();
1245 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1246 int very_likely = REG_BR_PROB_BASE - (REG_BR_PROB_BASE / 2000 - 1);
1247 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1248 VOIDmode, 0, lab2, very_likely);
1249 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1250 set_mem_alias_set (shadow_mem, asan_shadow_set);
1251 mem = gen_rtx_MEM (ptr_mode, base);
1252 mem = adjust_address (mem, VOIDmode, base_align_bias);
1253 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1254 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1255 if (use_after_return_class < 5
1256 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1257 BITS_PER_UNIT, true))
1258 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1259 BITS_PER_UNIT, true, 0);
1260 else if (use_after_return_class >= 5
1261 || !set_storage_via_setmem (shadow_mem,
1263 gen_int_mode (c, QImode),
1264 BITS_PER_UNIT, BITS_PER_UNIT,
1267 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1268 use_after_return_class);
1269 ret = init_one_libfunc (buf);
1270 rtx addr = convert_memory_address (ptr_mode, base);
1271 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1272 emit_library_call (ret, LCT_NORMAL, ptr_mode, 3, addr, ptr_mode,
1273 GEN_INT (asan_frame_size + base_align_bias),
1274 TYPE_MODE (pointer_sized_int_node),
1275 orig_addr, ptr_mode);
1277 lab = gen_label_rtx ();
1282 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1283 set_mem_alias_set (shadow_mem, asan_shadow_set);
1285 if (STRICT_ALIGNMENT)
1286 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1288 prev_offset = base_offset;
1289 last_offset = base_offset;
1291 for (l = length; l; l -= 2)
1293 offset = base_offset + ((offsets[l - 1] - base_offset)
1294 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1295 if (last_offset + last_size != offset)
1297 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1298 (last_offset - prev_offset)
1299 >> ASAN_SHADOW_SHIFT);
1300 prev_offset = last_offset;
1301 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1302 last_offset = offset;
1305 last_size += base_offset + ((offsets[l - 2] - base_offset)
1306 & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1311 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1312 (last_offset - prev_offset)
1313 >> ASAN_SHADOW_SHIFT);
1314 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1317 do_pending_stack_adjust ();
1321 insns = get_insns ();
1326 /* Return true if DECL, a global var, might be overridden and needs
1327 therefore a local alias. */
1330 asan_needs_local_alias (tree decl)
1332 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1335 /* Return true if DECL is a VAR_DECL that should be protected
1336 by Address Sanitizer, by appending a red zone with protected
1337 shadow memory after it and aligning it to at least
1338 ASAN_RED_ZONE_SIZE bytes. */
1341 asan_protect_global (tree decl)
1348 if (TREE_CODE (decl) == STRING_CST)
1350 /* Instrument all STRING_CSTs except those created
1351 by asan_pp_string here. */
1352 if (shadow_ptr_types[0] != NULL_TREE
1353 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1354 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1358 if (TREE_CODE (decl) != VAR_DECL
1359 /* TLS vars aren't statically protectable. */
1360 || DECL_THREAD_LOCAL_P (decl)
1361 /* Externs will be protected elsewhere. */
1362 || DECL_EXTERNAL (decl)
1363 || !DECL_RTL_SET_P (decl)
1364 /* Comdat vars pose an ABI problem, we can't know if
1365 the var that is selected by the linker will have
1367 || DECL_ONE_ONLY (decl)
1368 /* Similarly for common vars. People can use -fno-common.
1369 Note: Linux kernel is built with -fno-common, so we do instrument
1370 globals there even if it is C. */
1371 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1372 /* Don't protect if using user section, often vars placed
1373 into user section from multiple TUs are then assumed
1374 to be an array of such vars, putting padding in there
1375 breaks this assumption. */
1376 || (DECL_SECTION_NAME (decl) != NULL
1377 && !symtab_node::get (decl)->implicit_section)
1378 || DECL_SIZE (decl) == 0
1379 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1380 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1381 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1382 || TREE_TYPE (decl) == ubsan_get_source_location_type ())
1385 rtl = DECL_RTL (decl);
1386 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1388 symbol = XEXP (rtl, 0);
1390 if (CONSTANT_POOL_ADDRESS_P (symbol)
1391 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1394 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1397 #ifndef ASM_OUTPUT_DEF
1398 if (asan_needs_local_alias (decl))
1405 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1406 IS_STORE is either 1 (for a store) or 0 (for a load). */
1409 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1412 static enum built_in_function report[2][2][6]
1413 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1414 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1415 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1416 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1417 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1418 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1419 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1420 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1421 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1422 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1423 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1424 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1425 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1426 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1427 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1428 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1429 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1430 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1431 if (size_in_bytes == -1)
1434 return builtin_decl_implicit (report[recover_p][is_store][5]);
1437 int size_log2 = exact_log2 (size_in_bytes);
1438 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1441 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1442 IS_STORE is either 1 (for a store) or 0 (for a load). */
1445 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1448 static enum built_in_function check[2][2][6]
1449 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1450 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1451 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1452 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1453 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1454 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1455 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1456 BUILT_IN_ASAN_LOAD2_NOABORT,
1457 BUILT_IN_ASAN_LOAD4_NOABORT,
1458 BUILT_IN_ASAN_LOAD8_NOABORT,
1459 BUILT_IN_ASAN_LOAD16_NOABORT,
1460 BUILT_IN_ASAN_LOADN_NOABORT },
1461 { BUILT_IN_ASAN_STORE1_NOABORT,
1462 BUILT_IN_ASAN_STORE2_NOABORT,
1463 BUILT_IN_ASAN_STORE4_NOABORT,
1464 BUILT_IN_ASAN_STORE8_NOABORT,
1465 BUILT_IN_ASAN_STORE16_NOABORT,
1466 BUILT_IN_ASAN_STOREN_NOABORT } } };
1467 if (size_in_bytes == -1)
1470 return builtin_decl_implicit (check[recover_p][is_store][5]);
1473 int size_log2 = exact_log2 (size_in_bytes);
1474 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1477 /* Split the current basic block and create a condition statement
1478 insertion point right before or after the statement pointed to by
1479 ITER. Return an iterator to the point at which the caller might
1480 safely insert the condition statement.
1482 THEN_BLOCK must be set to the address of an uninitialized instance
1483 of basic_block. The function will then set *THEN_BLOCK to the
1484 'then block' of the condition statement to be inserted by the
1487 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1488 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1490 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1491 block' of the condition statement to be inserted by the caller.
1493 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1494 statements starting from *ITER, and *THEN_BLOCK is a new empty
1497 *ITER is adjusted to point to always point to the first statement
1498 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1499 same as what ITER was pointing to prior to calling this function,
1500 if BEFORE_P is true; otherwise, it is its following statement. */
1502 gimple_stmt_iterator
1503 create_cond_insert_point (gimple_stmt_iterator *iter,
1505 bool then_more_likely_p,
1506 bool create_then_fallthru_edge,
1507 basic_block *then_block,
1508 basic_block *fallthrough_block)
1510 gimple_stmt_iterator gsi = *iter;
1512 if (!gsi_end_p (gsi) && before_p)
1515 basic_block cur_bb = gsi_bb (*iter);
1517 edge e = split_block (cur_bb, gsi_stmt (gsi));
1519 /* Get a hold on the 'condition block', the 'then block' and the
1521 basic_block cond_bb = e->src;
1522 basic_block fallthru_bb = e->dest;
1523 basic_block then_bb = create_empty_bb (cond_bb);
1526 add_bb_to_loop (then_bb, cond_bb->loop_father);
1527 loops_state_set (LOOPS_NEED_FIXUP);
1530 /* Set up the newly created 'then block'. */
1531 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1532 int fallthrough_probability
1533 = then_more_likely_p
1534 ? PROB_VERY_UNLIKELY
1535 : PROB_ALWAYS - PROB_VERY_UNLIKELY;
1536 e->probability = PROB_ALWAYS - fallthrough_probability;
1537 if (create_then_fallthru_edge)
1538 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1540 /* Set up the fallthrough basic block. */
1541 e = find_edge (cond_bb, fallthru_bb);
1542 e->flags = EDGE_FALSE_VALUE;
1543 e->count = cond_bb->count;
1544 e->probability = fallthrough_probability;
1546 /* Update dominance info for the newly created then_bb; note that
1547 fallthru_bb's dominance info has already been updated by
1549 if (dom_info_available_p (CDI_DOMINATORS))
1550 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1552 *then_block = then_bb;
1553 *fallthrough_block = fallthru_bb;
1554 *iter = gsi_start_bb (fallthru_bb);
1556 return gsi_last_bb (cond_bb);
1559 /* Insert an if condition followed by a 'then block' right before the
1560 statement pointed to by ITER. The fallthrough block -- which is the
1561 else block of the condition as well as the destination of the
1562 outcoming edge of the 'then block' -- starts with the statement
1565 COND is the condition of the if.
1567 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1568 'then block' is higher than the probability of the edge to the
1571 Upon completion of the function, *THEN_BB is set to the newly
1572 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1575 *ITER is adjusted to still point to the same statement it was
1576 pointing to initially. */
1579 insert_if_then_before_iter (gcond *cond,
1580 gimple_stmt_iterator *iter,
1581 bool then_more_likely_p,
1582 basic_block *then_bb,
1583 basic_block *fallthrough_bb)
1585 gimple_stmt_iterator cond_insert_point =
1586 create_cond_insert_point (iter,
1589 /*create_then_fallthru_edge=*/true,
1592 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
1596 (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset (). */
1599 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
1600 tree base_addr, tree shadow_ptr_type)
1602 tree t, uintptr_type = TREE_TYPE (base_addr);
1603 tree shadow_type = TREE_TYPE (shadow_ptr_type);
1606 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
1607 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
1609 gimple_set_location (g, location);
1610 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1612 t = build_int_cst (uintptr_type, asan_shadow_offset ());
1613 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
1614 gimple_assign_lhs (g), t);
1615 gimple_set_location (g, location);
1616 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1618 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
1619 gimple_assign_lhs (g));
1620 gimple_set_location (g, location);
1621 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1623 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
1624 build_int_cst (shadow_ptr_type, 0));
1625 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
1626 gimple_set_location (g, location);
1627 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1628 return gimple_assign_lhs (g);
1631 /* BASE can already be an SSA_NAME; in that case, do not create a
1632 new SSA_NAME for it. */
1635 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
1638 if (TREE_CODE (base) == SSA_NAME)
1640 gimple g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
1641 TREE_CODE (base), base);
1642 gimple_set_location (g, loc);
1644 gsi_insert_before (iter, g, GSI_SAME_STMT);
1646 gsi_insert_after (iter, g, GSI_NEW_STMT);
1647 return gimple_assign_lhs (g);
1650 /* LEN can already have necessary size and precision;
1651 in that case, do not create a new variable. */
1654 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
1657 if (ptrofftype_p (len))
1659 gimple g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1661 gimple_set_location (g, loc);
1663 gsi_insert_before (iter, g, GSI_SAME_STMT);
1665 gsi_insert_after (iter, g, GSI_NEW_STMT);
1666 return gimple_assign_lhs (g);
1669 /* Instrument the memory access instruction BASE. Insert new
1670 statements before or after ITER.
1672 Note that the memory access represented by BASE can be either an
1673 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1674 location. IS_STORE is TRUE for a store, FALSE for a load.
1675 BEFORE_P is TRUE for inserting the instrumentation code before
1676 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
1677 for a scalar memory access and FALSE for memory region access.
1678 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
1679 length. ALIGN tells alignment of accessed memory object.
1681 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
1682 memory region have already been instrumented.
1684 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1685 statement it was pointing to prior to calling this function,
1686 otherwise, it points to the statement logically following it. */
1689 build_check_stmt (location_t loc, tree base, tree len,
1690 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
1691 bool is_non_zero_len, bool before_p, bool is_store,
1692 bool is_scalar_access, unsigned int align = 0)
1694 gimple_stmt_iterator gsi = *iter;
1697 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
1701 base = unshare_expr (base);
1702 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
1706 len = unshare_expr (len);
1707 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
1711 gcc_assert (size_in_bytes != -1);
1712 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
1715 if (size_in_bytes > 1)
1717 if ((size_in_bytes & (size_in_bytes - 1)) != 0
1718 || size_in_bytes > 16)
1719 is_scalar_access = false;
1720 else if (align && align < size_in_bytes * BITS_PER_UNIT)
1722 /* On non-strict alignment targets, if
1723 16-byte access is just 8-byte aligned,
1724 this will result in misaligned shadow
1725 memory 2 byte load, but otherwise can
1726 be handled using one read. */
1727 if (size_in_bytes != 16
1729 || align < 8 * BITS_PER_UNIT)
1730 is_scalar_access = false;
1734 HOST_WIDE_INT flags = 0;
1736 flags |= ASAN_CHECK_STORE;
1737 if (is_non_zero_len)
1738 flags |= ASAN_CHECK_NON_ZERO_LEN;
1739 if (is_scalar_access)
1740 flags |= ASAN_CHECK_SCALAR_ACCESS;
1742 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
1743 build_int_cst (integer_type_node, flags),
1745 build_int_cst (integer_type_node,
1746 align / BITS_PER_UNIT));
1747 gimple_set_location (g, loc);
1749 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1752 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
1758 /* If T represents a memory access, add instrumentation code before ITER.
1759 LOCATION is source code location.
1760 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1763 instrument_derefs (gimple_stmt_iterator *iter, tree t,
1764 location_t location, bool is_store)
1766 if (is_store && !ASAN_INSTRUMENT_WRITES)
1768 if (!is_store && !ASAN_INSTRUMENT_READS)
1772 HOST_WIDE_INT size_in_bytes;
1774 type = TREE_TYPE (t);
1775 switch (TREE_CODE (t))
1789 size_in_bytes = int_size_in_bytes (type);
1790 if (size_in_bytes <= 0)
1793 HOST_WIDE_INT bitsize, bitpos;
1796 int volatilep = 0, unsignedp = 0;
1797 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset,
1798 &mode, &unsignedp, &volatilep, false);
1800 if (TREE_CODE (t) == COMPONENT_REF
1801 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
1803 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
1804 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
1805 TREE_OPERAND (t, 0), repr,
1806 NULL_TREE), location, is_store);
1810 if (bitpos % BITS_PER_UNIT
1811 || bitsize != size_in_bytes * BITS_PER_UNIT)
1814 if (TREE_CODE (inner) == VAR_DECL
1815 && offset == NULL_TREE
1817 && DECL_SIZE (inner)
1818 && tree_fits_shwi_p (DECL_SIZE (inner))
1819 && bitpos + bitsize <= tree_to_shwi (DECL_SIZE (inner)))
1821 if (DECL_THREAD_LOCAL_P (inner))
1823 if (!TREE_STATIC (inner))
1825 /* Automatic vars in the current function will be always
1827 if (decl_function_context (inner) == current_function_decl)
1830 /* Always instrument external vars, they might be dynamically
1832 else if (!DECL_EXTERNAL (inner))
1834 /* For static vars if they are known not to be dynamically
1835 initialized, they will be always accessible. */
1836 varpool_node *vnode = varpool_node::get (inner);
1837 if (vnode && !vnode->dynamically_initialized)
1842 base = build_fold_addr_expr (t);
1843 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
1845 unsigned int align = get_object_alignment (t);
1846 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
1847 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
1848 is_store, /*is_scalar_access*/true, align);
1849 update_mem_ref_hash_table (base, size_in_bytes);
1850 update_mem_ref_hash_table (t, size_in_bytes);
1855 /* Insert a memory reference into the hash table if access length
1856 can be determined in compile time. */
1859 maybe_update_mem_ref_hash_table (tree base, tree len)
1861 if (!POINTER_TYPE_P (TREE_TYPE (base))
1862 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
1865 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1867 if (size_in_bytes != -1)
1868 update_mem_ref_hash_table (base, size_in_bytes);
1871 /* Instrument an access to a contiguous memory region that starts at
1872 the address pointed to by BASE, over a length of LEN (expressed in
1873 the sizeof (*BASE) bytes). ITER points to the instruction before
1874 which the instrumentation instructions must be inserted. LOCATION
1875 is the source location that the instrumentation instructions must
1876 have. If IS_STORE is true, then the memory access is a store;
1877 otherwise, it's a load. */
1880 instrument_mem_region_access (tree base, tree len,
1881 gimple_stmt_iterator *iter,
1882 location_t location, bool is_store)
1884 if (!POINTER_TYPE_P (TREE_TYPE (base))
1885 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
1886 || integer_zerop (len))
1889 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
1891 if ((size_in_bytes == -1)
1892 || !has_mem_ref_been_instrumented (base, size_in_bytes))
1894 build_check_stmt (location, base, len, size_in_bytes, iter,
1895 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
1896 is_store, /*is_scalar_access*/false, /*align*/0);
1899 maybe_update_mem_ref_hash_table (base, len);
1900 *iter = gsi_for_stmt (gsi_stmt (*iter));
1903 /* Instrument the call to a built-in memory access function that is
1904 pointed to by the iterator ITER.
1906 Upon completion, return TRUE iff *ITER has been advanced to the
1907 statement following the one it was originally pointing to. */
1910 instrument_builtin_call (gimple_stmt_iterator *iter)
1912 if (!ASAN_MEMINTRIN)
1915 bool iter_advanced_p = false;
1916 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
1918 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
1920 location_t loc = gimple_location (call);
1922 asan_mem_ref src0, src1, dest;
1923 asan_mem_ref_init (&src0, NULL, 1);
1924 asan_mem_ref_init (&src1, NULL, 1);
1925 asan_mem_ref_init (&dest, NULL, 1);
1927 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1928 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
1929 dest_is_deref = false, intercepted_p = true;
1931 if (get_mem_refs_of_builtin_call (call,
1932 &src0, &src0_len, &src0_is_store,
1933 &src1, &src1_len, &src1_is_store,
1934 &dest, &dest_len, &dest_is_store,
1935 &dest_is_deref, &intercepted_p))
1939 instrument_derefs (iter, dest.start, loc, dest_is_store);
1941 iter_advanced_p = true;
1943 else if (!intercepted_p
1944 && (src0_len || src1_len || dest_len))
1946 if (src0.start != NULL_TREE)
1947 instrument_mem_region_access (src0.start, src0_len,
1948 iter, loc, /*is_store=*/false);
1949 if (src1.start != NULL_TREE)
1950 instrument_mem_region_access (src1.start, src1_len,
1951 iter, loc, /*is_store=*/false);
1952 if (dest.start != NULL_TREE)
1953 instrument_mem_region_access (dest.start, dest_len,
1954 iter, loc, /*is_store=*/true);
1956 *iter = gsi_for_stmt (call);
1958 iter_advanced_p = true;
1962 if (src0.start != NULL_TREE)
1963 maybe_update_mem_ref_hash_table (src0.start, src0_len);
1964 if (src1.start != NULL_TREE)
1965 maybe_update_mem_ref_hash_table (src1.start, src1_len);
1966 if (dest.start != NULL_TREE)
1967 maybe_update_mem_ref_hash_table (dest.start, dest_len);
1970 return iter_advanced_p;
1973 /* Instrument the assignment statement ITER if it is subject to
1974 instrumentation. Return TRUE iff instrumentation actually
1975 happened. In that case, the iterator ITER is advanced to the next
1976 logical expression following the one initially pointed to by ITER,
1977 and the relevant memory reference that which access has been
1978 instrumented is added to the memory references hash table. */
1981 maybe_instrument_assignment (gimple_stmt_iterator *iter)
1983 gimple s = gsi_stmt (*iter);
1985 gcc_assert (gimple_assign_single_p (s));
1987 tree ref_expr = NULL_TREE;
1988 bool is_store, is_instrumented = false;
1990 if (gimple_store_p (s))
1992 ref_expr = gimple_assign_lhs (s);
1994 instrument_derefs (iter, ref_expr,
1995 gimple_location (s),
1997 is_instrumented = true;
2000 if (gimple_assign_load_p (s))
2002 ref_expr = gimple_assign_rhs1 (s);
2004 instrument_derefs (iter, ref_expr,
2005 gimple_location (s),
2007 is_instrumented = true;
2010 if (is_instrumented)
2013 return is_instrumented;
2016 /* Instrument the function call pointed to by the iterator ITER, if it
2017 is subject to instrumentation. At the moment, the only function
2018 calls that are instrumented are some built-in functions that access
2019 memory. Look at instrument_builtin_call to learn more.
2021 Upon completion return TRUE iff *ITER was advanced to the statement
2022 following the one it was originally pointing to. */
2025 maybe_instrument_call (gimple_stmt_iterator *iter)
2027 gimple stmt = gsi_stmt (*iter);
2028 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2030 if (is_builtin && instrument_builtin_call (iter))
2033 if (gimple_call_noreturn_p (stmt))
2037 tree callee = gimple_call_fndecl (stmt);
2038 switch (DECL_FUNCTION_CODE (callee))
2040 case BUILT_IN_UNREACHABLE:
2042 /* Don't instrument these. */
2048 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2049 gimple g = gimple_build_call (decl, 0);
2050 gimple_set_location (g, gimple_location (stmt));
2051 gsi_insert_before (iter, g, GSI_SAME_STMT);
2056 /* Walk each instruction of all basic block and instrument those that
2057 represent memory references: loads, stores, or function calls.
2058 In a given basic block, this function avoids instrumenting memory
2059 references that have already been instrumented. */
2062 transform_statements (void)
2064 basic_block bb, last_bb = NULL;
2065 gimple_stmt_iterator i;
2066 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2068 FOR_EACH_BB_FN (bb, cfun)
2070 basic_block prev_bb = bb;
2072 if (bb->index >= saved_last_basic_block) continue;
2074 /* Flush the mem ref hash table, if current bb doesn't have
2075 exactly one predecessor, or if that predecessor (skipping
2076 over asan created basic blocks) isn't the last processed
2077 basic block. Thus we effectively flush on extended basic
2078 block boundaries. */
2079 while (single_pred_p (prev_bb))
2081 prev_bb = single_pred (prev_bb);
2082 if (prev_bb->index < saved_last_basic_block)
2085 if (prev_bb != last_bb)
2086 empty_mem_ref_hash_table ();
2089 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2091 gimple s = gsi_stmt (i);
2093 if (has_stmt_been_instrumented_p (s))
2095 else if (gimple_assign_single_p (s)
2096 && !gimple_clobber_p (s)
2097 && maybe_instrument_assignment (&i))
2098 /* Nothing to do as maybe_instrument_assignment advanced
2100 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2101 /* Nothing to do as maybe_instrument_call
2102 advanced the iterator I. */;
2105 /* No instrumentation happened.
2107 If the current instruction is a function call that
2108 might free something, let's forget about the memory
2109 references that got instrumented. Otherwise we might
2110 miss some instrumentation opportunities. */
2111 if (is_gimple_call (s) && !nonfreeing_call_p (s))
2112 empty_mem_ref_hash_table ();
2118 free_mem_ref_resources ();
2122 __asan_before_dynamic_init (module_name)
2124 __asan_after_dynamic_init ()
2128 asan_dynamic_init_call (bool after_p)
2130 tree fn = builtin_decl_implicit (after_p
2131 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2132 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2133 tree module_name_cst = NULL_TREE;
2136 pretty_printer module_name_pp;
2137 pp_string (&module_name_pp, main_input_filename);
2139 if (shadow_ptr_types[0] == NULL_TREE)
2140 asan_init_shadow_ptr_types ();
2141 module_name_cst = asan_pp_string (&module_name_pp);
2142 module_name_cst = fold_convert (const_ptr_type_node,
2146 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2150 struct __asan_global
2154 uptr __size_with_redzone;
2156 const void *__module_name;
2157 uptr __has_dynamic_init;
2158 __asan_global_source_location *__location;
2162 asan_global_struct (void)
2164 static const char *field_names[7]
2165 = { "__beg", "__size", "__size_with_redzone",
2166 "__name", "__module_name", "__has_dynamic_init", "__location"};
2167 tree fields[7], ret;
2170 ret = make_node (RECORD_TYPE);
2171 for (i = 0; i < 7; i++)
2174 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2175 get_identifier (field_names[i]),
2176 (i == 0 || i == 3) ? const_ptr_type_node
2177 : pointer_sized_int_node);
2178 DECL_CONTEXT (fields[i]) = ret;
2180 DECL_CHAIN (fields[i - 1]) = fields[i];
2182 tree type_decl = build_decl (input_location, TYPE_DECL,
2183 get_identifier ("__asan_global"), ret);
2184 DECL_IGNORED_P (type_decl) = 1;
2185 DECL_ARTIFICIAL (type_decl) = 1;
2186 TYPE_FIELDS (ret) = fields[0];
2187 TYPE_NAME (ret) = type_decl;
2188 TYPE_STUB_DECL (ret) = type_decl;
2193 /* Append description of a single global DECL into vector V.
2194 TYPE is __asan_global struct type as returned by asan_global_struct. */
2197 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2199 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2200 unsigned HOST_WIDE_INT size;
2201 tree str_cst, module_name_cst, refdecl = decl;
2202 vec<constructor_elt, va_gc> *vinner = NULL;
2204 pretty_printer asan_pp, module_name_pp;
2206 if (DECL_NAME (decl))
2207 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2209 pp_string (&asan_pp, "<unknown>");
2210 str_cst = asan_pp_string (&asan_pp);
2212 pp_string (&module_name_pp, main_input_filename);
2213 module_name_cst = asan_pp_string (&module_name_pp);
2215 if (asan_needs_local_alias (decl))
2218 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2219 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2220 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2221 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2222 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2223 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2224 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2225 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2226 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2227 TREE_STATIC (refdecl) = 1;
2228 TREE_PUBLIC (refdecl) = 0;
2229 TREE_USED (refdecl) = 1;
2230 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2233 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2234 fold_convert (const_ptr_type_node,
2235 build_fold_addr_expr (refdecl)));
2236 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2237 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2238 size += asan_red_zone_size (size);
2239 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2240 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2241 fold_convert (const_ptr_type_node, str_cst));
2242 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2243 fold_convert (const_ptr_type_node, module_name_cst));
2244 varpool_node *vnode = varpool_node::get (decl);
2245 int has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2246 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2247 build_int_cst (uptr, has_dynamic_init));
2248 tree locptr = NULL_TREE;
2249 location_t loc = DECL_SOURCE_LOCATION (decl);
2250 expanded_location xloc = expand_location (loc);
2251 if (xloc.file != NULL)
2253 static int lasanloccnt = 0;
2255 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2256 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2257 ubsan_get_source_location_type ());
2258 TREE_STATIC (var) = 1;
2259 TREE_PUBLIC (var) = 0;
2260 DECL_ARTIFICIAL (var) = 1;
2261 DECL_IGNORED_P (var) = 1;
2262 pretty_printer filename_pp;
2263 pp_string (&filename_pp, xloc.file);
2264 tree str = asan_pp_string (&filename_pp);
2265 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2266 NULL_TREE, str, NULL_TREE,
2267 build_int_cst (unsigned_type_node,
2268 xloc.line), NULL_TREE,
2269 build_int_cst (unsigned_type_node,
2271 TREE_CONSTANT (ctor) = 1;
2272 TREE_STATIC (ctor) = 1;
2273 DECL_INITIAL (var) = ctor;
2274 varpool_node::finalize_decl (var);
2275 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2278 locptr = build_int_cst (uptr, 0);
2279 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2280 init = build_constructor (type, vinner);
2281 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2284 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2286 initialize_sanitizer_builtins (void)
2290 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2293 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2295 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2296 tree BT_FN_VOID_CONST_PTR
2297 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2298 tree BT_FN_VOID_PTR_PTR
2299 = build_function_type_list (void_type_node, ptr_type_node,
2300 ptr_type_node, NULL_TREE);
2301 tree BT_FN_VOID_PTR_PTR_PTR
2302 = build_function_type_list (void_type_node, ptr_type_node,
2303 ptr_type_node, ptr_type_node, NULL_TREE);
2304 tree BT_FN_VOID_PTR_PTRMODE
2305 = build_function_type_list (void_type_node, ptr_type_node,
2306 pointer_sized_int_node, NULL_TREE);
2308 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2309 tree BT_FN_SIZE_CONST_PTR_INT
2310 = build_function_type_list (size_type_node, const_ptr_type_node,
2311 integer_type_node, NULL_TREE);
2312 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2313 tree BT_FN_IX_CONST_VPTR_INT[5];
2314 tree BT_FN_IX_VPTR_IX_INT[5];
2315 tree BT_FN_VOID_VPTR_IX_INT[5];
2317 = build_pointer_type (build_qualified_type (void_type_node,
2318 TYPE_QUAL_VOLATILE));
2320 = build_pointer_type (build_qualified_type (void_type_node,
2324 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2326 for (i = 0; i < 5; i++)
2328 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2329 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2330 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2331 integer_type_node, integer_type_node,
2333 BT_FN_IX_CONST_VPTR_INT[i]
2334 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2335 BT_FN_IX_VPTR_IX_INT[i]
2336 = build_function_type_list (ix, vptr, ix, integer_type_node,
2338 BT_FN_VOID_VPTR_IX_INT[i]
2339 = build_function_type_list (void_type_node, vptr, ix,
2340 integer_type_node, NULL_TREE);
2342 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2343 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2344 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2345 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2346 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2347 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2348 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2349 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2350 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2351 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2352 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2353 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2354 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2355 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2356 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2357 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2358 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2359 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2360 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2361 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2362 #undef ATTR_NOTHROW_LEAF_LIST
2363 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2364 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2365 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2366 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2367 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2368 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2369 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2370 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2371 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2372 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2373 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2374 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2375 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2376 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2377 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2378 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2379 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2380 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2381 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2382 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2383 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2384 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2385 #undef DEF_SANITIZER_BUILTIN
2386 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2387 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2388 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2389 set_call_expr_flags (decl, ATTRS); \
2390 set_builtin_decl (ENUM, decl, true);
2392 #include "sanitizer.def"
2394 /* -fsanitize=object-size uses __builtin_object_size, but that might
2395 not be available for e.g. Fortran at this point. We use
2396 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2397 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2398 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2399 DEF_SANITIZER_BUILTIN (BUILT_IN_OBJECT_SIZE, "object_size",
2400 BT_FN_SIZE_CONST_PTR_INT,
2401 ATTR_PURE_NOTHROW_LEAF_LIST)
2403 #undef DEF_SANITIZER_BUILTIN
2406 /* Called via htab_traverse. Count number of emitted
2407 STRING_CSTs in the constant hash table. */
2410 count_string_csts (constant_descriptor_tree **slot,
2411 unsigned HOST_WIDE_INT *data)
2413 struct constant_descriptor_tree *desc = *slot;
2414 if (TREE_CODE (desc->value) == STRING_CST
2415 && TREE_ASM_WRITTEN (desc->value)
2416 && asan_protect_global (desc->value))
2421 /* Helper structure to pass two parameters to
2424 struct asan_add_string_csts_data
2427 vec<constructor_elt, va_gc> *v;
2430 /* Called via hash_table::traverse. Call asan_add_global
2431 on emitted STRING_CSTs from the constant hash table. */
2434 add_string_csts (constant_descriptor_tree **slot,
2435 asan_add_string_csts_data *aascd)
2437 struct constant_descriptor_tree *desc = *slot;
2438 if (TREE_CODE (desc->value) == STRING_CST
2439 && TREE_ASM_WRITTEN (desc->value)
2440 && asan_protect_global (desc->value))
2442 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
2443 aascd->type, aascd->v);
2448 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2449 invoke ggc_collect. */
2450 static GTY(()) tree asan_ctor_statements;
2452 /* Module-level instrumentation.
2453 - Insert __asan_init_vN() into the list of CTORs.
2454 - TODO: insert redzones around globals.
2458 asan_finish_file (void)
2460 varpool_node *vnode;
2461 unsigned HOST_WIDE_INT gcount = 0;
2463 if (shadow_ptr_types[0] == NULL_TREE)
2464 asan_init_shadow_ptr_types ();
2465 /* Avoid instrumenting code in the asan ctors/dtors.
2466 We don't need to insert padding after the description strings,
2467 nor after .LASAN* array. */
2468 flag_sanitize &= ~SANITIZE_ADDRESS;
2470 /* For user-space we want asan constructors to run first.
2471 Linux kernel does not support priorities other than default, and the only
2472 other user of constructors is coverage. So we run with the default
2474 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
2475 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
2477 if (flag_sanitize & SANITIZE_USER_ADDRESS)
2479 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
2480 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
2482 FOR_EACH_DEFINED_VARIABLE (vnode)
2483 if (TREE_ASM_WRITTEN (vnode->decl)
2484 && asan_protect_global (vnode->decl))
2486 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
2487 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
2491 tree type = asan_global_struct (), var, ctor;
2492 tree dtor_statements = NULL_TREE;
2493 vec<constructor_elt, va_gc> *v;
2496 type = build_array_type_nelts (type, gcount);
2497 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
2498 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2500 TREE_STATIC (var) = 1;
2501 TREE_PUBLIC (var) = 0;
2502 DECL_ARTIFICIAL (var) = 1;
2503 DECL_IGNORED_P (var) = 1;
2504 vec_alloc (v, gcount);
2505 FOR_EACH_DEFINED_VARIABLE (vnode)
2506 if (TREE_ASM_WRITTEN (vnode->decl)
2507 && asan_protect_global (vnode->decl))
2508 asan_add_global (vnode->decl, TREE_TYPE (type), v);
2509 struct asan_add_string_csts_data aascd;
2510 aascd.type = TREE_TYPE (type);
2512 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
2514 ctor = build_constructor (type, v);
2515 TREE_CONSTANT (ctor) = 1;
2516 TREE_STATIC (ctor) = 1;
2517 DECL_INITIAL (var) = ctor;
2518 varpool_node::finalize_decl (var);
2520 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
2521 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
2522 append_to_statement_list (build_call_expr (fn, 2,
2523 build_fold_addr_expr (var),
2525 &asan_ctor_statements);
2527 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
2528 append_to_statement_list (build_call_expr (fn, 2,
2529 build_fold_addr_expr (var),
2532 cgraph_build_static_cdtor ('D', dtor_statements, priority);
2534 if (asan_ctor_statements)
2535 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
2536 flag_sanitize |= SANITIZE_ADDRESS;
2539 /* Expand the ASAN_{LOAD,STORE} builtins. */
2542 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
2544 gimple g = gsi_stmt (*iter);
2545 location_t loc = gimple_location (g);
2548 = (flag_sanitize & flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
2550 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
2551 gcc_assert (flags < ASAN_CHECK_LAST);
2552 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
2553 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
2554 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
2556 tree base = gimple_call_arg (g, 1);
2557 tree len = gimple_call_arg (g, 2);
2558 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
2560 HOST_WIDE_INT size_in_bytes
2561 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2565 /* Instrument using callbacks. */
2566 gimple g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2568 gimple_set_location (g, loc);
2569 gsi_insert_before (iter, g, GSI_SAME_STMT);
2570 tree base_addr = gimple_assign_lhs (g);
2573 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
2575 g = gimple_build_call (fun, 1, base_addr);
2578 gcc_assert (nargs == 2);
2579 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2581 gimple_set_location (g, loc);
2582 gsi_insert_before (iter, g, GSI_SAME_STMT);
2583 tree sz_arg = gimple_assign_lhs (g);
2584 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
2586 gimple_set_location (g, loc);
2587 gsi_replace (iter, g, false);
2591 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
2593 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
2594 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2596 gimple_stmt_iterator gsi = *iter;
2598 if (!is_non_zero_len)
2600 /* So, the length of the memory area to asan-protect is
2601 non-constant. Let's guard the generated instrumentation code
2606 //asan instrumentation code goes here.
2608 // falltrough instructions, starting with *ITER. */
2610 g = gimple_build_cond (NE_EXPR,
2612 build_int_cst (TREE_TYPE (len), 0),
2613 NULL_TREE, NULL_TREE);
2614 gimple_set_location (g, loc);
2616 basic_block then_bb, fallthrough_bb;
2617 insert_if_then_before_iter (as_a <gcond *> (g), iter,
2618 /*then_more_likely_p=*/true,
2619 &then_bb, &fallthrough_bb);
2620 /* Note that fallthrough_bb starts with the statement that was
2621 pointed to by ITER. */
2623 /* The 'then block' of the 'if (len != 0) condition is where
2624 we'll generate the asan instrumentation code now. */
2625 gsi = gsi_last_bb (then_bb);
2628 /* Get an iterator on the point where we can add the condition
2629 statement for the instrumentation. */
2630 basic_block then_bb, else_bb;
2631 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
2632 /*then_more_likely_p=*/false,
2633 /*create_then_fallthru_edge*/recover_p,
2637 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2639 gimple_set_location (g, loc);
2640 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
2641 tree base_addr = gimple_assign_lhs (g);
2644 if (real_size_in_bytes >= 8)
2646 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2652 /* Slow path for 1, 2 and 4 byte accesses. */
2653 /* Test (shadow != 0)
2654 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
2655 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
2657 gimple shadow_test = build_assign (NE_EXPR, shadow, 0);
2658 gimple_seq seq = NULL;
2659 gimple_seq_add_stmt (&seq, shadow_test);
2660 /* Aligned (>= 8 bytes) can test just
2661 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
2665 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2667 gimple_seq_add_stmt (&seq,
2668 build_type_cast (shadow_type,
2669 gimple_seq_last (seq)));
2670 if (real_size_in_bytes > 1)
2671 gimple_seq_add_stmt (&seq,
2672 build_assign (PLUS_EXPR,
2673 gimple_seq_last (seq),
2674 real_size_in_bytes - 1));
2675 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
2678 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
2679 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
2680 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
2681 gimple_seq_last (seq)));
2682 t = gimple_assign_lhs (gimple_seq_last (seq));
2683 gimple_seq_set_location (seq, loc);
2684 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
2686 /* For non-constant, misaligned or otherwise weird access sizes,
2687 check first and last byte. */
2688 if (size_in_bytes == -1)
2690 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2692 build_int_cst (pointer_sized_int_node, 1));
2693 gimple_set_location (g, loc);
2694 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2695 tree last = gimple_assign_lhs (g);
2696 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2697 PLUS_EXPR, base_addr, last);
2698 gimple_set_location (g, loc);
2699 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2700 tree base_end_addr = gimple_assign_lhs (g);
2702 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
2704 gimple shadow_test = build_assign (NE_EXPR, shadow, 0);
2705 gimple_seq seq = NULL;
2706 gimple_seq_add_stmt (&seq, shadow_test);
2707 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
2709 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
2710 gimple_seq_last (seq)));
2711 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
2712 gimple_seq_last (seq),
2714 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
2715 gimple_seq_last (seq)));
2716 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
2717 gimple_seq_last (seq)));
2718 t = gimple_assign_lhs (gimple_seq_last (seq));
2719 gimple_seq_set_location (seq, loc);
2720 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
2724 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
2725 NULL_TREE, NULL_TREE);
2726 gimple_set_location (g, loc);
2727 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2729 /* Generate call to the run-time library (e.g. __asan_report_load8). */
2730 gsi = gsi_start_bb (then_bb);
2732 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
2733 g = gimple_build_call (fun, nargs, base_addr, len);
2734 gimple_set_location (g, loc);
2735 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2737 gsi_remove (iter, true);
2738 *iter = gsi_start_bb (else_bb);
2743 /* Instrument the current function. */
2746 asan_instrument (void)
2748 if (shadow_ptr_types[0] == NULL_TREE)
2749 asan_init_shadow_ptr_types ();
2750 transform_statements ();
2757 return (flag_sanitize & SANITIZE_ADDRESS) != 0
2758 && !lookup_attribute ("no_sanitize_address",
2759 DECL_ATTRIBUTES (current_function_decl));
2764 const pass_data pass_data_asan =
2766 GIMPLE_PASS, /* type */
2768 OPTGROUP_NONE, /* optinfo_flags */
2769 TV_NONE, /* tv_id */
2770 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
2771 0, /* properties_provided */
2772 0, /* properties_destroyed */
2773 0, /* todo_flags_start */
2774 TODO_update_ssa, /* todo_flags_finish */
2777 class pass_asan : public gimple_opt_pass
2780 pass_asan (gcc::context *ctxt)
2781 : gimple_opt_pass (pass_data_asan, ctxt)
2784 /* opt_pass methods: */
2785 opt_pass * clone () { return new pass_asan (m_ctxt); }
2786 virtual bool gate (function *) { return gate_asan (); }
2787 virtual unsigned int execute (function *) { return asan_instrument (); }
2789 }; // class pass_asan
2794 make_pass_asan (gcc::context *ctxt)
2796 return new pass_asan (ctxt);
2801 const pass_data pass_data_asan_O0 =
2803 GIMPLE_PASS, /* type */
2805 OPTGROUP_NONE, /* optinfo_flags */
2806 TV_NONE, /* tv_id */
2807 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
2808 0, /* properties_provided */
2809 0, /* properties_destroyed */
2810 0, /* todo_flags_start */
2811 TODO_update_ssa, /* todo_flags_finish */
2814 class pass_asan_O0 : public gimple_opt_pass
2817 pass_asan_O0 (gcc::context *ctxt)
2818 : gimple_opt_pass (pass_data_asan_O0, ctxt)
2821 /* opt_pass methods: */
2822 virtual bool gate (function *) { return !optimize && gate_asan (); }
2823 virtual unsigned int execute (function *) { return asan_instrument (); }
2825 }; // class pass_asan_O0
2830 make_pass_asan_O0 (gcc::context *ctxt)
2832 return new pass_asan_O0 (ctxt);
2835 #include "gt-asan.h"
ftigeot's projects / dragonfly.git / blob