1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2013 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
24 #include "coretypes.h"
27 #include "tree-iterator.h"
29 #include "tree-ssanames.h"
30 #include "tree-pass.h"
32 #include "gimple-pretty-print.h"
38 #include "langhooks.h"
39 #include "hash-table.h"
40 #include "alloc-pool.h"
42 #include "gimple-builder.h"
44 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
45 with <2x slowdown on average.
47 The tool consists of two parts:
48 instrumentation module (this file) and a run-time library.
49 The instrumentation module adds a run-time check before every memory insn.
50 For a 8- or 16- byte load accessing address X:
51 ShadowAddr = (X >> 3) + Offset
52 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
54 __asan_report_load8(X);
55 For a load of N bytes (N=1, 2 or 4) from address X:
56 ShadowAddr = (X >> 3) + Offset
57 ShadowValue = *(char*)ShadowAddr;
59 if ((X & 7) + N - 1 > ShadowValue)
60 __asan_report_loadN(X);
61 Stores are instrumented similarly, but using __asan_report_storeN functions.
62 A call too __asan_init() is inserted to the list of module CTORs.
64 The run-time library redefines malloc (so that redzone are inserted around
65 the allocated memory) and free (so that reuse of free-ed memory is delayed),
66 provides __asan_report* and __asan_init functions.
69 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
71 The current implementation supports detection of out-of-bounds and
72 use-after-free in the heap, on the stack and for global variables.
74 [Protection of stack variables]
76 To understand how detection of out-of-bounds and use-after-free works
77 for stack variables, lets look at this example on x86_64 where the
92 For this function, the stack protected by asan will be organized as
93 follows, from the top of the stack to the bottom:
95 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
97 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
98 the next slot be 32 bytes aligned; this one is called Partial
99 Redzone; this 32 bytes alignment is an asan constraint]
101 Slot 3/ [24 bytes for variable 'a']
103 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
105 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
107 Slot 6/ [8 bytes for variable 'b']
109 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
112 The 32 bytes of LEFT red zone at the bottom of the stack can be
115 1/ The first 8 bytes contain a magical asan number that is always
118 2/ The following 8 bytes contains a pointer to a string (to be
119 parsed at runtime by the runtime asan library), which format is
122 "<function-name> <space> <num-of-variables-on-the-stack>
123 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
124 <length-of-var-in-bytes> ){n} "
126 where '(...){n}' means the content inside the parenthesis occurs 'n'
127 times, with 'n' being the number of variables on the stack.
129 3/ The following 16 bytes of the red zone have no particular
132 The shadow memory for that stack layout is going to look like this:
134 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
135 The F1 byte pattern is a magic number called
136 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
137 the memory for that shadow byte is part of a the LEFT red zone
138 intended to seat at the bottom of the variables on the stack.
140 - content of shadow memory 8 bytes for slots 6 and 5:
141 0xF4F4F400. The F4 byte pattern is a magic number
142 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
143 memory region for this shadow byte is a PARTIAL red zone
144 intended to pad a variable A, so that the slot following
145 {A,padding} is 32 bytes aligned.
147 Note that the fact that the least significant byte of this
148 shadow memory content is 00 means that 8 bytes of its
149 corresponding memory (which corresponds to the memory of
150 variable 'b') is addressable.
152 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
153 The F2 byte pattern is a magic number called
154 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
155 region for this shadow byte is a MIDDLE red zone intended to
156 seat between two 32 aligned slots of {variable,padding}.
158 - content of shadow memory 8 bytes for slot 3 and 2:
159 0xF4000000. This represents is the concatenation of
160 variable 'a' and the partial red zone following it, like what we
161 had for variable 'b'. The least significant 3 bytes being 00
162 means that the 3 bytes of variable 'a' are addressable.
164 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
165 The F3 byte pattern is a magic number called
166 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
167 region for this shadow byte is a RIGHT red zone intended to seat
168 at the top of the variables of the stack.
170 Note that the real variable layout is done in expand_used_vars in
171 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
172 stack variables as well as the different red zones, emits some
173 prologue code to populate the shadow memory as to poison (mark as
174 non-accessible) the regions of the red zones and mark the regions of
175 stack variables as accessible, and emit some epilogue code to
176 un-poison (mark as accessible) the regions of red zones right before
179 [Protection of global variables]
181 The basic idea is to insert a red zone between two global variables
182 and install a constructor function that calls the asan runtime to do
183 the populating of the relevant shadow memory regions at load time.
185 So the global variables are laid out as to insert a red zone between
186 them. The size of the red zones is so that each variable starts on a
189 Then a constructor function is installed so that, for each global
190 variable, it calls the runtime asan library function
191 __asan_register_globals_with an instance of this type:
195 // Address of the beginning of the global variable.
198 // Initial size of the global variable.
201 // Size of the global variable + size of the red zone. This
202 // size is 32 bytes aligned.
203 uptr __size_with_redzone;
205 // Name of the global variable.
208 // This is always set to NULL for now.
209 uptr __has_dynamic_init;
212 A destructor function that calls the runtime asan library function
213 _asan_unregister_globals is also installed. */
215 alias_set_type asan_shadow_set
= -1;
217 /* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
218 alias set is used for all shadow memory accesses. */
219 static GTY(()) tree shadow_ptr_types
[2];
221 /* Hashtable support for memory references used by gimple
224 /* This type represents a reference to a memory region. */
227 /* The expression of the beginning of the memory region. */
230 /* The size of the access (can be 1, 2, 4, 8, 16 for now). */
234 static alloc_pool asan_mem_ref_alloc_pool
;
236 /* This creates the alloc pool used to store the instances of
237 asan_mem_ref that are stored in the hash table asan_mem_ref_ht. */
240 asan_mem_ref_get_alloc_pool ()
242 if (asan_mem_ref_alloc_pool
== NULL
)
243 asan_mem_ref_alloc_pool
= create_alloc_pool ("asan_mem_ref",
244 sizeof (asan_mem_ref
),
246 return asan_mem_ref_alloc_pool
;
250 /* Initializes an instance of asan_mem_ref. */
253 asan_mem_ref_init (asan_mem_ref
*ref
, tree start
, char access_size
)
256 ref
->access_size
= access_size
;
259 /* Allocates memory for an instance of asan_mem_ref into the memory
260 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
261 START is the address of (or the expression pointing to) the
262 beginning of memory reference. ACCESS_SIZE is the size of the
263 access to the referenced memory. */
266 asan_mem_ref_new (tree start
, char access_size
)
269 (asan_mem_ref
*) pool_alloc (asan_mem_ref_get_alloc_pool ());
271 asan_mem_ref_init (ref
, start
, access_size
);
275 /* This builds and returns a pointer to the end of the memory region
276 that starts at START and of length LEN. */
279 asan_mem_ref_get_end (tree start
, tree len
)
281 if (len
== NULL_TREE
|| integer_zerop (len
))
284 return fold_build2 (POINTER_PLUS_EXPR
, TREE_TYPE (start
), start
, len
);
287 /* Return a tree expression that represents the end of the referenced
288 memory region. Beware that this function can actually build a new
292 asan_mem_ref_get_end (const asan_mem_ref
*ref
, tree len
)
294 return asan_mem_ref_get_end (ref
->start
, len
);
297 struct asan_mem_ref_hasher
298 : typed_noop_remove
<asan_mem_ref
>
300 typedef asan_mem_ref value_type
;
301 typedef asan_mem_ref compare_type
;
303 static inline hashval_t
hash (const value_type
*);
304 static inline bool equal (const value_type
*, const compare_type
*);
307 /* Hash a memory reference. */
310 asan_mem_ref_hasher::hash (const asan_mem_ref
*mem_ref
)
312 hashval_t h
= iterative_hash_expr (mem_ref
->start
, 0);
313 h
= iterative_hash_hashval_t (h
, mem_ref
->access_size
);
317 /* Compare two memory references. We accept the length of either
318 memory references to be NULL_TREE. */
321 asan_mem_ref_hasher::equal (const asan_mem_ref
*m1
,
322 const asan_mem_ref
*m2
)
324 return (m1
->access_size
== m2
->access_size
325 && operand_equal_p (m1
->start
, m2
->start
, 0));
328 static hash_table
<asan_mem_ref_hasher
> asan_mem_ref_ht
;
330 /* Returns a reference to the hash table containing memory references.
331 This function ensures that the hash table is created. Note that
332 this hash table is updated by the function
333 update_mem_ref_hash_table. */
335 static hash_table
<asan_mem_ref_hasher
> &
336 get_mem_ref_hash_table ()
338 if (!asan_mem_ref_ht
.is_created ())
339 asan_mem_ref_ht
.create (10);
341 return asan_mem_ref_ht
;
344 /* Clear all entries from the memory references hash table. */
347 empty_mem_ref_hash_table ()
349 if (asan_mem_ref_ht
.is_created ())
350 asan_mem_ref_ht
.empty ();
353 /* Free the memory references hash table. */
356 free_mem_ref_resources ()
358 if (asan_mem_ref_ht
.is_created ())
359 asan_mem_ref_ht
.dispose ();
361 if (asan_mem_ref_alloc_pool
)
363 free_alloc_pool (asan_mem_ref_alloc_pool
);
364 asan_mem_ref_alloc_pool
= NULL
;
368 /* Return true iff the memory reference REF has been instrumented. */
371 has_mem_ref_been_instrumented (tree ref
, char access_size
)
374 asan_mem_ref_init (&r
, ref
, access_size
);
376 return (get_mem_ref_hash_table ().find (&r
) != NULL
);
379 /* Return true iff the memory reference REF has been instrumented. */
382 has_mem_ref_been_instrumented (const asan_mem_ref
*ref
)
384 return has_mem_ref_been_instrumented (ref
->start
, ref
->access_size
);
387 /* Return true iff access to memory region starting at REF and of
388 length LEN has been instrumented. */
391 has_mem_ref_been_instrumented (const asan_mem_ref
*ref
, tree len
)
393 /* First let's see if the address of the beginning of REF has been
395 if (!has_mem_ref_been_instrumented (ref
))
400 /* Let's see if the end of the region has been instrumented. */
401 if (!has_mem_ref_been_instrumented (asan_mem_ref_get_end (ref
, len
),
408 /* Set REF to the memory reference present in a gimple assignment
409 ASSIGNMENT. Return true upon successful completion, false
413 get_mem_ref_of_assignment (const gimple assignment
,
417 gcc_assert (gimple_assign_single_p (assignment
));
419 if (gimple_store_p (assignment
)
420 && !gimple_clobber_p (assignment
))
422 ref
->start
= gimple_assign_lhs (assignment
);
423 *ref_is_store
= true;
425 else if (gimple_assign_load_p (assignment
))
427 ref
->start
= gimple_assign_rhs1 (assignment
);
428 *ref_is_store
= false;
433 ref
->access_size
= int_size_in_bytes (TREE_TYPE (ref
->start
));
437 /* Return the memory references contained in a gimple statement
438 representing a builtin call that has to do with memory access. */
441 get_mem_refs_of_builtin_call (const gimple call
,
453 gcc_checking_assert (gimple_call_builtin_p (call
, BUILT_IN_NORMAL
));
455 tree callee
= gimple_call_fndecl (call
);
456 tree source0
= NULL_TREE
, source1
= NULL_TREE
,
457 dest
= NULL_TREE
, len
= NULL_TREE
;
458 bool is_store
= true, got_reference_p
= false;
459 char access_size
= 1;
461 switch (DECL_FUNCTION_CODE (callee
))
463 /* (s, s, n) style memops. */
465 case BUILT_IN_MEMCMP
:
466 source0
= gimple_call_arg (call
, 0);
467 source1
= gimple_call_arg (call
, 1);
468 len
= gimple_call_arg (call
, 2);
471 /* (src, dest, n) style memops. */
473 source0
= gimple_call_arg (call
, 0);
474 dest
= gimple_call_arg (call
, 1);
475 len
= gimple_call_arg (call
, 2);
478 /* (dest, src, n) style memops. */
479 case BUILT_IN_MEMCPY
:
480 case BUILT_IN_MEMCPY_CHK
:
481 case BUILT_IN_MEMMOVE
:
482 case BUILT_IN_MEMMOVE_CHK
:
483 case BUILT_IN_MEMPCPY
:
484 case BUILT_IN_MEMPCPY_CHK
:
485 dest
= gimple_call_arg (call
, 0);
486 source0
= gimple_call_arg (call
, 1);
487 len
= gimple_call_arg (call
, 2);
490 /* (dest, n) style memops. */
492 dest
= gimple_call_arg (call
, 0);
493 len
= gimple_call_arg (call
, 1);
496 /* (dest, x, n) style memops*/
497 case BUILT_IN_MEMSET
:
498 case BUILT_IN_MEMSET_CHK
:
499 dest
= gimple_call_arg (call
, 0);
500 len
= gimple_call_arg (call
, 2);
503 case BUILT_IN_STRLEN
:
504 source0
= gimple_call_arg (call
, 0);
505 len
= gimple_call_lhs (call
);
508 /* And now the __atomic* and __sync builtins.
509 These are handled differently from the classical memory memory
510 access builtins above. */
512 case BUILT_IN_ATOMIC_LOAD_1
:
513 case BUILT_IN_ATOMIC_LOAD_2
:
514 case BUILT_IN_ATOMIC_LOAD_4
:
515 case BUILT_IN_ATOMIC_LOAD_8
:
516 case BUILT_IN_ATOMIC_LOAD_16
:
520 case BUILT_IN_SYNC_FETCH_AND_ADD_1
:
521 case BUILT_IN_SYNC_FETCH_AND_ADD_2
:
522 case BUILT_IN_SYNC_FETCH_AND_ADD_4
:
523 case BUILT_IN_SYNC_FETCH_AND_ADD_8
:
524 case BUILT_IN_SYNC_FETCH_AND_ADD_16
:
526 case BUILT_IN_SYNC_FETCH_AND_SUB_1
:
527 case BUILT_IN_SYNC_FETCH_AND_SUB_2
:
528 case BUILT_IN_SYNC_FETCH_AND_SUB_4
:
529 case BUILT_IN_SYNC_FETCH_AND_SUB_8
:
530 case BUILT_IN_SYNC_FETCH_AND_SUB_16
:
532 case BUILT_IN_SYNC_FETCH_AND_OR_1
:
533 case BUILT_IN_SYNC_FETCH_AND_OR_2
:
534 case BUILT_IN_SYNC_FETCH_AND_OR_4
:
535 case BUILT_IN_SYNC_FETCH_AND_OR_8
:
536 case BUILT_IN_SYNC_FETCH_AND_OR_16
:
538 case BUILT_IN_SYNC_FETCH_AND_AND_1
:
539 case BUILT_IN_SYNC_FETCH_AND_AND_2
:
540 case BUILT_IN_SYNC_FETCH_AND_AND_4
:
541 case BUILT_IN_SYNC_FETCH_AND_AND_8
:
542 case BUILT_IN_SYNC_FETCH_AND_AND_16
:
544 case BUILT_IN_SYNC_FETCH_AND_XOR_1
:
545 case BUILT_IN_SYNC_FETCH_AND_XOR_2
:
546 case BUILT_IN_SYNC_FETCH_AND_XOR_4
:
547 case BUILT_IN_SYNC_FETCH_AND_XOR_8
:
548 case BUILT_IN_SYNC_FETCH_AND_XOR_16
:
550 case BUILT_IN_SYNC_FETCH_AND_NAND_1
:
551 case BUILT_IN_SYNC_FETCH_AND_NAND_2
:
552 case BUILT_IN_SYNC_FETCH_AND_NAND_4
:
553 case BUILT_IN_SYNC_FETCH_AND_NAND_8
:
555 case BUILT_IN_SYNC_ADD_AND_FETCH_1
:
556 case BUILT_IN_SYNC_ADD_AND_FETCH_2
:
557 case BUILT_IN_SYNC_ADD_AND_FETCH_4
:
558 case BUILT_IN_SYNC_ADD_AND_FETCH_8
:
559 case BUILT_IN_SYNC_ADD_AND_FETCH_16
:
561 case BUILT_IN_SYNC_SUB_AND_FETCH_1
:
562 case BUILT_IN_SYNC_SUB_AND_FETCH_2
:
563 case BUILT_IN_SYNC_SUB_AND_FETCH_4
:
564 case BUILT_IN_SYNC_SUB_AND_FETCH_8
:
565 case BUILT_IN_SYNC_SUB_AND_FETCH_16
:
567 case BUILT_IN_SYNC_OR_AND_FETCH_1
:
568 case BUILT_IN_SYNC_OR_AND_FETCH_2
:
569 case BUILT_IN_SYNC_OR_AND_FETCH_4
:
570 case BUILT_IN_SYNC_OR_AND_FETCH_8
:
571 case BUILT_IN_SYNC_OR_AND_FETCH_16
:
573 case BUILT_IN_SYNC_AND_AND_FETCH_1
:
574 case BUILT_IN_SYNC_AND_AND_FETCH_2
:
575 case BUILT_IN_SYNC_AND_AND_FETCH_4
:
576 case BUILT_IN_SYNC_AND_AND_FETCH_8
:
577 case BUILT_IN_SYNC_AND_AND_FETCH_16
:
579 case BUILT_IN_SYNC_XOR_AND_FETCH_1
:
580 case BUILT_IN_SYNC_XOR_AND_FETCH_2
:
581 case BUILT_IN_SYNC_XOR_AND_FETCH_4
:
582 case BUILT_IN_SYNC_XOR_AND_FETCH_8
:
583 case BUILT_IN_SYNC_XOR_AND_FETCH_16
:
585 case BUILT_IN_SYNC_NAND_AND_FETCH_1
:
586 case BUILT_IN_SYNC_NAND_AND_FETCH_2
:
587 case BUILT_IN_SYNC_NAND_AND_FETCH_4
:
588 case BUILT_IN_SYNC_NAND_AND_FETCH_8
:
590 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1
:
591 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2
:
592 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4
:
593 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8
:
594 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16
:
596 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1
:
597 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2
:
598 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4
:
599 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8
:
600 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16
:
602 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1
:
603 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2
:
604 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4
:
605 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8
:
606 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16
:
608 case BUILT_IN_SYNC_LOCK_RELEASE_1
:
609 case BUILT_IN_SYNC_LOCK_RELEASE_2
:
610 case BUILT_IN_SYNC_LOCK_RELEASE_4
:
611 case BUILT_IN_SYNC_LOCK_RELEASE_8
:
612 case BUILT_IN_SYNC_LOCK_RELEASE_16
:
614 case BUILT_IN_ATOMIC_EXCHANGE_1
:
615 case BUILT_IN_ATOMIC_EXCHANGE_2
:
616 case BUILT_IN_ATOMIC_EXCHANGE_4
:
617 case BUILT_IN_ATOMIC_EXCHANGE_8
:
618 case BUILT_IN_ATOMIC_EXCHANGE_16
:
620 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1
:
621 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2
:
622 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4
:
623 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8
:
624 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16
:
626 case BUILT_IN_ATOMIC_STORE_1
:
627 case BUILT_IN_ATOMIC_STORE_2
:
628 case BUILT_IN_ATOMIC_STORE_4
:
629 case BUILT_IN_ATOMIC_STORE_8
:
630 case BUILT_IN_ATOMIC_STORE_16
:
632 case BUILT_IN_ATOMIC_ADD_FETCH_1
:
633 case BUILT_IN_ATOMIC_ADD_FETCH_2
:
634 case BUILT_IN_ATOMIC_ADD_FETCH_4
:
635 case BUILT_IN_ATOMIC_ADD_FETCH_8
:
636 case BUILT_IN_ATOMIC_ADD_FETCH_16
:
638 case BUILT_IN_ATOMIC_SUB_FETCH_1
:
639 case BUILT_IN_ATOMIC_SUB_FETCH_2
:
640 case BUILT_IN_ATOMIC_SUB_FETCH_4
:
641 case BUILT_IN_ATOMIC_SUB_FETCH_8
:
642 case BUILT_IN_ATOMIC_SUB_FETCH_16
:
644 case BUILT_IN_ATOMIC_AND_FETCH_1
:
645 case BUILT_IN_ATOMIC_AND_FETCH_2
:
646 case BUILT_IN_ATOMIC_AND_FETCH_4
:
647 case BUILT_IN_ATOMIC_AND_FETCH_8
:
648 case BUILT_IN_ATOMIC_AND_FETCH_16
:
650 case BUILT_IN_ATOMIC_NAND_FETCH_1
:
651 case BUILT_IN_ATOMIC_NAND_FETCH_2
:
652 case BUILT_IN_ATOMIC_NAND_FETCH_4
:
653 case BUILT_IN_ATOMIC_NAND_FETCH_8
:
654 case BUILT_IN_ATOMIC_NAND_FETCH_16
:
656 case BUILT_IN_ATOMIC_XOR_FETCH_1
:
657 case BUILT_IN_ATOMIC_XOR_FETCH_2
:
658 case BUILT_IN_ATOMIC_XOR_FETCH_4
:
659 case BUILT_IN_ATOMIC_XOR_FETCH_8
:
660 case BUILT_IN_ATOMIC_XOR_FETCH_16
:
662 case BUILT_IN_ATOMIC_OR_FETCH_1
:
663 case BUILT_IN_ATOMIC_OR_FETCH_2
:
664 case BUILT_IN_ATOMIC_OR_FETCH_4
:
665 case BUILT_IN_ATOMIC_OR_FETCH_8
:
666 case BUILT_IN_ATOMIC_OR_FETCH_16
:
668 case BUILT_IN_ATOMIC_FETCH_ADD_1
:
669 case BUILT_IN_ATOMIC_FETCH_ADD_2
:
670 case BUILT_IN_ATOMIC_FETCH_ADD_4
:
671 case BUILT_IN_ATOMIC_FETCH_ADD_8
:
672 case BUILT_IN_ATOMIC_FETCH_ADD_16
:
674 case BUILT_IN_ATOMIC_FETCH_SUB_1
:
675 case BUILT_IN_ATOMIC_FETCH_SUB_2
:
676 case BUILT_IN_ATOMIC_FETCH_SUB_4
:
677 case BUILT_IN_ATOMIC_FETCH_SUB_8
:
678 case BUILT_IN_ATOMIC_FETCH_SUB_16
:
680 case BUILT_IN_ATOMIC_FETCH_AND_1
:
681 case BUILT_IN_ATOMIC_FETCH_AND_2
:
682 case BUILT_IN_ATOMIC_FETCH_AND_4
:
683 case BUILT_IN_ATOMIC_FETCH_AND_8
:
684 case BUILT_IN_ATOMIC_FETCH_AND_16
:
686 case BUILT_IN_ATOMIC_FETCH_NAND_1
:
687 case BUILT_IN_ATOMIC_FETCH_NAND_2
:
688 case BUILT_IN_ATOMIC_FETCH_NAND_4
:
689 case BUILT_IN_ATOMIC_FETCH_NAND_8
:
690 case BUILT_IN_ATOMIC_FETCH_NAND_16
:
692 case BUILT_IN_ATOMIC_FETCH_XOR_1
:
693 case BUILT_IN_ATOMIC_FETCH_XOR_2
:
694 case BUILT_IN_ATOMIC_FETCH_XOR_4
:
695 case BUILT_IN_ATOMIC_FETCH_XOR_8
:
696 case BUILT_IN_ATOMIC_FETCH_XOR_16
:
698 case BUILT_IN_ATOMIC_FETCH_OR_1
:
699 case BUILT_IN_ATOMIC_FETCH_OR_2
:
700 case BUILT_IN_ATOMIC_FETCH_OR_4
:
701 case BUILT_IN_ATOMIC_FETCH_OR_8
:
702 case BUILT_IN_ATOMIC_FETCH_OR_16
:
704 dest
= gimple_call_arg (call
, 0);
705 /* DEST represents the address of a memory location.
706 instrument_derefs wants the memory location, so lets
707 dereference the address DEST before handing it to
708 instrument_derefs. */
709 if (TREE_CODE (dest
) == ADDR_EXPR
)
710 dest
= TREE_OPERAND (dest
, 0);
711 else if (TREE_CODE (dest
) == SSA_NAME
)
712 dest
= build2 (MEM_REF
, TREE_TYPE (TREE_TYPE (dest
)),
713 dest
, build_int_cst (TREE_TYPE (dest
), 0));
717 access_size
= int_size_in_bytes (TREE_TYPE (dest
));
721 /* The other builtins memory access are not instrumented in this
722 function because they either don't have any length parameter,
723 or their length parameter is just a limit. */
727 if (len
!= NULL_TREE
)
729 if (source0
!= NULL_TREE
)
731 src0
->start
= source0
;
732 src0
->access_size
= access_size
;
734 *src0_is_store
= false;
737 if (source1
!= NULL_TREE
)
739 src1
->start
= source1
;
740 src1
->access_size
= access_size
;
742 *src1_is_store
= false;
745 if (dest
!= NULL_TREE
)
748 dst
->access_size
= access_size
;
750 *dst_is_store
= true;
753 got_reference_p
= true;
758 dst
->access_size
= access_size
;
759 *dst_len
= NULL_TREE
;
760 *dst_is_store
= is_store
;
761 *dest_is_deref
= true;
762 got_reference_p
= true;
765 return got_reference_p
;
768 /* Return true iff a given gimple statement has been instrumented.
769 Note that the statement is "defined" by the memory references it
773 has_stmt_been_instrumented_p (gimple stmt
)
775 if (gimple_assign_single_p (stmt
))
779 asan_mem_ref_init (&r
, NULL
, 1);
781 if (get_mem_ref_of_assignment (stmt
, &r
, &r_is_store
))
782 return has_mem_ref_been_instrumented (&r
);
784 else if (gimple_call_builtin_p (stmt
, BUILT_IN_NORMAL
))
786 asan_mem_ref src0
, src1
, dest
;
787 asan_mem_ref_init (&src0
, NULL
, 1);
788 asan_mem_ref_init (&src1
, NULL
, 1);
789 asan_mem_ref_init (&dest
, NULL
, 1);
791 tree src0_len
= NULL_TREE
, src1_len
= NULL_TREE
, dest_len
= NULL_TREE
;
792 bool src0_is_store
= false, src1_is_store
= false,
793 dest_is_store
= false, dest_is_deref
= false;
794 if (get_mem_refs_of_builtin_call (stmt
,
795 &src0
, &src0_len
, &src0_is_store
,
796 &src1
, &src1_len
, &src1_is_store
,
797 &dest
, &dest_len
, &dest_is_store
,
800 if (src0
.start
!= NULL_TREE
801 && !has_mem_ref_been_instrumented (&src0
, src0_len
))
804 if (src1
.start
!= NULL_TREE
805 && !has_mem_ref_been_instrumented (&src1
, src1_len
))
808 if (dest
.start
!= NULL_TREE
809 && !has_mem_ref_been_instrumented (&dest
, dest_len
))
818 /* Insert a memory reference into the hash table. */
821 update_mem_ref_hash_table (tree ref
, char access_size
)
823 hash_table
<asan_mem_ref_hasher
> ht
= get_mem_ref_hash_table ();
826 asan_mem_ref_init (&r
, ref
, access_size
);
828 asan_mem_ref
**slot
= ht
.find_slot (&r
, INSERT
);
830 *slot
= asan_mem_ref_new (ref
, access_size
);
833 /* Initialize shadow_ptr_types array. */
836 asan_init_shadow_ptr_types (void)
838 asan_shadow_set
= new_alias_set ();
839 shadow_ptr_types
[0] = build_distinct_type_copy (signed_char_type_node
);
840 TYPE_ALIAS_SET (shadow_ptr_types
[0]) = asan_shadow_set
;
841 shadow_ptr_types
[0] = build_pointer_type (shadow_ptr_types
[0]);
842 shadow_ptr_types
[1] = build_distinct_type_copy (short_integer_type_node
);
843 TYPE_ALIAS_SET (shadow_ptr_types
[1]) = asan_shadow_set
;
844 shadow_ptr_types
[1] = build_pointer_type (shadow_ptr_types
[1]);
845 initialize_sanitizer_builtins ();
848 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
851 asan_pp_string (pretty_printer
*pp
)
853 const char *buf
= pp_formatted_text (pp
);
854 size_t len
= strlen (buf
);
855 tree ret
= build_string (len
+ 1, buf
);
857 = build_array_type (TREE_TYPE (shadow_ptr_types
[0]),
858 build_index_type (size_int (len
)));
859 TREE_READONLY (ret
) = 1;
860 TREE_STATIC (ret
) = 1;
861 return build1 (ADDR_EXPR
, shadow_ptr_types
[0], ret
);
864 /* Return a CONST_INT representing 4 subsequent shadow memory bytes. */
867 asan_shadow_cst (unsigned char shadow_bytes
[4])
870 unsigned HOST_WIDE_INT val
= 0;
871 gcc_assert (WORDS_BIG_ENDIAN
== BYTES_BIG_ENDIAN
);
872 for (i
= 0; i
< 4; i
++)
873 val
|= (unsigned HOST_WIDE_INT
) shadow_bytes
[BYTES_BIG_ENDIAN
? 3 - i
: i
]
874 << (BITS_PER_UNIT
* i
);
875 return gen_int_mode (val
, SImode
);
878 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
882 asan_clear_shadow (rtx shadow_mem
, HOST_WIDE_INT len
)
884 rtx insn
, insns
, top_label
, end
, addr
, tmp
, jump
;
887 clear_storage (shadow_mem
, GEN_INT (len
), BLOCK_OP_NORMAL
);
888 insns
= get_insns ();
890 for (insn
= insns
; insn
; insn
= NEXT_INSN (insn
))
893 if (insn
== NULL_RTX
)
899 gcc_assert ((len
& 3) == 0);
900 top_label
= gen_label_rtx ();
901 addr
= copy_to_mode_reg (Pmode
, XEXP (shadow_mem
, 0));
902 shadow_mem
= adjust_automodify_address (shadow_mem
, SImode
, addr
, 0);
903 end
= force_reg (Pmode
, plus_constant (Pmode
, addr
, len
));
904 emit_label (top_label
);
906 emit_move_insn (shadow_mem
, const0_rtx
);
907 tmp
= expand_simple_binop (Pmode
, PLUS
, addr
, gen_int_mode (4, Pmode
), addr
,
908 true, OPTAB_LIB_WIDEN
);
910 emit_move_insn (addr
, tmp
);
911 emit_cmp_and_jump_insns (addr
, end
, LT
, NULL_RTX
, Pmode
, true, top_label
);
912 jump
= get_last_insn ();
913 gcc_assert (JUMP_P (jump
));
914 add_int_reg_note (jump
, REG_BR_PROB
, REG_BR_PROB_BASE
* 80 / 100);
917 /* Insert code to protect stack vars. The prologue sequence should be emitted
918 directly, epilogue sequence returned. BASE is the register holding the
919 stack base, against which OFFSETS array offsets are relative to, OFFSETS
920 array contains pairs of offsets in reverse order, always the end offset
921 of some gap that needs protection followed by starting offset,
922 and DECLS is an array of representative decls for each var partition.
923 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
924 elements long (OFFSETS include gap before the first variable as well
925 as gaps after each stack variable). */
928 asan_emit_stack_protection (rtx base
, HOST_WIDE_INT
*offsets
, tree
*decls
,
931 rtx shadow_base
, shadow_mem
, ret
, mem
;
932 unsigned char shadow_bytes
[4];
933 HOST_WIDE_INT base_offset
= offsets
[length
- 1], offset
, prev_offset
;
934 HOST_WIDE_INT last_offset
, last_size
;
936 unsigned char cur_shadow_byte
= ASAN_STACK_MAGIC_LEFT
;
939 if (shadow_ptr_types
[0] == NULL_TREE
)
940 asan_init_shadow_ptr_types ();
942 /* First of all, prepare the description string. */
943 pretty_printer asan_pp
;
945 if (DECL_NAME (current_function_decl
))
946 pp_tree_identifier (&asan_pp
, DECL_NAME (current_function_decl
));
948 pp_string (&asan_pp
, "<unknown>");
950 pp_decimal_int (&asan_pp
, length
/ 2 - 1);
952 for (l
= length
- 2; l
; l
-= 2)
954 tree decl
= decls
[l
/ 2 - 1];
955 pp_wide_integer (&asan_pp
, offsets
[l
] - base_offset
);
957 pp_wide_integer (&asan_pp
, offsets
[l
- 1] - offsets
[l
]);
959 if (DECL_P (decl
) && DECL_NAME (decl
))
961 pp_decimal_int (&asan_pp
, IDENTIFIER_LENGTH (DECL_NAME (decl
)));
963 pp_tree_identifier (&asan_pp
, DECL_NAME (decl
));
966 pp_string (&asan_pp
, "9 <unknown>");
969 str_cst
= asan_pp_string (&asan_pp
);
971 /* Emit the prologue sequence. */
972 base
= expand_binop (Pmode
, add_optab
, base
,
973 gen_int_mode (base_offset
, Pmode
),
974 NULL_RTX
, 1, OPTAB_DIRECT
);
975 mem
= gen_rtx_MEM (ptr_mode
, base
);
976 emit_move_insn (mem
, gen_int_mode (ASAN_STACK_FRAME_MAGIC
, ptr_mode
));
977 mem
= adjust_address (mem
, VOIDmode
, GET_MODE_SIZE (ptr_mode
));
978 emit_move_insn (mem
, expand_normal (str_cst
));
979 shadow_base
= expand_binop (Pmode
, lshr_optab
, base
,
980 GEN_INT (ASAN_SHADOW_SHIFT
),
981 NULL_RTX
, 1, OPTAB_DIRECT
);
982 shadow_base
= expand_binop (Pmode
, add_optab
, shadow_base
,
983 gen_int_mode (targetm
.asan_shadow_offset (),
985 NULL_RTX
, 1, OPTAB_DIRECT
);
986 gcc_assert (asan_shadow_set
!= -1
987 && (ASAN_RED_ZONE_SIZE
>> ASAN_SHADOW_SHIFT
) == 4);
988 shadow_mem
= gen_rtx_MEM (SImode
, shadow_base
);
989 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
990 prev_offset
= base_offset
;
991 for (l
= length
; l
; l
-= 2)
994 cur_shadow_byte
= ASAN_STACK_MAGIC_RIGHT
;
995 offset
= offsets
[l
- 1];
996 if ((offset
- base_offset
) & (ASAN_RED_ZONE_SIZE
- 1))
1000 = base_offset
+ ((offset
- base_offset
)
1001 & ~(ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
));
1002 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
1003 (aoff
- prev_offset
)
1004 >> ASAN_SHADOW_SHIFT
);
1006 for (i
= 0; i
< 4; i
++, aoff
+= (1 << ASAN_SHADOW_SHIFT
))
1009 if (aoff
< offset
- (1 << ASAN_SHADOW_SHIFT
) + 1)
1010 shadow_bytes
[i
] = 0;
1012 shadow_bytes
[i
] = offset
- aoff
;
1015 shadow_bytes
[i
] = ASAN_STACK_MAGIC_PARTIAL
;
1016 emit_move_insn (shadow_mem
, asan_shadow_cst (shadow_bytes
));
1019 while (offset
<= offsets
[l
- 2] - ASAN_RED_ZONE_SIZE
)
1021 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
1022 (offset
- prev_offset
)
1023 >> ASAN_SHADOW_SHIFT
);
1024 prev_offset
= offset
;
1025 memset (shadow_bytes
, cur_shadow_byte
, 4);
1026 emit_move_insn (shadow_mem
, asan_shadow_cst (shadow_bytes
));
1027 offset
+= ASAN_RED_ZONE_SIZE
;
1029 cur_shadow_byte
= ASAN_STACK_MAGIC_MIDDLE
;
1031 do_pending_stack_adjust ();
1033 /* Construct epilogue sequence. */
1036 shadow_mem
= gen_rtx_MEM (BLKmode
, shadow_base
);
1037 set_mem_alias_set (shadow_mem
, asan_shadow_set
);
1038 prev_offset
= base_offset
;
1039 last_offset
= base_offset
;
1041 for (l
= length
; l
; l
-= 2)
1043 offset
= base_offset
+ ((offsets
[l
- 1] - base_offset
)
1044 & ~(ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
));
1045 if (last_offset
+ last_size
!= offset
)
1047 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
1048 (last_offset
- prev_offset
)
1049 >> ASAN_SHADOW_SHIFT
);
1050 prev_offset
= last_offset
;
1051 asan_clear_shadow (shadow_mem
, last_size
>> ASAN_SHADOW_SHIFT
);
1052 last_offset
= offset
;
1055 last_size
+= base_offset
+ ((offsets
[l
- 2] - base_offset
)
1056 & ~(ASAN_RED_ZONE_SIZE
- HOST_WIDE_INT_1
))
1061 shadow_mem
= adjust_address (shadow_mem
, VOIDmode
,
1062 (last_offset
- prev_offset
)
1063 >> ASAN_SHADOW_SHIFT
);
1064 asan_clear_shadow (shadow_mem
, last_size
>> ASAN_SHADOW_SHIFT
);
1067 do_pending_stack_adjust ();
1074 /* Return true if DECL, a global var, might be overridden and needs
1075 therefore a local alias. */
1078 asan_needs_local_alias (tree decl
)
1080 return DECL_WEAK (decl
) || !targetm
.binds_local_p (decl
);
1083 /* Return true if DECL is a VAR_DECL that should be protected
1084 by Address Sanitizer, by appending a red zone with protected
1085 shadow memory after it and aligning it to at least
1086 ASAN_RED_ZONE_SIZE bytes. */
1089 asan_protect_global (tree decl
)
1093 if (TREE_CODE (decl
) == STRING_CST
)
1095 /* Instrument all STRING_CSTs except those created
1096 by asan_pp_string here. */
1097 if (shadow_ptr_types
[0] != NULL_TREE
1098 && TREE_CODE (TREE_TYPE (decl
)) == ARRAY_TYPE
1099 && TREE_TYPE (TREE_TYPE (decl
)) == TREE_TYPE (shadow_ptr_types
[0]))
1103 if (TREE_CODE (decl
) != VAR_DECL
1104 /* TLS vars aren't statically protectable. */
1105 || DECL_THREAD_LOCAL_P (decl
)
1106 /* Externs will be protected elsewhere. */
1107 || DECL_EXTERNAL (decl
)
1108 || !DECL_RTL_SET_P (decl
)
1109 /* Comdat vars pose an ABI problem, we can't know if
1110 the var that is selected by the linker will have
1112 || DECL_ONE_ONLY (decl
)
1113 /* Similarly for common vars. People can use -fno-common. */
1114 || (DECL_COMMON (decl
) && TREE_PUBLIC (decl
))
1115 /* Don't protect if using user section, often vars placed
1116 into user section from multiple TUs are then assumed
1117 to be an array of such vars, putting padding in there
1118 breaks this assumption. */
1119 || (DECL_SECTION_NAME (decl
) != NULL_TREE
1120 && !DECL_HAS_IMPLICIT_SECTION_NAME_P (decl
))
1121 || DECL_SIZE (decl
) == 0
1122 || ASAN_RED_ZONE_SIZE
* BITS_PER_UNIT
> MAX_OFILE_ALIGNMENT
1123 || !valid_constant_size_p (DECL_SIZE_UNIT (decl
))
1124 || DECL_ALIGN_UNIT (decl
) > 2 * ASAN_RED_ZONE_SIZE
)
1127 rtl
= DECL_RTL (decl
);
1128 if (!MEM_P (rtl
) || GET_CODE (XEXP (rtl
, 0)) != SYMBOL_REF
)
1130 symbol
= XEXP (rtl
, 0);
1132 if (CONSTANT_POOL_ADDRESS_P (symbol
)
1133 || TREE_CONSTANT_POOL_ADDRESS_P (symbol
))
1136 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl
)))
1139 #ifndef ASM_OUTPUT_DEF
1140 if (asan_needs_local_alias (decl
))
1147 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16}.
1148 IS_STORE is either 1 (for a store) or 0 (for a load).
1149 SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
1152 report_error_func (bool is_store
, int size_in_bytes
)
1154 static enum built_in_function report
[2][5]
1155 = { { BUILT_IN_ASAN_REPORT_LOAD1
, BUILT_IN_ASAN_REPORT_LOAD2
,
1156 BUILT_IN_ASAN_REPORT_LOAD4
, BUILT_IN_ASAN_REPORT_LOAD8
,
1157 BUILT_IN_ASAN_REPORT_LOAD16
},
1158 { BUILT_IN_ASAN_REPORT_STORE1
, BUILT_IN_ASAN_REPORT_STORE2
,
1159 BUILT_IN_ASAN_REPORT_STORE4
, BUILT_IN_ASAN_REPORT_STORE8
,
1160 BUILT_IN_ASAN_REPORT_STORE16
} };
1161 return builtin_decl_implicit (report
[is_store
][exact_log2 (size_in_bytes
)]);
1164 #define PROB_VERY_UNLIKELY (REG_BR_PROB_BASE / 2000 - 1)
1165 #define PROB_ALWAYS (REG_BR_PROB_BASE)
1167 /* Split the current basic block and create a condition statement
1168 insertion point right before or after the statement pointed to by
1169 ITER. Return an iterator to the point at which the caller might
1170 safely insert the condition statement.
1172 THEN_BLOCK must be set to the address of an uninitialized instance
1173 of basic_block. The function will then set *THEN_BLOCK to the
1174 'then block' of the condition statement to be inserted by the
1177 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1178 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1180 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1181 block' of the condition statement to be inserted by the caller.
1183 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1184 statements starting from *ITER, and *THEN_BLOCK is a new empty
1187 *ITER is adjusted to point to always point to the first statement
1188 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1189 same as what ITER was pointing to prior to calling this function,
1190 if BEFORE_P is true; otherwise, it is its following statement. */
1192 static gimple_stmt_iterator
1193 create_cond_insert_point (gimple_stmt_iterator
*iter
,
1195 bool then_more_likely_p
,
1196 bool create_then_fallthru_edge
,
1197 basic_block
*then_block
,
1198 basic_block
*fallthrough_block
)
1200 gimple_stmt_iterator gsi
= *iter
;
1202 if (!gsi_end_p (gsi
) && before_p
)
1205 basic_block cur_bb
= gsi_bb (*iter
);
1207 edge e
= split_block (cur_bb
, gsi_stmt (gsi
));
1209 /* Get a hold on the 'condition block', the 'then block' and the
1211 basic_block cond_bb
= e
->src
;
1212 basic_block fallthru_bb
= e
->dest
;
1213 basic_block then_bb
= create_empty_bb (cond_bb
);
1216 add_bb_to_loop (then_bb
, cond_bb
->loop_father
);
1217 loops_state_set (LOOPS_NEED_FIXUP
);
1220 /* Set up the newly created 'then block'. */
1221 e
= make_edge (cond_bb
, then_bb
, EDGE_TRUE_VALUE
);
1222 int fallthrough_probability
1223 = then_more_likely_p
1224 ? PROB_VERY_UNLIKELY
1225 : PROB_ALWAYS
- PROB_VERY_UNLIKELY
;
1226 e
->probability
= PROB_ALWAYS
- fallthrough_probability
;
1227 if (create_then_fallthru_edge
)
1228 make_single_succ_edge (then_bb
, fallthru_bb
, EDGE_FALLTHRU
);
1230 /* Set up the fallthrough basic block. */
1231 e
= find_edge (cond_bb
, fallthru_bb
);
1232 e
->flags
= EDGE_FALSE_VALUE
;
1233 e
->count
= cond_bb
->count
;
1234 e
->probability
= fallthrough_probability
;
1236 /* Update dominance info for the newly created then_bb; note that
1237 fallthru_bb's dominance info has already been updated by
1239 if (dom_info_available_p (CDI_DOMINATORS
))
1240 set_immediate_dominator (CDI_DOMINATORS
, then_bb
, cond_bb
);
1242 *then_block
= then_bb
;
1243 *fallthrough_block
= fallthru_bb
;
1244 *iter
= gsi_start_bb (fallthru_bb
);
1246 return gsi_last_bb (cond_bb
);
1249 /* Insert an if condition followed by a 'then block' right before the
1250 statement pointed to by ITER. The fallthrough block -- which is the
1251 else block of the condition as well as the destination of the
1252 outcoming edge of the 'then block' -- starts with the statement
1255 COND is the condition of the if.
1257 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1258 'then block' is higher than the probability of the edge to the
1261 Upon completion of the function, *THEN_BB is set to the newly
1262 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1265 *ITER is adjusted to still point to the same statement it was
1266 pointing to initially. */
1269 insert_if_then_before_iter (gimple cond
,
1270 gimple_stmt_iterator
*iter
,
1271 bool then_more_likely_p
,
1272 basic_block
*then_bb
,
1273 basic_block
*fallthrough_bb
)
1275 gimple_stmt_iterator cond_insert_point
=
1276 create_cond_insert_point (iter
,
1279 /*create_then_fallthru_edge=*/true,
1282 gsi_insert_after (&cond_insert_point
, cond
, GSI_NEW_STMT
);
1285 /* Instrument the memory access instruction BASE. Insert new
1286 statements before or after ITER.
1288 Note that the memory access represented by BASE can be either an
1289 SSA_NAME, or a non-SSA expression. LOCATION is the source code
1290 location. IS_STORE is TRUE for a store, FALSE for a load.
1291 BEFORE_P is TRUE for inserting the instrumentation code before
1292 ITER, FALSE for inserting it after ITER. SIZE_IN_BYTES is one of
1295 If BEFORE_P is TRUE, *ITER is arranged to still point to the
1296 statement it was pointing to prior to calling this function,
1297 otherwise, it points to the statement logically following it. */
1300 build_check_stmt (location_t location
, tree base
, gimple_stmt_iterator
*iter
,
1301 bool before_p
, bool is_store
, int size_in_bytes
)
1303 gimple_stmt_iterator gsi
;
1304 basic_block then_bb
, else_bb
;
1305 tree t
, base_addr
, shadow
;
1307 tree shadow_ptr_type
= shadow_ptr_types
[size_in_bytes
== 16 ? 1 : 0];
1308 tree shadow_type
= TREE_TYPE (shadow_ptr_type
);
1310 = build_nonstandard_integer_type (TYPE_PRECISION (TREE_TYPE (base
)), 1);
1311 tree base_ssa
= base
;
1313 /* Get an iterator on the point where we can add the condition
1314 statement for the instrumentation. */
1315 gsi
= create_cond_insert_point (iter
, before_p
,
1316 /*then_more_likely_p=*/false,
1317 /*create_then_fallthru_edge=*/false,
1321 base
= unshare_expr (base
);
1323 /* BASE can already be an SSA_NAME; in that case, do not create a
1324 new SSA_NAME for it. */
1325 if (TREE_CODE (base
) != SSA_NAME
)
1327 g
= gimple_build_assign_with_ops (TREE_CODE (base
),
1328 make_ssa_name (TREE_TYPE (base
), NULL
),
1330 gimple_set_location (g
, location
);
1331 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1332 base_ssa
= gimple_assign_lhs (g
);
1335 g
= gimple_build_assign_with_ops (NOP_EXPR
,
1336 make_ssa_name (uintptr_type
, NULL
),
1337 base_ssa
, NULL_TREE
);
1338 gimple_set_location (g
, location
);
1339 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1340 base_addr
= gimple_assign_lhs (g
);
1343 (base_addr >> ASAN_SHADOW_SHIFT) + targetm.asan_shadow_offset (). */
1345 t
= build_int_cst (uintptr_type
, ASAN_SHADOW_SHIFT
);
1346 g
= gimple_build_assign_with_ops (RSHIFT_EXPR
,
1347 make_ssa_name (uintptr_type
, NULL
),
1349 gimple_set_location (g
, location
);
1350 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1352 t
= build_int_cst (uintptr_type
, targetm
.asan_shadow_offset ());
1353 g
= gimple_build_assign_with_ops (PLUS_EXPR
,
1354 make_ssa_name (uintptr_type
, NULL
),
1355 gimple_assign_lhs (g
), t
);
1356 gimple_set_location (g
, location
);
1357 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1359 g
= gimple_build_assign_with_ops (NOP_EXPR
,
1360 make_ssa_name (shadow_ptr_type
, NULL
),
1361 gimple_assign_lhs (g
), NULL_TREE
);
1362 gimple_set_location (g
, location
);
1363 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1365 t
= build2 (MEM_REF
, shadow_type
, gimple_assign_lhs (g
),
1366 build_int_cst (shadow_ptr_type
, 0));
1367 g
= gimple_build_assign_with_ops (MEM_REF
,
1368 make_ssa_name (shadow_type
, NULL
),
1370 gimple_set_location (g
, location
);
1371 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1372 shadow
= gimple_assign_lhs (g
);
1374 if (size_in_bytes
< 8)
1376 /* Slow path for 1, 2 and 4 byte accesses.
1378 & ((base_addr & 7) + (size_in_bytes - 1)) >= shadow). */
1379 gimple_seq seq
= NULL
;
1380 gimple shadow_test
= build_assign (NE_EXPR
, shadow
, 0);
1381 gimple_seq_add_stmt (&seq
, shadow_test
);
1382 gimple_seq_add_stmt (&seq
, build_assign (BIT_AND_EXPR
, base_addr
, 7));
1383 gimple_seq_add_stmt (&seq
, build_type_cast (shadow_type
,
1384 gimple_seq_last (seq
)));
1385 if (size_in_bytes
> 1)
1386 gimple_seq_add_stmt (&seq
,
1387 build_assign (PLUS_EXPR
, gimple_seq_last (seq
),
1388 size_in_bytes
- 1));
1389 gimple_seq_add_stmt (&seq
, build_assign (GE_EXPR
, gimple_seq_last (seq
),
1391 gimple_seq_add_stmt (&seq
, build_assign (BIT_AND_EXPR
, shadow_test
,
1392 gimple_seq_last (seq
)));
1393 t
= gimple_assign_lhs (gimple_seq_last (seq
));
1394 gimple_seq_set_location (seq
, location
);
1395 gsi_insert_seq_after (&gsi
, seq
, GSI_CONTINUE_LINKING
);
1400 g
= gimple_build_cond (NE_EXPR
, t
, build_int_cst (TREE_TYPE (t
), 0),
1401 NULL_TREE
, NULL_TREE
);
1402 gimple_set_location (g
, location
);
1403 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1405 /* Generate call to the run-time library (e.g. __asan_report_load8). */
1406 gsi
= gsi_start_bb (then_bb
);
1407 g
= gimple_build_call (report_error_func (is_store
, size_in_bytes
),
1409 gimple_set_location (g
, location
);
1410 gsi_insert_after (&gsi
, g
, GSI_NEW_STMT
);
1412 *iter
= gsi_start_bb (else_bb
);
1415 /* If T represents a memory access, add instrumentation code before ITER.
1416 LOCATION is source code location.
1417 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
1420 instrument_derefs (gimple_stmt_iterator
*iter
, tree t
,
1421 location_t location
, bool is_store
)
1424 HOST_WIDE_INT size_in_bytes
;
1426 type
= TREE_TYPE (t
);
1427 switch (TREE_CODE (t
))
1438 size_in_bytes
= int_size_in_bytes (type
);
1439 if ((size_in_bytes
& (size_in_bytes
- 1)) != 0
1440 || (unsigned HOST_WIDE_INT
) size_in_bytes
- 1 >= 16)
1443 HOST_WIDE_INT bitsize
, bitpos
;
1445 enum machine_mode mode
;
1446 int volatilep
= 0, unsignedp
= 0;
1447 get_inner_reference (t
, &bitsize
, &bitpos
, &offset
,
1448 &mode
, &unsignedp
, &volatilep
, false);
1449 if (bitpos
% (size_in_bytes
* BITS_PER_UNIT
)
1450 || bitsize
!= size_in_bytes
* BITS_PER_UNIT
)
1452 if (TREE_CODE (t
) == COMPONENT_REF
1453 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t
, 1)) != NULL_TREE
)
1455 tree repr
= DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t
, 1));
1456 instrument_derefs (iter
, build3 (COMPONENT_REF
, TREE_TYPE (repr
),
1457 TREE_OPERAND (t
, 0), repr
,
1458 NULL_TREE
), location
, is_store
);
1463 base
= build_fold_addr_expr (t
);
1464 if (!has_mem_ref_been_instrumented (base
, size_in_bytes
))
1466 build_check_stmt (location
, base
, iter
, /*before_p=*/true,
1467 is_store
, size_in_bytes
);
1468 update_mem_ref_hash_table (base
, size_in_bytes
);
1469 update_mem_ref_hash_table (t
, size_in_bytes
);
1474 /* Instrument an access to a contiguous memory region that starts at
1475 the address pointed to by BASE, over a length of LEN (expressed in
1476 the sizeof (*BASE) bytes). ITER points to the instruction before
1477 which the instrumentation instructions must be inserted. LOCATION
1478 is the source location that the instrumentation instructions must
1479 have. If IS_STORE is true, then the memory access is a store;
1480 otherwise, it's a load. */
1483 instrument_mem_region_access (tree base
, tree len
,
1484 gimple_stmt_iterator
*iter
,
1485 location_t location
, bool is_store
)
1487 if (!POINTER_TYPE_P (TREE_TYPE (base
))
1488 || !INTEGRAL_TYPE_P (TREE_TYPE (len
))
1489 || integer_zerop (len
))
1492 gimple_stmt_iterator gsi
= *iter
;
1494 basic_block fallthrough_bb
= NULL
, then_bb
= NULL
;
1496 /* If the beginning of the memory region has already been
1497 instrumented, do not instrument it. */
1498 bool start_instrumented
= has_mem_ref_been_instrumented (base
, 1);
1500 /* If the end of the memory region has already been instrumented, do
1501 not instrument it. */
1502 tree end
= asan_mem_ref_get_end (base
, len
);
1503 bool end_instrumented
= has_mem_ref_been_instrumented (end
, 1);
1505 if (start_instrumented
&& end_instrumented
)
1508 if (!is_gimple_constant (len
))
1510 /* So, the length of the memory area to asan-protect is
1511 non-constant. Let's guard the generated instrumentation code
1516 //asan instrumentation code goes here.
1518 // falltrough instructions, starting with *ITER. */
1520 gimple g
= gimple_build_cond (NE_EXPR
,
1522 build_int_cst (TREE_TYPE (len
), 0),
1523 NULL_TREE
, NULL_TREE
);
1524 gimple_set_location (g
, location
);
1525 insert_if_then_before_iter (g
, iter
, /*then_more_likely_p=*/true,
1526 &then_bb
, &fallthrough_bb
);
1527 /* Note that fallthrough_bb starts with the statement that was
1528 pointed to by ITER. */
1530 /* The 'then block' of the 'if (len != 0) condition is where
1531 we'll generate the asan instrumentation code now. */
1532 gsi
= gsi_last_bb (then_bb
);
1535 if (!start_instrumented
)
1537 /* Instrument the beginning of the memory region to be accessed,
1538 and arrange for the rest of the intrumentation code to be
1539 inserted in the then block *after* the current gsi. */
1540 build_check_stmt (location
, base
, &gsi
, /*before_p=*/true, is_store
, 1);
1543 /* We are in the case where the length of the region is not
1544 constant; so instrumentation code is being generated in the
1545 'then block' of the 'if (len != 0) condition. Let's arrange
1546 for the subsequent instrumentation statements to go in the
1548 gsi
= gsi_last_bb (then_bb
);
1552 /* Don't remember this access as instrumented, if length
1553 is unknown. It might be zero and not being actually
1554 instrumented, so we can't rely on it being instrumented. */
1555 update_mem_ref_hash_table (base
, 1);
1559 if (end_instrumented
)
1562 /* We want to instrument the access at the end of the memory region,
1563 which is at (base + len - 1). */
1565 /* offset = len - 1; */
1566 len
= unshare_expr (len
);
1568 gimple_seq seq
= NULL
;
1569 if (TREE_CODE (len
) == INTEGER_CST
)
1570 offset
= fold_build2 (MINUS_EXPR
, size_type_node
,
1571 fold_convert (size_type_node
, len
),
1572 build_int_cst (size_type_node
, 1));
1578 if (TREE_CODE (len
) != SSA_NAME
)
1580 t
= make_ssa_name (TREE_TYPE (len
), NULL
);
1581 g
= gimple_build_assign_with_ops (TREE_CODE (len
), t
, len
, NULL
);
1582 gimple_set_location (g
, location
);
1583 gimple_seq_add_stmt_without_update (&seq
, g
);
1586 if (!useless_type_conversion_p (size_type_node
, TREE_TYPE (len
)))
1588 t
= make_ssa_name (size_type_node
, NULL
);
1589 g
= gimple_build_assign_with_ops (NOP_EXPR
, t
, len
, NULL
);
1590 gimple_set_location (g
, location
);
1591 gimple_seq_add_stmt_without_update (&seq
, g
);
1595 t
= make_ssa_name (size_type_node
, NULL
);
1596 g
= gimple_build_assign_with_ops (MINUS_EXPR
, t
, len
,
1597 build_int_cst (size_type_node
, 1));
1598 gimple_set_location (g
, location
);
1599 gimple_seq_add_stmt_without_update (&seq
, g
);
1600 offset
= gimple_assign_lhs (g
);
1604 base
= unshare_expr (base
);
1606 gimple_build_assign_with_ops (TREE_CODE (base
),
1607 make_ssa_name (TREE_TYPE (base
), NULL
),
1609 gimple_set_location (region_end
, location
);
1610 gimple_seq_add_stmt_without_update (&seq
, region_end
);
1612 /* _2 = _1 + offset; */
1614 gimple_build_assign_with_ops (POINTER_PLUS_EXPR
,
1615 make_ssa_name (TREE_TYPE (base
), NULL
),
1616 gimple_assign_lhs (region_end
),
1618 gimple_set_location (region_end
, location
);
1619 gimple_seq_add_stmt_without_update (&seq
, region_end
);
1620 gsi_insert_seq_before (&gsi
, seq
, GSI_SAME_STMT
);
1622 /* instrument access at _2; */
1623 gsi
= gsi_for_stmt (region_end
);
1624 build_check_stmt (location
, gimple_assign_lhs (region_end
),
1625 &gsi
, /*before_p=*/false, is_store
, 1);
1627 if (then_bb
== NULL
)
1628 update_mem_ref_hash_table (end
, 1);
1630 *iter
= gsi_for_stmt (gsi_stmt (*iter
));
1633 /* Instrument the call (to the builtin strlen function) pointed to by
1636 This function instruments the access to the first byte of the
1637 argument, right before the call. After the call it instruments the
1638 access to the last byte of the argument; it uses the result of the
1639 call to deduce the offset of that last byte.
1641 Upon completion, iff the call has actually been instrumented, this
1642 function returns TRUE and *ITER points to the statement logically
1643 following the built-in strlen function call *ITER was initially
1644 pointing to. Otherwise, the function returns FALSE and *ITER
1645 remains unchanged. */
1648 instrument_strlen_call (gimple_stmt_iterator
*iter
)
1650 gimple call
= gsi_stmt (*iter
);
1651 gcc_assert (is_gimple_call (call
));
1653 tree callee
= gimple_call_fndecl (call
);
1654 gcc_assert (is_builtin_fn (callee
)
1655 && DECL_BUILT_IN_CLASS (callee
) == BUILT_IN_NORMAL
1656 && DECL_FUNCTION_CODE (callee
) == BUILT_IN_STRLEN
);
1658 tree len
= gimple_call_lhs (call
);
1660 /* Some passes might clear the return value of the strlen call;
1661 bail out in that case. Return FALSE as we are not advancing
1664 gcc_assert (INTEGRAL_TYPE_P (TREE_TYPE (len
)));
1666 location_t loc
= gimple_location (call
);
1667 tree str_arg
= gimple_call_arg (call
, 0);
1669 /* Instrument the access to the first byte of str_arg. i.e:
1671 _1 = str_arg; instrument (_1); */
1672 tree cptr_type
= build_pointer_type (char_type_node
);
1673 gimple str_arg_ssa
=
1674 gimple_build_assign_with_ops (NOP_EXPR
,
1675 make_ssa_name (cptr_type
, NULL
),
1677 gimple_set_location (str_arg_ssa
, loc
);
1678 gimple_stmt_iterator gsi
= *iter
;
1679 gsi_insert_before (&gsi
, str_arg_ssa
, GSI_NEW_STMT
);
1680 build_check_stmt (loc
, gimple_assign_lhs (str_arg_ssa
), &gsi
,
1681 /*before_p=*/false, /*is_store=*/false, 1);
1683 /* If we initially had an instruction like:
1685 int n = strlen (str)
1687 we now want to instrument the access to str[n], after the
1688 instruction above.*/
1690 /* So let's build the access to str[n] that is, access through the
1691 pointer_plus expr: (_1 + len). */
1693 gimple_build_assign_with_ops (POINTER_PLUS_EXPR
,
1694 make_ssa_name (cptr_type
, NULL
),
1695 gimple_assign_lhs (str_arg_ssa
),
1697 gimple_set_location (stmt
, loc
);
1698 gsi_insert_after (&gsi
, stmt
, GSI_NEW_STMT
);
1700 build_check_stmt (loc
, gimple_assign_lhs (stmt
), &gsi
,
1701 /*before_p=*/false, /*is_store=*/false, 1);
1703 /* Ensure that iter points to the statement logically following the
1704 one it was initially pointing to. */
1706 /* As *ITER has been advanced to point to the next statement, let's
1707 return true to inform transform_statements that it shouldn't
1708 advance *ITER anymore; otherwises it will skip that next
1709 statement, which wouldn't be instrumented. */
1713 /* Instrument the call to a built-in memory access function that is
1714 pointed to by the iterator ITER.
1716 Upon completion, return TRUE iff *ITER has been advanced to the
1717 statement following the one it was originally pointing to. */
1720 instrument_builtin_call (gimple_stmt_iterator
*iter
)
1722 bool iter_advanced_p
= false;
1723 gimple call
= gsi_stmt (*iter
);
1725 gcc_checking_assert (gimple_call_builtin_p (call
, BUILT_IN_NORMAL
));
1727 tree callee
= gimple_call_fndecl (call
);
1728 location_t loc
= gimple_location (call
);
1730 if (DECL_FUNCTION_CODE (callee
) == BUILT_IN_STRLEN
)
1731 iter_advanced_p
= instrument_strlen_call (iter
);
1734 asan_mem_ref src0
, src1
, dest
;
1735 asan_mem_ref_init (&src0
, NULL
, 1);
1736 asan_mem_ref_init (&src1
, NULL
, 1);
1737 asan_mem_ref_init (&dest
, NULL
, 1);
1739 tree src0_len
= NULL_TREE
, src1_len
= NULL_TREE
, dest_len
= NULL_TREE
;
1740 bool src0_is_store
= false, src1_is_store
= false,
1741 dest_is_store
= false, dest_is_deref
= false;
1743 if (get_mem_refs_of_builtin_call (call
,
1744 &src0
, &src0_len
, &src0_is_store
,
1745 &src1
, &src1_len
, &src1_is_store
,
1746 &dest
, &dest_len
, &dest_is_store
,
1751 instrument_derefs (iter
, dest
.start
, loc
, dest_is_store
);
1753 iter_advanced_p
= true;
1755 else if (src0_len
|| src1_len
|| dest_len
)
1757 if (src0
.start
!= NULL_TREE
)
1758 instrument_mem_region_access (src0
.start
, src0_len
,
1759 iter
, loc
, /*is_store=*/false);
1760 if (src1
.start
!= NULL_TREE
)
1761 instrument_mem_region_access (src1
.start
, src1_len
,
1762 iter
, loc
, /*is_store=*/false);
1763 if (dest
.start
!= NULL_TREE
)
1764 instrument_mem_region_access (dest
.start
, dest_len
,
1765 iter
, loc
, /*is_store=*/true);
1766 *iter
= gsi_for_stmt (call
);
1768 iter_advanced_p
= true;
1772 return iter_advanced_p
;
1775 /* Instrument the assignment statement ITER if it is subject to
1776 instrumentation. Return TRUE iff instrumentation actually
1777 happened. In that case, the iterator ITER is advanced to the next
1778 logical expression following the one initially pointed to by ITER,
1779 and the relevant memory reference that which access has been
1780 instrumented is added to the memory references hash table. */
1783 maybe_instrument_assignment (gimple_stmt_iterator
*iter
)
1785 gimple s
= gsi_stmt (*iter
);
1787 gcc_assert (gimple_assign_single_p (s
));
1789 tree ref_expr
= NULL_TREE
;
1790 bool is_store
, is_instrumented
= false;
1792 if (gimple_store_p (s
))
1794 ref_expr
= gimple_assign_lhs (s
);
1796 instrument_derefs (iter
, ref_expr
,
1797 gimple_location (s
),
1799 is_instrumented
= true;
1802 if (gimple_assign_load_p (s
))
1804 ref_expr
= gimple_assign_rhs1 (s
);
1806 instrument_derefs (iter
, ref_expr
,
1807 gimple_location (s
),
1809 is_instrumented
= true;
1812 if (is_instrumented
)
1815 return is_instrumented
;
1818 /* Instrument the function call pointed to by the iterator ITER, if it
1819 is subject to instrumentation. At the moment, the only function
1820 calls that are instrumented are some built-in functions that access
1821 memory. Look at instrument_builtin_call to learn more.
1823 Upon completion return TRUE iff *ITER was advanced to the statement
1824 following the one it was originally pointing to. */
1827 maybe_instrument_call (gimple_stmt_iterator
*iter
)
1829 gimple stmt
= gsi_stmt (*iter
);
1830 bool is_builtin
= gimple_call_builtin_p (stmt
, BUILT_IN_NORMAL
);
1832 if (is_builtin
&& instrument_builtin_call (iter
))
1835 if (gimple_call_noreturn_p (stmt
))
1839 tree callee
= gimple_call_fndecl (stmt
);
1840 switch (DECL_FUNCTION_CODE (callee
))
1842 case BUILT_IN_UNREACHABLE
:
1844 /* Don't instrument these. */
1848 tree decl
= builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN
);
1849 gimple g
= gimple_build_call (decl
, 0);
1850 gimple_set_location (g
, gimple_location (stmt
));
1851 gsi_insert_before (iter
, g
, GSI_SAME_STMT
);
1856 /* Walk each instruction of all basic block and instrument those that
1857 represent memory references: loads, stores, or function calls.
1858 In a given basic block, this function avoids instrumenting memory
1859 references that have already been instrumented. */
1862 transform_statements (void)
1864 basic_block bb
, last_bb
= NULL
;
1865 gimple_stmt_iterator i
;
1866 int saved_last_basic_block
= last_basic_block
;
1870 basic_block prev_bb
= bb
;
1872 if (bb
->index
>= saved_last_basic_block
) continue;
1874 /* Flush the mem ref hash table, if current bb doesn't have
1875 exactly one predecessor, or if that predecessor (skipping
1876 over asan created basic blocks) isn't the last processed
1877 basic block. Thus we effectively flush on extended basic
1878 block boundaries. */
1879 while (single_pred_p (prev_bb
))
1881 prev_bb
= single_pred (prev_bb
);
1882 if (prev_bb
->index
< saved_last_basic_block
)
1885 if (prev_bb
!= last_bb
)
1886 empty_mem_ref_hash_table ();
1889 for (i
= gsi_start_bb (bb
); !gsi_end_p (i
);)
1891 gimple s
= gsi_stmt (i
);
1893 if (has_stmt_been_instrumented_p (s
))
1895 else if (gimple_assign_single_p (s
)
1896 && maybe_instrument_assignment (&i
))
1897 /* Nothing to do as maybe_instrument_assignment advanced
1899 else if (is_gimple_call (s
) && maybe_instrument_call (&i
))
1900 /* Nothing to do as maybe_instrument_call
1901 advanced the iterator I. */;
1904 /* No instrumentation happened.
1906 If the current instruction is a function call that
1907 might free something, let's forget about the memory
1908 references that got instrumented. Otherwise we might
1909 miss some instrumentation opportunities. */
1910 if (is_gimple_call (s
) && !nonfreeing_call_p (s
))
1911 empty_mem_ref_hash_table ();
1917 free_mem_ref_resources ();
1921 struct __asan_global
1925 uptr __size_with_redzone;
1927 uptr __has_dynamic_init;
1931 asan_global_struct (void)
1933 static const char *field_names
[5]
1934 = { "__beg", "__size", "__size_with_redzone",
1935 "__name", "__has_dynamic_init" };
1936 tree fields
[5], ret
;
1939 ret
= make_node (RECORD_TYPE
);
1940 for (i
= 0; i
< 5; i
++)
1943 = build_decl (UNKNOWN_LOCATION
, FIELD_DECL
,
1944 get_identifier (field_names
[i
]),
1945 (i
== 0 || i
== 3) ? const_ptr_type_node
1946 : pointer_sized_int_node
);
1947 DECL_CONTEXT (fields
[i
]) = ret
;
1949 DECL_CHAIN (fields
[i
- 1]) = fields
[i
];
1951 TYPE_FIELDS (ret
) = fields
[0];
1952 TYPE_NAME (ret
) = get_identifier ("__asan_global");
1957 /* Append description of a single global DECL into vector V.
1958 TYPE is __asan_global struct type as returned by asan_global_struct. */
1961 asan_add_global (tree decl
, tree type
, vec
<constructor_elt
, va_gc
> *v
)
1963 tree init
, uptr
= TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type
)));
1964 unsigned HOST_WIDE_INT size
;
1965 tree str_cst
, refdecl
= decl
;
1966 vec
<constructor_elt
, va_gc
> *vinner
= NULL
;
1968 pretty_printer asan_pp
;
1970 if (DECL_NAME (decl
))
1971 pp_tree_identifier (&asan_pp
, DECL_NAME (decl
));
1973 pp_string (&asan_pp
, "<unknown>");
1974 pp_space (&asan_pp
);
1975 pp_left_paren (&asan_pp
);
1976 pp_string (&asan_pp
, main_input_filename
);
1977 pp_right_paren (&asan_pp
);
1978 str_cst
= asan_pp_string (&asan_pp
);
1980 if (asan_needs_local_alias (decl
))
1983 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASAN", vec_safe_length (v
) + 1);
1984 refdecl
= build_decl (DECL_SOURCE_LOCATION (decl
),
1985 VAR_DECL
, get_identifier (buf
), TREE_TYPE (decl
));
1986 TREE_ADDRESSABLE (refdecl
) = TREE_ADDRESSABLE (decl
);
1987 TREE_READONLY (refdecl
) = TREE_READONLY (decl
);
1988 TREE_THIS_VOLATILE (refdecl
) = TREE_THIS_VOLATILE (decl
);
1989 DECL_GIMPLE_REG_P (refdecl
) = DECL_GIMPLE_REG_P (decl
);
1990 DECL_ARTIFICIAL (refdecl
) = DECL_ARTIFICIAL (decl
);
1991 DECL_IGNORED_P (refdecl
) = DECL_IGNORED_P (decl
);
1992 TREE_STATIC (refdecl
) = 1;
1993 TREE_PUBLIC (refdecl
) = 0;
1994 TREE_USED (refdecl
) = 1;
1995 assemble_alias (refdecl
, DECL_ASSEMBLER_NAME (decl
));
1998 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
1999 fold_convert (const_ptr_type_node
,
2000 build_fold_addr_expr (refdecl
)));
2001 size
= tree_low_cst (DECL_SIZE_UNIT (decl
), 1);
2002 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, build_int_cst (uptr
, size
));
2003 size
+= asan_red_zone_size (size
);
2004 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, build_int_cst (uptr
, size
));
2005 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
,
2006 fold_convert (const_ptr_type_node
, str_cst
));
2007 CONSTRUCTOR_APPEND_ELT (vinner
, NULL_TREE
, build_int_cst (uptr
, 0));
2008 init
= build_constructor (type
, vinner
);
2009 CONSTRUCTOR_APPEND_ELT (v
, NULL_TREE
, init
);
2012 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2014 initialize_sanitizer_builtins (void)
2018 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT
))
2021 tree BT_FN_VOID
= build_function_type_list (void_type_node
, NULL_TREE
);
2023 = build_function_type_list (void_type_node
, ptr_type_node
, NULL_TREE
);
2024 tree BT_FN_VOID_PTR_PTR_PTR
2025 = build_function_type_list (void_type_node
, ptr_type_node
,
2026 ptr_type_node
, ptr_type_node
, NULL_TREE
);
2027 tree BT_FN_VOID_PTR_PTRMODE
2028 = build_function_type_list (void_type_node
, ptr_type_node
,
2029 pointer_sized_int_node
, NULL_TREE
);
2031 = build_function_type_list (void_type_node
, integer_type_node
, NULL_TREE
);
2032 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT
[5];
2033 tree BT_FN_IX_CONST_VPTR_INT
[5];
2034 tree BT_FN_IX_VPTR_IX_INT
[5];
2035 tree BT_FN_VOID_VPTR_IX_INT
[5];
2037 = build_pointer_type (build_qualified_type (void_type_node
,
2038 TYPE_QUAL_VOLATILE
));
2040 = build_pointer_type (build_qualified_type (void_type_node
,
2044 = lang_hooks
.types
.type_for_size (BOOL_TYPE_SIZE
, 1);
2046 for (i
= 0; i
< 5; i
++)
2048 tree ix
= build_nonstandard_integer_type (BITS_PER_UNIT
* (1 << i
), 1);
2049 BT_FN_BOOL_VPTR_PTR_IX_INT_INT
[i
]
2050 = build_function_type_list (boolt
, vptr
, ptr_type_node
, ix
,
2051 integer_type_node
, integer_type_node
,
2053 BT_FN_IX_CONST_VPTR_INT
[i
]
2054 = build_function_type_list (ix
, cvptr
, integer_type_node
, NULL_TREE
);
2055 BT_FN_IX_VPTR_IX_INT
[i
]
2056 = build_function_type_list (ix
, vptr
, ix
, integer_type_node
,
2058 BT_FN_VOID_VPTR_IX_INT
[i
]
2059 = build_function_type_list (void_type_node
, vptr
, ix
,
2060 integer_type_node
, NULL_TREE
);
2062 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2063 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2064 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2065 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2066 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2067 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2068 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2069 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2070 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2071 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2072 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2073 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2074 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2075 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2076 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2077 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2078 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2079 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2080 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2081 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2082 #undef ATTR_NOTHROW_LEAF_LIST
2083 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2084 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2085 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2086 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2087 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2088 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2089 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2090 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2091 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2092 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2093 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2094 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2095 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2096 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2097 #undef DEF_SANITIZER_BUILTIN
2098 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2099 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2100 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2101 set_call_expr_flags (decl, ATTRS); \
2102 set_builtin_decl (ENUM, decl, true);
2104 #include "sanitizer.def"
2106 #undef DEF_SANITIZER_BUILTIN
2109 /* Called via htab_traverse. Count number of emitted
2110 STRING_CSTs in the constant hash table. */
2113 count_string_csts (void **slot
, void *data
)
2115 struct constant_descriptor_tree
*desc
2116 = (struct constant_descriptor_tree
*) *slot
;
2117 if (TREE_CODE (desc
->value
) == STRING_CST
2118 && TREE_ASM_WRITTEN (desc
->value
)
2119 && asan_protect_global (desc
->value
))
2120 ++*((unsigned HOST_WIDE_INT
*) data
);
2124 /* Helper structure to pass two parameters to
2127 struct asan_add_string_csts_data
2130 vec
<constructor_elt
, va_gc
> *v
;
2133 /* Called via htab_traverse. Call asan_add_global
2134 on emitted STRING_CSTs from the constant hash table. */
2137 add_string_csts (void **slot
, void *data
)
2139 struct constant_descriptor_tree
*desc
2140 = (struct constant_descriptor_tree
*) *slot
;
2141 if (TREE_CODE (desc
->value
) == STRING_CST
2142 && TREE_ASM_WRITTEN (desc
->value
)
2143 && asan_protect_global (desc
->value
))
2145 struct asan_add_string_csts_data
*aascd
2146 = (struct asan_add_string_csts_data
*) data
;
2147 asan_add_global (SYMBOL_REF_DECL (XEXP (desc
->rtl
, 0)),
2148 aascd
->type
, aascd
->v
);
2153 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
2154 invoke ggc_collect. */
2155 static GTY(()) tree asan_ctor_statements
;
2157 /* Module-level instrumentation.
2158 - Insert __asan_init() into the list of CTORs.
2159 - TODO: insert redzones around globals.
2163 asan_finish_file (void)
2165 struct varpool_node
*vnode
;
2166 unsigned HOST_WIDE_INT gcount
= 0;
2168 if (shadow_ptr_types
[0] == NULL_TREE
)
2169 asan_init_shadow_ptr_types ();
2170 /* Avoid instrumenting code in the asan ctors/dtors.
2171 We don't need to insert padding after the description strings,
2172 nor after .LASAN* array. */
2173 flag_sanitize
&= ~SANITIZE_ADDRESS
;
2175 tree fn
= builtin_decl_implicit (BUILT_IN_ASAN_INIT
);
2176 append_to_statement_list (build_call_expr (fn
, 0), &asan_ctor_statements
);
2177 FOR_EACH_DEFINED_VARIABLE (vnode
)
2178 if (TREE_ASM_WRITTEN (vnode
->decl
)
2179 && asan_protect_global (vnode
->decl
))
2181 htab_t const_desc_htab
= constant_pool_htab ();
2182 htab_traverse (const_desc_htab
, count_string_csts
, &gcount
);
2185 tree type
= asan_global_struct (), var
, ctor
;
2186 tree dtor_statements
= NULL_TREE
;
2187 vec
<constructor_elt
, va_gc
> *v
;
2190 type
= build_array_type_nelts (type
, gcount
);
2191 ASM_GENERATE_INTERNAL_LABEL (buf
, "LASAN", 0);
2192 var
= build_decl (UNKNOWN_LOCATION
, VAR_DECL
, get_identifier (buf
),
2194 TREE_STATIC (var
) = 1;
2195 TREE_PUBLIC (var
) = 0;
2196 DECL_ARTIFICIAL (var
) = 1;
2197 DECL_IGNORED_P (var
) = 1;
2198 vec_alloc (v
, gcount
);
2199 FOR_EACH_DEFINED_VARIABLE (vnode
)
2200 if (TREE_ASM_WRITTEN (vnode
->decl
)
2201 && asan_protect_global (vnode
->decl
))
2202 asan_add_global (vnode
->decl
, TREE_TYPE (type
), v
);
2203 struct asan_add_string_csts_data aascd
;
2204 aascd
.type
= TREE_TYPE (type
);
2206 htab_traverse (const_desc_htab
, add_string_csts
, &aascd
);
2207 ctor
= build_constructor (type
, v
);
2208 TREE_CONSTANT (ctor
) = 1;
2209 TREE_STATIC (ctor
) = 1;
2210 DECL_INITIAL (var
) = ctor
;
2211 varpool_assemble_decl (varpool_node_for_decl (var
));
2213 fn
= builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS
);
2214 tree gcount_tree
= build_int_cst (pointer_sized_int_node
, gcount
);
2215 append_to_statement_list (build_call_expr (fn
, 2,
2216 build_fold_addr_expr (var
),
2218 &asan_ctor_statements
);
2220 fn
= builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS
);
2221 append_to_statement_list (build_call_expr (fn
, 2,
2222 build_fold_addr_expr (var
),
2225 cgraph_build_static_cdtor ('D', dtor_statements
,
2226 MAX_RESERVED_INIT_PRIORITY
- 1);
2228 cgraph_build_static_cdtor ('I', asan_ctor_statements
,
2229 MAX_RESERVED_INIT_PRIORITY
- 1);
2230 flag_sanitize
|= SANITIZE_ADDRESS
;
2233 /* Instrument the current function. */
2236 asan_instrument (void)
2238 if (shadow_ptr_types
[0] == NULL_TREE
)
2239 asan_init_shadow_ptr_types ();
2240 transform_statements ();
2247 return (flag_sanitize
& SANITIZE_ADDRESS
) != 0
2248 && !lookup_attribute ("no_sanitize_address",
2249 DECL_ATTRIBUTES (current_function_decl
));
2254 const pass_data pass_data_asan
=
2256 GIMPLE_PASS
, /* type */
2258 OPTGROUP_NONE
, /* optinfo_flags */
2259 true, /* has_gate */
2260 true, /* has_execute */
2261 TV_NONE
, /* tv_id */
2262 ( PROP_ssa
| PROP_cfg
| PROP_gimple_leh
), /* properties_required */
2263 0, /* properties_provided */
2264 0, /* properties_destroyed */
2265 0, /* todo_flags_start */
2266 ( TODO_verify_flow
| TODO_verify_stmts
2267 | TODO_update_ssa
), /* todo_flags_finish */
2270 class pass_asan
: public gimple_opt_pass
2273 pass_asan (gcc::context
*ctxt
)
2274 : gimple_opt_pass (pass_data_asan
, ctxt
)
2277 /* opt_pass methods: */
2278 opt_pass
* clone () { return new pass_asan (m_ctxt
); }
2279 bool gate () { return gate_asan (); }
2280 unsigned int execute () { return asan_instrument (); }
2282 }; // class pass_asan
2287 make_pass_asan (gcc::context
*ctxt
)
2289 return new pass_asan (ctxt
);
2295 return !optimize
&& gate_asan ();
2300 const pass_data pass_data_asan_O0
=
2302 GIMPLE_PASS
, /* type */
2304 OPTGROUP_NONE
, /* optinfo_flags */
2305 true, /* has_gate */
2306 true, /* has_execute */
2307 TV_NONE
, /* tv_id */
2308 ( PROP_ssa
| PROP_cfg
| PROP_gimple_leh
), /* properties_required */
2309 0, /* properties_provided */
2310 0, /* properties_destroyed */
2311 0, /* todo_flags_start */
2312 ( TODO_verify_flow
| TODO_verify_stmts
2313 | TODO_update_ssa
), /* todo_flags_finish */
2316 class pass_asan_O0
: public gimple_opt_pass
2319 pass_asan_O0 (gcc::context
*ctxt
)
2320 : gimple_opt_pass (pass_data_asan_O0
, ctxt
)
2323 /* opt_pass methods: */
2324 bool gate () { return gate_asan_O0 (); }
2325 unsigned int execute () { return asan_instrument (); }
2327 }; // class pass_asan_O0
2332 make_pass_asan_O0 (gcc::context
*ctxt
)
2334 return new pass_asan_O0 (ctxt
);
2337 #include "gt-asan.h"