projects / gcc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
re PR sanitizer/88289 (r266664 causes asan to fail on many/most tests on BE)
[gcc.git] / gcc / asan.c
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2018 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
11
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21
22 #include "config.h"
23 #include "system.h"
24 #include "coretypes.h"
25 #include "backend.h"
26 #include "target.h"
27 #include "rtl.h"
28 #include "tree.h"
29 #include "gimple.h"
30 #include "cfghooks.h"
31 #include "alloc-pool.h"
32 #include "tree-pass.h"
33 #include "memmodel.h"
34 #include "tm_p.h"
35 #include "ssa.h"
36 #include "stringpool.h"
37 #include "tree-ssanames.h"
38 #include "optabs.h"
39 #include "emit-rtl.h"
40 #include "cgraph.h"
41 #include "gimple-pretty-print.h"
42 #include "alias.h"
43 #include "fold-const.h"
44 #include "cfganal.h"
45 #include "gimplify.h"
46 #include "gimple-iterator.h"
47 #include "varasm.h"
48 #include "stor-layout.h"
49 #include "tree-iterator.h"
50 #include "stringpool.h"
51 #include "attribs.h"
52 #include "asan.h"
53 #include "dojump.h"
54 #include "explow.h"
55 #include "expr.h"
56 #include "output.h"
57 #include "langhooks.h"
58 #include "cfgloop.h"
59 #include "gimple-builder.h"
60 #include "gimple-fold.h"
61 #include "ubsan.h"
62 #include "params.h"
63 #include "builtins.h"
64 #include "fnmatch.h"
65 #include "tree-inline.h"
66
67 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
68 with <2x slowdown on average.
69
70 The tool consists of two parts:
71 instrumentation module (this file) and a run-time library.
72 The instrumentation module adds a run-time check before every memory insn.
73 For a 8- or 16- byte load accessing address X:
74 ShadowAddr = (X >> 3) + Offset
75 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
76 if (ShadowValue)
77 __asan_report_load8(X);
78 For a load of N bytes (N=1, 2 or 4) from address X:
79 ShadowAddr = (X >> 3) + Offset
80 ShadowValue = *(char*)ShadowAddr;
81 if (ShadowValue)
82 if ((X & 7) + N - 1 > ShadowValue)
83 __asan_report_loadN(X);
84 Stores are instrumented similarly, but using __asan_report_storeN functions.
85 A call too __asan_init_vN() is inserted to the list of module CTORs.
86 N is the version number of the AddressSanitizer API. The changes between the
87 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
88
89 The run-time library redefines malloc (so that redzone are inserted around
90 the allocated memory) and free (so that reuse of free-ed memory is delayed),
91 provides __asan_report* and __asan_init_vN functions.
92
93 Read more:
94 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
95
96 The current implementation supports detection of out-of-bounds and
97 use-after-free in the heap, on the stack and for global variables.
98
99 [Protection of stack variables]
100
101 To understand how detection of out-of-bounds and use-after-free works
102 for stack variables, lets look at this example on x86_64 where the
103 stack grows downward:
104
105 int
106 foo ()
107 {
108 char a[23] = {0};
109 int b[2] = {0};
110
111 a[5] = 1;
112 b[1] = 2;
113
114 return a[5] + b[1];
115 }
116
117 For this function, the stack protected by asan will be organized as
118 follows, from the top of the stack to the bottom:
119
120 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
121
122 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
123 the next slot be 32 bytes aligned; this one is called Partial
124 Redzone; this 32 bytes alignment is an asan constraint]
125
126 Slot 3/ [24 bytes for variable 'a']
127
128 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
129
130 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
131
132 Slot 6/ [8 bytes for variable 'b']
133
134 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
135 'LEFT RedZone']
136
137 The 32 bytes of LEFT red zone at the bottom of the stack can be
138 decomposed as such:
139
140 1/ The first 8 bytes contain a magical asan number that is always
141 0x41B58AB3.
142
143 2/ The following 8 bytes contains a pointer to a string (to be
144 parsed at runtime by the runtime asan library), which format is
145 the following:
146
147 "<function-name> <space> <num-of-variables-on-the-stack>
148 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
149 <length-of-var-in-bytes> ){n} "
150
151 where '(...){n}' means the content inside the parenthesis occurs 'n'
152 times, with 'n' being the number of variables on the stack.
153
154 3/ The following 8 bytes contain the PC of the current function which
155 will be used by the run-time library to print an error message.
156
157 4/ The following 8 bytes are reserved for internal use by the run-time.
158
159 The shadow memory for that stack layout is going to look like this:
160
161 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
162 The F1 byte pattern is a magic number called
163 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
164 the memory for that shadow byte is part of a the LEFT red zone
165 intended to seat at the bottom of the variables on the stack.
166
167 - content of shadow memory 8 bytes for slots 6 and 5:
168 0xF4F4F400. The F4 byte pattern is a magic number
169 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
170 memory region for this shadow byte is a PARTIAL red zone
171 intended to pad a variable A, so that the slot following
172 {A,padding} is 32 bytes aligned.
173
174 Note that the fact that the least significant byte of this
175 shadow memory content is 00 means that 8 bytes of its
176 corresponding memory (which corresponds to the memory of
177 variable 'b') is addressable.
178
179 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
180 The F2 byte pattern is a magic number called
181 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
182 region for this shadow byte is a MIDDLE red zone intended to
183 seat between two 32 aligned slots of {variable,padding}.
184
185 - content of shadow memory 8 bytes for slot 3 and 2:
186 0xF4000000. This represents is the concatenation of
187 variable 'a' and the partial red zone following it, like what we
188 had for variable 'b'. The least significant 3 bytes being 00
189 means that the 3 bytes of variable 'a' are addressable.
190
191 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
192 The F3 byte pattern is a magic number called
193 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
194 region for this shadow byte is a RIGHT red zone intended to seat
195 at the top of the variables of the stack.
196
197 Note that the real variable layout is done in expand_used_vars in
198 cfgexpand.c. As far as Address Sanitizer is concerned, it lays out
199 stack variables as well as the different red zones, emits some
200 prologue code to populate the shadow memory as to poison (mark as
201 non-accessible) the regions of the red zones and mark the regions of
202 stack variables as accessible, and emit some epilogue code to
203 un-poison (mark as accessible) the regions of red zones right before
204 the function exits.
205
206 [Protection of global variables]
207
208 The basic idea is to insert a red zone between two global variables
209 and install a constructor function that calls the asan runtime to do
210 the populating of the relevant shadow memory regions at load time.
211
212 So the global variables are laid out as to insert a red zone between
213 them. The size of the red zones is so that each variable starts on a
214 32 bytes boundary.
215
216 Then a constructor function is installed so that, for each global
217 variable, it calls the runtime asan library function
218 __asan_register_globals_with an instance of this type:
219
220 struct __asan_global
221 {
222 // Address of the beginning of the global variable.
223 const void *__beg;
224
225 // Initial size of the global variable.
226 uptr __size;
227
228 // Size of the global variable + size of the red zone. This
229 // size is 32 bytes aligned.
230 uptr __size_with_redzone;
231
232 // Name of the global variable.
233 const void *__name;
234
235 // Name of the module where the global variable is declared.
236 const void *__module_name;
237
238 // 1 if it has dynamic initialization, 0 otherwise.
239 uptr __has_dynamic_init;
240
241 // A pointer to struct that contains source location, could be NULL.
242 __asan_global_source_location *__location;
243 }
244
245 A destructor function that calls the runtime asan library function
246 _asan_unregister_globals is also installed. */
247
248 static unsigned HOST_WIDE_INT asan_shadow_offset_value;
249 static bool asan_shadow_offset_computed;
250 static vec<char *> sanitized_sections;
251 static tree last_alloca_addr;
252
253 /* Set of variable declarations that are going to be guarded by
254 use-after-scope sanitizer. */
255
256 hash_set<tree> *asan_handled_variables = NULL;
257
258 hash_set <tree> *asan_used_labels = NULL;
259
260 /* Sets shadow offset to value in string VAL. */
261
262 bool
263 set_asan_shadow_offset (const char *val)
264 {
265 char *endp;
266
267 errno = 0;
268 #ifdef HAVE_LONG_LONG
269 asan_shadow_offset_value = strtoull (val, &endp, 0);
270 #else
271 asan_shadow_offset_value = strtoul (val, &endp, 0);
272 #endif
273 if (!(*val != '\0' && *endp == '\0' && errno == 0))
274 return false;
275
276 asan_shadow_offset_computed = true;
277
278 return true;
279 }
280
281 /* Set list of user-defined sections that need to be sanitized. */
282
283 void
284 set_sanitized_sections (const char *sections)
285 {
286 char *pat;
287 unsigned i;
288 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
289 free (pat);
290 sanitized_sections.truncate (0);
291
292 for (const char *s = sections; *s; )
293 {
294 const char *end;
295 for (end = s; *end && *end != ','; ++end);
296 size_t len = end - s;
297 sanitized_sections.safe_push (xstrndup (s, len));
298 s = *end ? end + 1 : end;
299 }
300 }
301
302 bool
303 asan_mark_p (gimple *stmt, enum asan_mark_flags flag)
304 {
305 return (gimple_call_internal_p (stmt, IFN_ASAN_MARK)
306 && tree_to_uhwi (gimple_call_arg (stmt, 0)) == flag);
307 }
308
309 bool
310 asan_sanitize_stack_p (void)
311 {
312 return (sanitize_flags_p (SANITIZE_ADDRESS) && ASAN_STACK);
313 }
314
315 bool
316 asan_sanitize_allocas_p (void)
317 {
318 return (asan_sanitize_stack_p () && ASAN_PROTECT_ALLOCAS);
319 }
320
321 /* Checks whether section SEC should be sanitized. */
322
323 static bool
324 section_sanitized_p (const char *sec)
325 {
326 char *pat;
327 unsigned i;
328 FOR_EACH_VEC_ELT (sanitized_sections, i, pat)
329 if (fnmatch (pat, sec, FNM_PERIOD) == 0)
330 return true;
331 return false;
332 }
333
334 /* Returns Asan shadow offset. */
335
336 static unsigned HOST_WIDE_INT
337 asan_shadow_offset ()
338 {
339 if (!asan_shadow_offset_computed)
340 {
341 asan_shadow_offset_computed = true;
342 asan_shadow_offset_value = targetm.asan_shadow_offset ();
343 }
344 return asan_shadow_offset_value;
345 }
346
347 alias_set_type asan_shadow_set = -1;
348
349 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
350 alias set is used for all shadow memory accesses. */
351 static GTY(()) tree shadow_ptr_types[3];
352
353 /* Decl for __asan_option_detect_stack_use_after_return. */
354 static GTY(()) tree asan_detect_stack_use_after_return;
355
356 /* Hashtable support for memory references used by gimple
357 statements. */
358
359 /* This type represents a reference to a memory region. */
360 struct asan_mem_ref
361 {
362 /* The expression of the beginning of the memory region. */
363 tree start;
364
365 /* The size of the access. */
366 HOST_WIDE_INT access_size;
367 };
368
369 object_allocator <asan_mem_ref> asan_mem_ref_pool ("asan_mem_ref");
370
371 /* Initializes an instance of asan_mem_ref. */
372
373 static void
374 asan_mem_ref_init (asan_mem_ref *ref, tree start, HOST_WIDE_INT access_size)
375 {
376 ref->start = start;
377 ref->access_size = access_size;
378 }
379
380 /* Allocates memory for an instance of asan_mem_ref into the memory
381 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
382 START is the address of (or the expression pointing to) the
383 beginning of memory reference. ACCESS_SIZE is the size of the
384 access to the referenced memory. */
385
386 static asan_mem_ref*
387 asan_mem_ref_new (tree start, HOST_WIDE_INT access_size)
388 {
389 asan_mem_ref *ref = asan_mem_ref_pool.allocate ();
390
391 asan_mem_ref_init (ref, start, access_size);
392 return ref;
393 }
394
395 /* This builds and returns a pointer to the end of the memory region
396 that starts at START and of length LEN. */
397
398 tree
399 asan_mem_ref_get_end (tree start, tree len)
400 {
401 if (len == NULL_TREE || integer_zerop (len))
402 return start;
403
404 if (!ptrofftype_p (len))
405 len = convert_to_ptrofftype (len);
406
407 return fold_build2 (POINTER_PLUS_EXPR, TREE_TYPE (start), start, len);
408 }
409
410 /* Return a tree expression that represents the end of the referenced
411 memory region. Beware that this function can actually build a new
412 tree expression. */
413
414 tree
415 asan_mem_ref_get_end (const asan_mem_ref *ref, tree len)
416 {
417 return asan_mem_ref_get_end (ref->start, len);
418 }
419
420 struct asan_mem_ref_hasher : nofree_ptr_hash <asan_mem_ref>
421 {
422 static inline hashval_t hash (const asan_mem_ref *);
423 static inline bool equal (const asan_mem_ref *, const asan_mem_ref *);
424 };
425
426 /* Hash a memory reference. */
427
428 inline hashval_t
429 asan_mem_ref_hasher::hash (const asan_mem_ref *mem_ref)
430 {
431 return iterative_hash_expr (mem_ref->start, 0);
432 }
433
434 /* Compare two memory references. We accept the length of either
435 memory references to be NULL_TREE. */
436
437 inline bool
438 asan_mem_ref_hasher::equal (const asan_mem_ref *m1,
439 const asan_mem_ref *m2)
440 {
441 return operand_equal_p (m1->start, m2->start, 0);
442 }
443
444 static hash_table<asan_mem_ref_hasher> *asan_mem_ref_ht;
445
446 /* Returns a reference to the hash table containing memory references.
447 This function ensures that the hash table is created. Note that
448 this hash table is updated by the function
449 update_mem_ref_hash_table. */
450
451 static hash_table<asan_mem_ref_hasher> *
452 get_mem_ref_hash_table ()
453 {
454 if (!asan_mem_ref_ht)
455 asan_mem_ref_ht = new hash_table<asan_mem_ref_hasher> (10);
456
457 return asan_mem_ref_ht;
458 }
459
460 /* Clear all entries from the memory references hash table. */
461
462 static void
463 empty_mem_ref_hash_table ()
464 {
465 if (asan_mem_ref_ht)
466 asan_mem_ref_ht->empty ();
467 }
468
469 /* Free the memory references hash table. */
470
471 static void
472 free_mem_ref_resources ()
473 {
474 delete asan_mem_ref_ht;
475 asan_mem_ref_ht = NULL;
476
477 asan_mem_ref_pool.release ();
478 }
479
480 /* Return true iff the memory reference REF has been instrumented. */
481
482 static bool
483 has_mem_ref_been_instrumented (tree ref, HOST_WIDE_INT access_size)
484 {
485 asan_mem_ref r;
486 asan_mem_ref_init (&r, ref, access_size);
487
488 asan_mem_ref *saved_ref = get_mem_ref_hash_table ()->find (&r);
489 return saved_ref && saved_ref->access_size >= access_size;
490 }
491
492 /* Return true iff the memory reference REF has been instrumented. */
493
494 static bool
495 has_mem_ref_been_instrumented (const asan_mem_ref *ref)
496 {
497 return has_mem_ref_been_instrumented (ref->start, ref->access_size);
498 }
499
500 /* Return true iff access to memory region starting at REF and of
501 length LEN has been instrumented. */
502
503 static bool
504 has_mem_ref_been_instrumented (const asan_mem_ref *ref, tree len)
505 {
506 HOST_WIDE_INT size_in_bytes
507 = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
508
509 return size_in_bytes != -1
510 && has_mem_ref_been_instrumented (ref->start, size_in_bytes);
511 }
512
513 /* Set REF to the memory reference present in a gimple assignment
514 ASSIGNMENT. Return true upon successful completion, false
515 otherwise. */
516
517 static bool
518 get_mem_ref_of_assignment (const gassign *assignment,
519 asan_mem_ref *ref,
520 bool *ref_is_store)
521 {
522 gcc_assert (gimple_assign_single_p (assignment));
523
524 if (gimple_store_p (assignment)
525 && !gimple_clobber_p (assignment))
526 {
527 ref->start = gimple_assign_lhs (assignment);
528 *ref_is_store = true;
529 }
530 else if (gimple_assign_load_p (assignment))
531 {
532 ref->start = gimple_assign_rhs1 (assignment);
533 *ref_is_store = false;
534 }
535 else
536 return false;
537
538 ref->access_size = int_size_in_bytes (TREE_TYPE (ref->start));
539 return true;
540 }
541
542 /* Return address of last allocated dynamic alloca. */
543
544 static tree
545 get_last_alloca_addr ()
546 {
547 if (last_alloca_addr)
548 return last_alloca_addr;
549
550 last_alloca_addr = create_tmp_reg (ptr_type_node, "last_alloca_addr");
551 gassign *g = gimple_build_assign (last_alloca_addr, null_pointer_node);
552 edge e = single_succ_edge (ENTRY_BLOCK_PTR_FOR_FN (cfun));
553 gsi_insert_on_edge_immediate (e, g);
554 return last_alloca_addr;
555 }
556
557 /* Insert __asan_allocas_unpoison (top, bottom) call before
558 __builtin_stack_restore (new_sp) call.
559 The pseudocode of this routine should look like this:
560 top = last_alloca_addr;
561 bot = new_sp;
562 __asan_allocas_unpoison (top, bot);
563 last_alloca_addr = new_sp;
564 __builtin_stack_restore (new_sp);
565 In general, we can't use new_sp as bot parameter because on some
566 architectures SP has non zero offset from dynamic stack area. Moreover, on
567 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
568 particular function only after all callees were expanded to rtl.
569 The most noticeable example is PowerPC{,64}, see
570 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
571 To overcome the issue we use following trick: pass new_sp as a second
572 parameter to __asan_allocas_unpoison and rewrite it during expansion with
573 new_sp + (virtual_dynamic_stack_rtx - sp) later in
574 expand_asan_emit_allocas_unpoison function. */
575
576 static void
577 handle_builtin_stack_restore (gcall *call, gimple_stmt_iterator *iter)
578 {
579 if (!iter || !asan_sanitize_allocas_p ())
580 return;
581
582 tree last_alloca = get_last_alloca_addr ();
583 tree restored_stack = gimple_call_arg (call, 0);
584 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCAS_UNPOISON);
585 gimple *g = gimple_build_call (fn, 2, last_alloca, restored_stack);
586 gsi_insert_before (iter, g, GSI_SAME_STMT);
587 g = gimple_build_assign (last_alloca, restored_stack);
588 gsi_insert_before (iter, g, GSI_SAME_STMT);
589 }
590
591 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
592 should replace this call with another one with changed parameters and
593 replace all its uses with new address, so
594 addr = __builtin_alloca (old_size, align);
595 is replaced by
596 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
597 Following two statements are optimized out if we know that
598 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
599 redzone.
600 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
601 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
602 right_redzone_size = ASAN_RED_ZONE_SIZE;
603 additional_size = left_redzone_size + partial_redzone_size +
604 right_redzone_size;
605 new_size = old_size + additional_size;
606 new_alloca = __builtin_alloca (new_size, max (align, 32))
607 __asan_alloca_poison (new_alloca, old_size)
608 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
609 last_alloca_addr = new_alloca;
610 ADDITIONAL_SIZE is added to make new memory allocation contain not only
611 requested memory, but also left, partial and right redzones as well as some
612 additional space, required by alignment. */
613
614 static void
615 handle_builtin_alloca (gcall *call, gimple_stmt_iterator *iter)
616 {
617 if (!iter || !asan_sanitize_allocas_p ())
618 return;
619
620 gassign *g;
621 gcall *gg;
622 const HOST_WIDE_INT redzone_mask = ASAN_RED_ZONE_SIZE - 1;
623
624 tree last_alloca = get_last_alloca_addr ();
625 tree callee = gimple_call_fndecl (call);
626 tree old_size = gimple_call_arg (call, 0);
627 tree ptr_type = gimple_call_lhs (call) ? TREE_TYPE (gimple_call_lhs (call))
628 : ptr_type_node;
629 tree partial_size = NULL_TREE;
630 unsigned int align
631 = DECL_FUNCTION_CODE (callee) == BUILT_IN_ALLOCA
632 ? 0 : tree_to_uhwi (gimple_call_arg (call, 1));
633
634 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
635 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
636 manually. */
637 align = MAX (align, ASAN_RED_ZONE_SIZE * BITS_PER_UNIT);
638
639 tree alloca_rz_mask = build_int_cst (size_type_node, redzone_mask);
640 tree redzone_size = build_int_cst (size_type_node, ASAN_RED_ZONE_SIZE);
641
642 /* Extract lower bits from old_size. */
643 wide_int size_nonzero_bits = get_nonzero_bits (old_size);
644 wide_int rz_mask
645 = wi::uhwi (redzone_mask, wi::get_precision (size_nonzero_bits));
646 wide_int old_size_lower_bits = wi::bit_and (size_nonzero_bits, rz_mask);
647
648 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
649 redzone. Otherwise, compute its size here. */
650 if (wi::ne_p (old_size_lower_bits, 0))
651 {
652 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
653 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
654 g = gimple_build_assign (make_ssa_name (size_type_node, NULL),
655 BIT_AND_EXPR, old_size, alloca_rz_mask);
656 gsi_insert_before (iter, g, GSI_SAME_STMT);
657 tree misalign = gimple_assign_lhs (g);
658 g = gimple_build_assign (make_ssa_name (size_type_node, NULL), MINUS_EXPR,
659 redzone_size, misalign);
660 gsi_insert_before (iter, g, GSI_SAME_STMT);
661 partial_size = gimple_assign_lhs (g);
662 }
663
664 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
665 tree additional_size = build_int_cst (size_type_node, align / BITS_PER_UNIT
666 + ASAN_RED_ZONE_SIZE);
667 /* If alloca has partial redzone, include it to additional_size too. */
668 if (partial_size)
669 {
670 /* additional_size += partial_size. */
671 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR,
672 partial_size, additional_size);
673 gsi_insert_before (iter, g, GSI_SAME_STMT);
674 additional_size = gimple_assign_lhs (g);
675 }
676
677 /* new_size = old_size + additional_size. */
678 g = gimple_build_assign (make_ssa_name (size_type_node), PLUS_EXPR, old_size,
679 additional_size);
680 gsi_insert_before (iter, g, GSI_SAME_STMT);
681 tree new_size = gimple_assign_lhs (g);
682
683 /* Build new __builtin_alloca call:
684 new_alloca_with_rz = __builtin_alloca (new_size, align). */
685 tree fn = builtin_decl_implicit (BUILT_IN_ALLOCA_WITH_ALIGN);
686 gg = gimple_build_call (fn, 2, new_size,
687 build_int_cst (size_type_node, align));
688 tree new_alloca_with_rz = make_ssa_name (ptr_type, gg);
689 gimple_call_set_lhs (gg, new_alloca_with_rz);
690 gsi_insert_before (iter, gg, GSI_SAME_STMT);
691
692 /* new_alloca = new_alloca_with_rz + align. */
693 g = gimple_build_assign (make_ssa_name (ptr_type), POINTER_PLUS_EXPR,
694 new_alloca_with_rz,
695 build_int_cst (size_type_node,
696 align / BITS_PER_UNIT));
697 gsi_insert_before (iter, g, GSI_SAME_STMT);
698 tree new_alloca = gimple_assign_lhs (g);
699
700 /* Poison newly created alloca redzones:
701 __asan_alloca_poison (new_alloca, old_size). */
702 fn = builtin_decl_implicit (BUILT_IN_ASAN_ALLOCA_POISON);
703 gg = gimple_build_call (fn, 2, new_alloca, old_size);
704 gsi_insert_before (iter, gg, GSI_SAME_STMT);
705
706 /* Save new_alloca_with_rz value into last_alloca to use it during
707 allocas unpoisoning. */
708 g = gimple_build_assign (last_alloca, new_alloca_with_rz);
709 gsi_insert_before (iter, g, GSI_SAME_STMT);
710
711 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
712 replace_call_with_value (iter, new_alloca);
713 }
714
715 /* Return the memory references contained in a gimple statement
716 representing a builtin call that has to do with memory access. */
717
718 static bool
719 get_mem_refs_of_builtin_call (gcall *call,
720 asan_mem_ref *src0,
721 tree *src0_len,
722 bool *src0_is_store,
723 asan_mem_ref *src1,
724 tree *src1_len,
725 bool *src1_is_store,
726 asan_mem_ref *dst,
727 tree *dst_len,
728 bool *dst_is_store,
729 bool *dest_is_deref,
730 bool *intercepted_p,
731 gimple_stmt_iterator *iter = NULL)
732 {
733 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
734
735 tree callee = gimple_call_fndecl (call);
736 tree source0 = NULL_TREE, source1 = NULL_TREE,
737 dest = NULL_TREE, len = NULL_TREE;
738 bool is_store = true, got_reference_p = false;
739 HOST_WIDE_INT access_size = 1;
740
741 *intercepted_p = asan_intercepted_p ((DECL_FUNCTION_CODE (callee)));
742
743 switch (DECL_FUNCTION_CODE (callee))
744 {
745 /* (s, s, n) style memops. */
746 case BUILT_IN_BCMP:
747 case BUILT_IN_MEMCMP:
748 source0 = gimple_call_arg (call, 0);
749 source1 = gimple_call_arg (call, 1);
750 len = gimple_call_arg (call, 2);
751 break;
752
753 /* (src, dest, n) style memops. */
754 case BUILT_IN_BCOPY:
755 source0 = gimple_call_arg (call, 0);
756 dest = gimple_call_arg (call, 1);
757 len = gimple_call_arg (call, 2);
758 break;
759
760 /* (dest, src, n) style memops. */
761 case BUILT_IN_MEMCPY:
762 case BUILT_IN_MEMCPY_CHK:
763 case BUILT_IN_MEMMOVE:
764 case BUILT_IN_MEMMOVE_CHK:
765 case BUILT_IN_MEMPCPY:
766 case BUILT_IN_MEMPCPY_CHK:
767 dest = gimple_call_arg (call, 0);
768 source0 = gimple_call_arg (call, 1);
769 len = gimple_call_arg (call, 2);
770 break;
771
772 /* (dest, n) style memops. */
773 case BUILT_IN_BZERO:
774 dest = gimple_call_arg (call, 0);
775 len = gimple_call_arg (call, 1);
776 break;
777
778 /* (dest, x, n) style memops*/
779 case BUILT_IN_MEMSET:
780 case BUILT_IN_MEMSET_CHK:
781 dest = gimple_call_arg (call, 0);
782 len = gimple_call_arg (call, 2);
783 break;
784
785 case BUILT_IN_STRLEN:
786 source0 = gimple_call_arg (call, 0);
787 len = gimple_call_lhs (call);
788 break;
789
790 case BUILT_IN_STACK_RESTORE:
791 handle_builtin_stack_restore (call, iter);
792 break;
793
794 CASE_BUILT_IN_ALLOCA:
795 handle_builtin_alloca (call, iter);
796 break;
797 /* And now the __atomic* and __sync builtins.
798 These are handled differently from the classical memory memory
799 access builtins above. */
800
801 case BUILT_IN_ATOMIC_LOAD_1:
802 is_store = false;
803 /* FALLTHRU */
804 case BUILT_IN_SYNC_FETCH_AND_ADD_1:
805 case BUILT_IN_SYNC_FETCH_AND_SUB_1:
806 case BUILT_IN_SYNC_FETCH_AND_OR_1:
807 case BUILT_IN_SYNC_FETCH_AND_AND_1:
808 case BUILT_IN_SYNC_FETCH_AND_XOR_1:
809 case BUILT_IN_SYNC_FETCH_AND_NAND_1:
810 case BUILT_IN_SYNC_ADD_AND_FETCH_1:
811 case BUILT_IN_SYNC_SUB_AND_FETCH_1:
812 case BUILT_IN_SYNC_OR_AND_FETCH_1:
813 case BUILT_IN_SYNC_AND_AND_FETCH_1:
814 case BUILT_IN_SYNC_XOR_AND_FETCH_1:
815 case BUILT_IN_SYNC_NAND_AND_FETCH_1:
816 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_1:
817 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_1:
818 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_1:
819 case BUILT_IN_SYNC_LOCK_RELEASE_1:
820 case BUILT_IN_ATOMIC_EXCHANGE_1:
821 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_1:
822 case BUILT_IN_ATOMIC_STORE_1:
823 case BUILT_IN_ATOMIC_ADD_FETCH_1:
824 case BUILT_IN_ATOMIC_SUB_FETCH_1:
825 case BUILT_IN_ATOMIC_AND_FETCH_1:
826 case BUILT_IN_ATOMIC_NAND_FETCH_1:
827 case BUILT_IN_ATOMIC_XOR_FETCH_1:
828 case BUILT_IN_ATOMIC_OR_FETCH_1:
829 case BUILT_IN_ATOMIC_FETCH_ADD_1:
830 case BUILT_IN_ATOMIC_FETCH_SUB_1:
831 case BUILT_IN_ATOMIC_FETCH_AND_1:
832 case BUILT_IN_ATOMIC_FETCH_NAND_1:
833 case BUILT_IN_ATOMIC_FETCH_XOR_1:
834 case BUILT_IN_ATOMIC_FETCH_OR_1:
835 access_size = 1;
836 goto do_atomic;
837
838 case BUILT_IN_ATOMIC_LOAD_2:
839 is_store = false;
840 /* FALLTHRU */
841 case BUILT_IN_SYNC_FETCH_AND_ADD_2:
842 case BUILT_IN_SYNC_FETCH_AND_SUB_2:
843 case BUILT_IN_SYNC_FETCH_AND_OR_2:
844 case BUILT_IN_SYNC_FETCH_AND_AND_2:
845 case BUILT_IN_SYNC_FETCH_AND_XOR_2:
846 case BUILT_IN_SYNC_FETCH_AND_NAND_2:
847 case BUILT_IN_SYNC_ADD_AND_FETCH_2:
848 case BUILT_IN_SYNC_SUB_AND_FETCH_2:
849 case BUILT_IN_SYNC_OR_AND_FETCH_2:
850 case BUILT_IN_SYNC_AND_AND_FETCH_2:
851 case BUILT_IN_SYNC_XOR_AND_FETCH_2:
852 case BUILT_IN_SYNC_NAND_AND_FETCH_2:
853 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_2:
854 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_2:
855 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_2:
856 case BUILT_IN_SYNC_LOCK_RELEASE_2:
857 case BUILT_IN_ATOMIC_EXCHANGE_2:
858 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_2:
859 case BUILT_IN_ATOMIC_STORE_2:
860 case BUILT_IN_ATOMIC_ADD_FETCH_2:
861 case BUILT_IN_ATOMIC_SUB_FETCH_2:
862 case BUILT_IN_ATOMIC_AND_FETCH_2:
863 case BUILT_IN_ATOMIC_NAND_FETCH_2:
864 case BUILT_IN_ATOMIC_XOR_FETCH_2:
865 case BUILT_IN_ATOMIC_OR_FETCH_2:
866 case BUILT_IN_ATOMIC_FETCH_ADD_2:
867 case BUILT_IN_ATOMIC_FETCH_SUB_2:
868 case BUILT_IN_ATOMIC_FETCH_AND_2:
869 case BUILT_IN_ATOMIC_FETCH_NAND_2:
870 case BUILT_IN_ATOMIC_FETCH_XOR_2:
871 case BUILT_IN_ATOMIC_FETCH_OR_2:
872 access_size = 2;
873 goto do_atomic;
874
875 case BUILT_IN_ATOMIC_LOAD_4:
876 is_store = false;
877 /* FALLTHRU */
878 case BUILT_IN_SYNC_FETCH_AND_ADD_4:
879 case BUILT_IN_SYNC_FETCH_AND_SUB_4:
880 case BUILT_IN_SYNC_FETCH_AND_OR_4:
881 case BUILT_IN_SYNC_FETCH_AND_AND_4:
882 case BUILT_IN_SYNC_FETCH_AND_XOR_4:
883 case BUILT_IN_SYNC_FETCH_AND_NAND_4:
884 case BUILT_IN_SYNC_ADD_AND_FETCH_4:
885 case BUILT_IN_SYNC_SUB_AND_FETCH_4:
886 case BUILT_IN_SYNC_OR_AND_FETCH_4:
887 case BUILT_IN_SYNC_AND_AND_FETCH_4:
888 case BUILT_IN_SYNC_XOR_AND_FETCH_4:
889 case BUILT_IN_SYNC_NAND_AND_FETCH_4:
890 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_4:
891 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_4:
892 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_4:
893 case BUILT_IN_SYNC_LOCK_RELEASE_4:
894 case BUILT_IN_ATOMIC_EXCHANGE_4:
895 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_4:
896 case BUILT_IN_ATOMIC_STORE_4:
897 case BUILT_IN_ATOMIC_ADD_FETCH_4:
898 case BUILT_IN_ATOMIC_SUB_FETCH_4:
899 case BUILT_IN_ATOMIC_AND_FETCH_4:
900 case BUILT_IN_ATOMIC_NAND_FETCH_4:
901 case BUILT_IN_ATOMIC_XOR_FETCH_4:
902 case BUILT_IN_ATOMIC_OR_FETCH_4:
903 case BUILT_IN_ATOMIC_FETCH_ADD_4:
904 case BUILT_IN_ATOMIC_FETCH_SUB_4:
905 case BUILT_IN_ATOMIC_FETCH_AND_4:
906 case BUILT_IN_ATOMIC_FETCH_NAND_4:
907 case BUILT_IN_ATOMIC_FETCH_XOR_4:
908 case BUILT_IN_ATOMIC_FETCH_OR_4:
909 access_size = 4;
910 goto do_atomic;
911
912 case BUILT_IN_ATOMIC_LOAD_8:
913 is_store = false;
914 /* FALLTHRU */
915 case BUILT_IN_SYNC_FETCH_AND_ADD_8:
916 case BUILT_IN_SYNC_FETCH_AND_SUB_8:
917 case BUILT_IN_SYNC_FETCH_AND_OR_8:
918 case BUILT_IN_SYNC_FETCH_AND_AND_8:
919 case BUILT_IN_SYNC_FETCH_AND_XOR_8:
920 case BUILT_IN_SYNC_FETCH_AND_NAND_8:
921 case BUILT_IN_SYNC_ADD_AND_FETCH_8:
922 case BUILT_IN_SYNC_SUB_AND_FETCH_8:
923 case BUILT_IN_SYNC_OR_AND_FETCH_8:
924 case BUILT_IN_SYNC_AND_AND_FETCH_8:
925 case BUILT_IN_SYNC_XOR_AND_FETCH_8:
926 case BUILT_IN_SYNC_NAND_AND_FETCH_8:
927 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_8:
928 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_8:
929 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_8:
930 case BUILT_IN_SYNC_LOCK_RELEASE_8:
931 case BUILT_IN_ATOMIC_EXCHANGE_8:
932 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_8:
933 case BUILT_IN_ATOMIC_STORE_8:
934 case BUILT_IN_ATOMIC_ADD_FETCH_8:
935 case BUILT_IN_ATOMIC_SUB_FETCH_8:
936 case BUILT_IN_ATOMIC_AND_FETCH_8:
937 case BUILT_IN_ATOMIC_NAND_FETCH_8:
938 case BUILT_IN_ATOMIC_XOR_FETCH_8:
939 case BUILT_IN_ATOMIC_OR_FETCH_8:
940 case BUILT_IN_ATOMIC_FETCH_ADD_8:
941 case BUILT_IN_ATOMIC_FETCH_SUB_8:
942 case BUILT_IN_ATOMIC_FETCH_AND_8:
943 case BUILT_IN_ATOMIC_FETCH_NAND_8:
944 case BUILT_IN_ATOMIC_FETCH_XOR_8:
945 case BUILT_IN_ATOMIC_FETCH_OR_8:
946 access_size = 8;
947 goto do_atomic;
948
949 case BUILT_IN_ATOMIC_LOAD_16:
950 is_store = false;
951 /* FALLTHRU */
952 case BUILT_IN_SYNC_FETCH_AND_ADD_16:
953 case BUILT_IN_SYNC_FETCH_AND_SUB_16:
954 case BUILT_IN_SYNC_FETCH_AND_OR_16:
955 case BUILT_IN_SYNC_FETCH_AND_AND_16:
956 case BUILT_IN_SYNC_FETCH_AND_XOR_16:
957 case BUILT_IN_SYNC_FETCH_AND_NAND_16:
958 case BUILT_IN_SYNC_ADD_AND_FETCH_16:
959 case BUILT_IN_SYNC_SUB_AND_FETCH_16:
960 case BUILT_IN_SYNC_OR_AND_FETCH_16:
961 case BUILT_IN_SYNC_AND_AND_FETCH_16:
962 case BUILT_IN_SYNC_XOR_AND_FETCH_16:
963 case BUILT_IN_SYNC_NAND_AND_FETCH_16:
964 case BUILT_IN_SYNC_BOOL_COMPARE_AND_SWAP_16:
965 case BUILT_IN_SYNC_VAL_COMPARE_AND_SWAP_16:
966 case BUILT_IN_SYNC_LOCK_TEST_AND_SET_16:
967 case BUILT_IN_SYNC_LOCK_RELEASE_16:
968 case BUILT_IN_ATOMIC_EXCHANGE_16:
969 case BUILT_IN_ATOMIC_COMPARE_EXCHANGE_16:
970 case BUILT_IN_ATOMIC_STORE_16:
971 case BUILT_IN_ATOMIC_ADD_FETCH_16:
972 case BUILT_IN_ATOMIC_SUB_FETCH_16:
973 case BUILT_IN_ATOMIC_AND_FETCH_16:
974 case BUILT_IN_ATOMIC_NAND_FETCH_16:
975 case BUILT_IN_ATOMIC_XOR_FETCH_16:
976 case BUILT_IN_ATOMIC_OR_FETCH_16:
977 case BUILT_IN_ATOMIC_FETCH_ADD_16:
978 case BUILT_IN_ATOMIC_FETCH_SUB_16:
979 case BUILT_IN_ATOMIC_FETCH_AND_16:
980 case BUILT_IN_ATOMIC_FETCH_NAND_16:
981 case BUILT_IN_ATOMIC_FETCH_XOR_16:
982 case BUILT_IN_ATOMIC_FETCH_OR_16:
983 access_size = 16;
984 /* FALLTHRU */
985 do_atomic:
986 {
987 dest = gimple_call_arg (call, 0);
988 /* DEST represents the address of a memory location.
989 instrument_derefs wants the memory location, so lets
990 dereference the address DEST before handing it to
991 instrument_derefs. */
992 tree type = build_nonstandard_integer_type (access_size
993 * BITS_PER_UNIT, 1);
994 dest = build2 (MEM_REF, type, dest,
995 build_int_cst (build_pointer_type (char_type_node), 0));
996 break;
997 }
998
999 default:
1000 /* The other builtins memory access are not instrumented in this
1001 function because they either don't have any length parameter,
1002 or their length parameter is just a limit. */
1003 break;
1004 }
1005
1006 if (len != NULL_TREE)
1007 {
1008 if (source0 != NULL_TREE)
1009 {
1010 src0->start = source0;
1011 src0->access_size = access_size;
1012 *src0_len = len;
1013 *src0_is_store = false;
1014 }
1015
1016 if (source1 != NULL_TREE)
1017 {
1018 src1->start = source1;
1019 src1->access_size = access_size;
1020 *src1_len = len;
1021 *src1_is_store = false;
1022 }
1023
1024 if (dest != NULL_TREE)
1025 {
1026 dst->start = dest;
1027 dst->access_size = access_size;
1028 *dst_len = len;
1029 *dst_is_store = true;
1030 }
1031
1032 got_reference_p = true;
1033 }
1034 else if (dest)
1035 {
1036 dst->start = dest;
1037 dst->access_size = access_size;
1038 *dst_len = NULL_TREE;
1039 *dst_is_store = is_store;
1040 *dest_is_deref = true;
1041 got_reference_p = true;
1042 }
1043
1044 return got_reference_p;
1045 }
1046
1047 /* Return true iff a given gimple statement has been instrumented.
1048 Note that the statement is "defined" by the memory references it
1049 contains. */
1050
1051 static bool
1052 has_stmt_been_instrumented_p (gimple *stmt)
1053 {
1054 if (gimple_assign_single_p (stmt))
1055 {
1056 bool r_is_store;
1057 asan_mem_ref r;
1058 asan_mem_ref_init (&r, NULL, 1);
1059
1060 if (get_mem_ref_of_assignment (as_a <gassign *> (stmt), &r,
1061 &r_is_store))
1062 return has_mem_ref_been_instrumented (&r);
1063 }
1064 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1065 {
1066 asan_mem_ref src0, src1, dest;
1067 asan_mem_ref_init (&src0, NULL, 1);
1068 asan_mem_ref_init (&src1, NULL, 1);
1069 asan_mem_ref_init (&dest, NULL, 1);
1070
1071 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
1072 bool src0_is_store = false, src1_is_store = false,
1073 dest_is_store = false, dest_is_deref = false, intercepted_p = true;
1074 if (get_mem_refs_of_builtin_call (as_a <gcall *> (stmt),
1075 &src0, &src0_len, &src0_is_store,
1076 &src1, &src1_len, &src1_is_store,
1077 &dest, &dest_len, &dest_is_store,
1078 &dest_is_deref, &intercepted_p))
1079 {
1080 if (src0.start != NULL_TREE
1081 && !has_mem_ref_been_instrumented (&src0, src0_len))
1082 return false;
1083
1084 if (src1.start != NULL_TREE
1085 && !has_mem_ref_been_instrumented (&src1, src1_len))
1086 return false;
1087
1088 if (dest.start != NULL_TREE
1089 && !has_mem_ref_been_instrumented (&dest, dest_len))
1090 return false;
1091
1092 return true;
1093 }
1094 }
1095 else if (is_gimple_call (stmt) && gimple_store_p (stmt))
1096 {
1097 asan_mem_ref r;
1098 asan_mem_ref_init (&r, NULL, 1);
1099
1100 r.start = gimple_call_lhs (stmt);
1101 r.access_size = int_size_in_bytes (TREE_TYPE (r.start));
1102 return has_mem_ref_been_instrumented (&r);
1103 }
1104
1105 return false;
1106 }
1107
1108 /* Insert a memory reference into the hash table. */
1109
1110 static void
1111 update_mem_ref_hash_table (tree ref, HOST_WIDE_INT access_size)
1112 {
1113 hash_table<asan_mem_ref_hasher> *ht = get_mem_ref_hash_table ();
1114
1115 asan_mem_ref r;
1116 asan_mem_ref_init (&r, ref, access_size);
1117
1118 asan_mem_ref **slot = ht->find_slot (&r, INSERT);
1119 if (*slot == NULL || (*slot)->access_size < access_size)
1120 *slot = asan_mem_ref_new (ref, access_size);
1121 }
1122
1123 /* Initialize shadow_ptr_types array. */
1124
1125 static void
1126 asan_init_shadow_ptr_types (void)
1127 {
1128 asan_shadow_set = new_alias_set ();
1129 tree types[3] = { signed_char_type_node, short_integer_type_node,
1130 integer_type_node };
1131
1132 for (unsigned i = 0; i < 3; i++)
1133 {
1134 shadow_ptr_types[i] = build_distinct_type_copy (types[i]);
1135 TYPE_ALIAS_SET (shadow_ptr_types[i]) = asan_shadow_set;
1136 shadow_ptr_types[i] = build_pointer_type (shadow_ptr_types[i]);
1137 }
1138
1139 initialize_sanitizer_builtins ();
1140 }
1141
1142 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1143
1144 static tree
1145 asan_pp_string (pretty_printer *pp)
1146 {
1147 const char *buf = pp_formatted_text (pp);
1148 size_t len = strlen (buf);
1149 tree ret = build_string (len + 1, buf);
1150 TREE_TYPE (ret)
1151 = build_array_type (TREE_TYPE (shadow_ptr_types[0]),
1152 build_index_type (size_int (len)));
1153 TREE_READONLY (ret) = 1;
1154 TREE_STATIC (ret) = 1;
1155 return build1 (ADDR_EXPR, shadow_ptr_types[0], ret);
1156 }
1157
1158 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1159 though. */
1160
1161 static void
1162 asan_clear_shadow (rtx shadow_mem, HOST_WIDE_INT len)
1163 {
1164 rtx_insn *insn, *insns, *jump;
1165 rtx_code_label *top_label;
1166 rtx end, addr, tmp;
1167
1168 start_sequence ();
1169 clear_storage (shadow_mem, GEN_INT (len), BLOCK_OP_NORMAL);
1170 insns = get_insns ();
1171 end_sequence ();
1172 for (insn = insns; insn; insn = NEXT_INSN (insn))
1173 if (CALL_P (insn))
1174 break;
1175 if (insn == NULL_RTX)
1176 {
1177 emit_insn (insns);
1178 return;
1179 }
1180
1181 gcc_assert ((len & 3) == 0);
1182 top_label = gen_label_rtx ();
1183 addr = copy_to_mode_reg (Pmode, XEXP (shadow_mem, 0));
1184 shadow_mem = adjust_automodify_address (shadow_mem, SImode, addr, 0);
1185 end = force_reg (Pmode, plus_constant (Pmode, addr, len));
1186 emit_label (top_label);
1187
1188 emit_move_insn (shadow_mem, const0_rtx);
1189 tmp = expand_simple_binop (Pmode, PLUS, addr, gen_int_mode (4, Pmode), addr,
1190 true, OPTAB_LIB_WIDEN);
1191 if (tmp != addr)
1192 emit_move_insn (addr, tmp);
1193 emit_cmp_and_jump_insns (addr, end, LT, NULL_RTX, Pmode, true, top_label);
1194 jump = get_last_insn ();
1195 gcc_assert (JUMP_P (jump));
1196 add_reg_br_prob_note (jump,
1197 profile_probability::guessed_always ()
1198 .apply_scale (80, 100));
1199 }
1200
1201 void
1202 asan_function_start (void)
1203 {
1204 section *fnsec = function_section (current_function_decl);
1205 switch_to_section (fnsec);
1206 ASM_OUTPUT_DEBUG_LABEL (asm_out_file, "LASANPC",
1207 current_function_funcdef_no);
1208 }
1209
1210 /* Return number of shadow bytes that are occupied by a local variable
1211 of SIZE bytes. */
1212
1213 static unsigned HOST_WIDE_INT
1214 shadow_mem_size (unsigned HOST_WIDE_INT size)
1215 {
1216 /* It must be possible to align stack variables to granularity
1217 of shadow memory. */
1218 gcc_assert (BITS_PER_UNIT
1219 * ASAN_SHADOW_GRANULARITY <= MAX_SUPPORTED_STACK_ALIGNMENT);
1220
1221 return ROUND_UP (size, ASAN_SHADOW_GRANULARITY) / ASAN_SHADOW_GRANULARITY;
1222 }
1223
1224 /* Always emit 4 bytes at a time. */
1225 #define RZ_BUFFER_SIZE 4
1226
1227 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1228 struct asan_redzone_buffer
1229 {
1230 /* Constructor. */
1231 asan_redzone_buffer (rtx shadow_mem, HOST_WIDE_INT prev_offset):
1232 m_shadow_mem (shadow_mem), m_prev_offset (prev_offset),
1233 m_original_offset (prev_offset), m_shadow_bytes (RZ_BUFFER_SIZE)
1234 {}
1235
1236 /* Emit VALUE shadow byte at a given OFFSET. */
1237 void emit_redzone_byte (HOST_WIDE_INT offset, unsigned char value);
1238
1239 /* Emit RTX emission of the content of the buffer. */
1240 void flush_redzone_payload (void);
1241
1242 private:
1243 /* Flush if the content of the buffer is full
1244 (equal to RZ_BUFFER_SIZE). */
1245 void flush_if_full (void);
1246
1247 /* Memory where we last emitted a redzone payload. */
1248 rtx m_shadow_mem;
1249
1250 /* Relative offset where we last emitted a redzone payload. */
1251 HOST_WIDE_INT m_prev_offset;
1252
1253 /* Relative original offset. Used for checking only. */
1254 HOST_WIDE_INT m_original_offset;
1255
1256 public:
1257 /* Buffer with redzone payload. */
1258 auto_vec<unsigned char> m_shadow_bytes;
1259 };
1260
1261 /* Emit VALUE shadow byte at a given OFFSET. */
1262
1263 void
1264 asan_redzone_buffer::emit_redzone_byte (HOST_WIDE_INT offset,
1265 unsigned char value)
1266 {
1267 gcc_assert ((offset & (ASAN_SHADOW_GRANULARITY - 1)) == 0);
1268 gcc_assert (offset >= m_prev_offset);
1269
1270 HOST_WIDE_INT off
1271 = m_prev_offset + ASAN_SHADOW_GRANULARITY * m_shadow_bytes.length ();
1272 if (off == offset)
1273 {
1274 /* Consecutive shadow memory byte. */
1275 m_shadow_bytes.safe_push (value);
1276 flush_if_full ();
1277 }
1278 else
1279 {
1280 if (!m_shadow_bytes.is_empty ())
1281 flush_redzone_payload ();
1282
1283 /* Maybe start earlier in order to use aligned store. */
1284 HOST_WIDE_INT align = (offset - m_prev_offset) % ASAN_RED_ZONE_SIZE;
1285 if (align)
1286 {
1287 offset -= align;
1288 for (unsigned i = 0; i < align / BITS_PER_UNIT; i++)
1289 m_shadow_bytes.safe_push (0);
1290 }
1291
1292 /* Adjust m_prev_offset and m_shadow_mem. */
1293 HOST_WIDE_INT diff = offset - m_prev_offset;
1294 m_shadow_mem = adjust_address (m_shadow_mem, VOIDmode,
1295 diff >> ASAN_SHADOW_SHIFT);
1296 m_prev_offset = offset;
1297 m_shadow_bytes.safe_push (value);
1298 flush_if_full ();
1299 }
1300 }
1301
1302 /* Emit RTX emission of the content of the buffer. */
1303
1304 void
1305 asan_redzone_buffer::flush_redzone_payload (void)
1306 {
1307 gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
1308
1309 if (m_shadow_bytes.is_empty ())
1310 return;
1311
1312 /* Be sure we always emit to an aligned address. */
1313 gcc_assert (((m_prev_offset - m_original_offset)
1314 & (ASAN_RED_ZONE_SIZE - 1)) == 0);
1315
1316 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1317 unsigned l = m_shadow_bytes.length ();
1318 for (unsigned i = 0; i <= RZ_BUFFER_SIZE - l; i++)
1319 m_shadow_bytes.safe_push (0);
1320
1321 if (dump_file && (dump_flags & TDF_DETAILS))
1322 fprintf (dump_file,
1323 "Flushing rzbuffer at offset %" PRId64 " with: ", m_prev_offset);
1324
1325 unsigned HOST_WIDE_INT val = 0;
1326 for (unsigned i = 0; i < RZ_BUFFER_SIZE; i++)
1327 {
1328 unsigned char v
1329 = m_shadow_bytes[BYTES_BIG_ENDIAN ? RZ_BUFFER_SIZE - i - 1 : i];
1330 val |= (unsigned HOST_WIDE_INT)v << (BITS_PER_UNIT * i);
1331 if (dump_file && (dump_flags & TDF_DETAILS))
1332 fprintf (dump_file, "%02x ", v);
1333 }
1334
1335 if (dump_file && (dump_flags & TDF_DETAILS))
1336 fprintf (dump_file, "\n");
1337
1338 rtx c = gen_int_mode (val, SImode);
1339 m_shadow_mem = adjust_address (m_shadow_mem, SImode, 0);
1340 emit_move_insn (m_shadow_mem, c);
1341 m_shadow_bytes.truncate (0);
1342 }
1343
1344 /* Flush if the content of the buffer is full
1345 (equal to RZ_BUFFER_SIZE). */
1346
1347 void
1348 asan_redzone_buffer::flush_if_full (void)
1349 {
1350 if (m_shadow_bytes.length () == RZ_BUFFER_SIZE)
1351 flush_redzone_payload ();
1352 }
1353
1354 /* Insert code to protect stack vars. The prologue sequence should be emitted
1355 directly, epilogue sequence returned. BASE is the register holding the
1356 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1357 array contains pairs of offsets in reverse order, always the end offset
1358 of some gap that needs protection followed by starting offset,
1359 and DECLS is an array of representative decls for each var partition.
1360 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1361 elements long (OFFSETS include gap before the first variable as well
1362 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1363 register which stack vars DECL_RTLs are based on. Either BASE should be
1364 assigned to PBASE, when not doing use after return protection, or
1365 corresponding address based on __asan_stack_malloc* return value. */
1366
1367 rtx_insn *
1368 asan_emit_stack_protection (rtx base, rtx pbase, unsigned int alignb,
1369 HOST_WIDE_INT *offsets, tree *decls, int length)
1370 {
1371 rtx shadow_base, shadow_mem, ret, mem, orig_base;
1372 rtx_code_label *lab;
1373 rtx_insn *insns;
1374 char buf[32];
1375 HOST_WIDE_INT base_offset = offsets[length - 1];
1376 HOST_WIDE_INT base_align_bias = 0, offset, prev_offset;
1377 HOST_WIDE_INT asan_frame_size = offsets[0] - base_offset;
1378 HOST_WIDE_INT last_offset, last_size;
1379 int l;
1380 unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
1381 tree str_cst, decl, id;
1382 int use_after_return_class = -1;
1383
1384 if (shadow_ptr_types[0] == NULL_TREE)
1385 asan_init_shadow_ptr_types ();
1386
1387 expanded_location cfun_xloc
1388 = expand_location (DECL_SOURCE_LOCATION (current_function_decl));
1389
1390 /* First of all, prepare the description string. */
1391 pretty_printer asan_pp;
1392
1393 pp_decimal_int (&asan_pp, length / 2 - 1);
1394 pp_space (&asan_pp);
1395 for (l = length - 2; l; l -= 2)
1396 {
1397 tree decl = decls[l / 2 - 1];
1398 pp_wide_integer (&asan_pp, offsets[l] - base_offset);
1399 pp_space (&asan_pp);
1400 pp_wide_integer (&asan_pp, offsets[l - 1] - offsets[l]);
1401 pp_space (&asan_pp);
1402
1403 expanded_location xloc
1404 = expand_location (DECL_SOURCE_LOCATION (decl));
1405 char location[32];
1406
1407 if (xloc.file == cfun_xloc.file)
1408 sprintf (location, ":%d", xloc.line);
1409 else
1410 location[0] = '\0';
1411
1412 if (DECL_P (decl) && DECL_NAME (decl))
1413 {
1414 unsigned idlen
1415 = IDENTIFIER_LENGTH (DECL_NAME (decl)) + strlen (location);
1416 pp_decimal_int (&asan_pp, idlen);
1417 pp_space (&asan_pp);
1418 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
1419 pp_string (&asan_pp, location);
1420 }
1421 else
1422 pp_string (&asan_pp, "9 <unknown>");
1423
1424 if (l > 2)
1425 pp_space (&asan_pp);
1426 }
1427 str_cst = asan_pp_string (&asan_pp);
1428
1429 /* Emit the prologue sequence. */
1430 if (asan_frame_size > 32 && asan_frame_size <= 65536 && pbase
1431 && ASAN_USE_AFTER_RETURN)
1432 {
1433 use_after_return_class = floor_log2 (asan_frame_size - 1) - 5;
1434 /* __asan_stack_malloc_N guarantees alignment
1435 N < 6 ? (64 << N) : 4096 bytes. */
1436 if (alignb > (use_after_return_class < 6
1437 ? (64U << use_after_return_class) : 4096U))
1438 use_after_return_class = -1;
1439 else if (alignb > ASAN_RED_ZONE_SIZE && (asan_frame_size & (alignb - 1)))
1440 base_align_bias = ((asan_frame_size + alignb - 1)
1441 & ~(alignb - HOST_WIDE_INT_1)) - asan_frame_size;
1442 }
1443 /* Align base if target is STRICT_ALIGNMENT. */
1444 if (STRICT_ALIGNMENT)
1445 base = expand_binop (Pmode, and_optab, base,
1446 gen_int_mode (-((GET_MODE_ALIGNMENT (SImode)
1447 << ASAN_SHADOW_SHIFT)
1448 / BITS_PER_UNIT), Pmode), NULL_RTX,
1449 1, OPTAB_DIRECT);
1450
1451 if (use_after_return_class == -1 && pbase)
1452 emit_move_insn (pbase, base);
1453
1454 base = expand_binop (Pmode, add_optab, base,
1455 gen_int_mode (base_offset - base_align_bias, Pmode),
1456 NULL_RTX, 1, OPTAB_DIRECT);
1457 orig_base = NULL_RTX;
1458 if (use_after_return_class != -1)
1459 {
1460 if (asan_detect_stack_use_after_return == NULL_TREE)
1461 {
1462 id = get_identifier ("__asan_option_detect_stack_use_after_return");
1463 decl = build_decl (BUILTINS_LOCATION, VAR_DECL, id,
1464 integer_type_node);
1465 SET_DECL_ASSEMBLER_NAME (decl, id);
1466 TREE_ADDRESSABLE (decl) = 1;
1467 DECL_ARTIFICIAL (decl) = 1;
1468 DECL_IGNORED_P (decl) = 1;
1469 DECL_EXTERNAL (decl) = 1;
1470 TREE_STATIC (decl) = 1;
1471 TREE_PUBLIC (decl) = 1;
1472 TREE_USED (decl) = 1;
1473 asan_detect_stack_use_after_return = decl;
1474 }
1475 orig_base = gen_reg_rtx (Pmode);
1476 emit_move_insn (orig_base, base);
1477 ret = expand_normal (asan_detect_stack_use_after_return);
1478 lab = gen_label_rtx ();
1479 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1480 VOIDmode, 0, lab,
1481 profile_probability::very_likely ());
1482 snprintf (buf, sizeof buf, "__asan_stack_malloc_%d",
1483 use_after_return_class);
1484 ret = init_one_libfunc (buf);
1485 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1486 GEN_INT (asan_frame_size
1487 + base_align_bias),
1488 TYPE_MODE (pointer_sized_int_node));
1489 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
1490 and NULL otherwise. Check RET value is NULL here and jump over the
1491 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
1492 emit_cmp_and_jump_insns (ret, const0_rtx, EQ, NULL_RTX,
1493 VOIDmode, 0, lab,
1494 profile_probability:: very_unlikely ());
1495 ret = convert_memory_address (Pmode, ret);
1496 emit_move_insn (base, ret);
1497 emit_label (lab);
1498 emit_move_insn (pbase, expand_binop (Pmode, add_optab, base,
1499 gen_int_mode (base_align_bias
1500 - base_offset, Pmode),
1501 NULL_RTX, 1, OPTAB_DIRECT));
1502 }
1503 mem = gen_rtx_MEM (ptr_mode, base);
1504 mem = adjust_address (mem, VOIDmode, base_align_bias);
1505 emit_move_insn (mem, gen_int_mode (ASAN_STACK_FRAME_MAGIC, ptr_mode));
1506 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1507 emit_move_insn (mem, expand_normal (str_cst));
1508 mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
1509 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANPC", current_function_funcdef_no);
1510 id = get_identifier (buf);
1511 decl = build_decl (DECL_SOURCE_LOCATION (current_function_decl),
1512 VAR_DECL, id, char_type_node);
1513 SET_DECL_ASSEMBLER_NAME (decl, id);
1514 TREE_ADDRESSABLE (decl) = 1;
1515 TREE_READONLY (decl) = 1;
1516 DECL_ARTIFICIAL (decl) = 1;
1517 DECL_IGNORED_P (decl) = 1;
1518 TREE_STATIC (decl) = 1;
1519 TREE_PUBLIC (decl) = 0;
1520 TREE_USED (decl) = 1;
1521 DECL_INITIAL (decl) = decl;
1522 TREE_ASM_WRITTEN (decl) = 1;
1523 TREE_ASM_WRITTEN (id) = 1;
1524 emit_move_insn (mem, expand_normal (build_fold_addr_expr (decl)));
1525 shadow_base = expand_binop (Pmode, lshr_optab, base,
1526 gen_int_shift_amount (Pmode, ASAN_SHADOW_SHIFT),
1527 NULL_RTX, 1, OPTAB_DIRECT);
1528 shadow_base
1529 = plus_constant (Pmode, shadow_base,
1530 asan_shadow_offset ()
1531 + (base_align_bias >> ASAN_SHADOW_SHIFT));
1532 gcc_assert (asan_shadow_set != -1
1533 && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
1534 shadow_mem = gen_rtx_MEM (SImode, shadow_base);
1535 set_mem_alias_set (shadow_mem, asan_shadow_set);
1536 if (STRICT_ALIGNMENT)
1537 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1538 prev_offset = base_offset;
1539
1540 asan_redzone_buffer rz_buffer (shadow_mem, prev_offset);
1541 for (l = length; l; l -= 2)
1542 {
1543 if (l == 2)
1544 cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
1545 offset = offsets[l - 1];
1546
1547 bool extra_byte = (offset - base_offset) & (ASAN_SHADOW_GRANULARITY - 1);
1548 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
1549 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
1550 In that case we have to emit one extra byte that will describe
1551 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
1552 if (extra_byte)
1553 {
1554 HOST_WIDE_INT aoff
1555 = base_offset + ((offset - base_offset)
1556 & ~(ASAN_SHADOW_GRANULARITY - HOST_WIDE_INT_1));
1557 rz_buffer.emit_redzone_byte (aoff, offset - aoff);
1558 offset = aoff + ASAN_SHADOW_GRANULARITY;
1559 }
1560
1561 /* Calculate size of red zone payload. */
1562 while (offset < offsets[l - 2])
1563 {
1564 rz_buffer.emit_redzone_byte (offset, cur_shadow_byte);
1565 offset += ASAN_SHADOW_GRANULARITY;
1566 }
1567
1568 cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
1569 }
1570
1571 /* As the automatic variables are aligned to
1572 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
1573 flushed here. */
1574 gcc_assert (rz_buffer.m_shadow_bytes.is_empty ());
1575
1576 do_pending_stack_adjust ();
1577
1578 /* Construct epilogue sequence. */
1579 start_sequence ();
1580
1581 lab = NULL;
1582 if (use_after_return_class != -1)
1583 {
1584 rtx_code_label *lab2 = gen_label_rtx ();
1585 char c = (char) ASAN_STACK_MAGIC_USE_AFTER_RET;
1586 emit_cmp_and_jump_insns (orig_base, base, EQ, NULL_RTX,
1587 VOIDmode, 0, lab2,
1588 profile_probability::very_likely ());
1589 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1590 set_mem_alias_set (shadow_mem, asan_shadow_set);
1591 mem = gen_rtx_MEM (ptr_mode, base);
1592 mem = adjust_address (mem, VOIDmode, base_align_bias);
1593 emit_move_insn (mem, gen_int_mode (ASAN_STACK_RETIRED_MAGIC, ptr_mode));
1594 unsigned HOST_WIDE_INT sz = asan_frame_size >> ASAN_SHADOW_SHIFT;
1595 if (use_after_return_class < 5
1596 && can_store_by_pieces (sz, builtin_memset_read_str, &c,
1597 BITS_PER_UNIT, true))
1598 store_by_pieces (shadow_mem, sz, builtin_memset_read_str, &c,
1599 BITS_PER_UNIT, true, RETURN_BEGIN);
1600 else if (use_after_return_class >= 5
1601 || !set_storage_via_setmem (shadow_mem,
1602 GEN_INT (sz),
1603 gen_int_mode (c, QImode),
1604 BITS_PER_UNIT, BITS_PER_UNIT,
1605 -1, sz, sz, sz))
1606 {
1607 snprintf (buf, sizeof buf, "__asan_stack_free_%d",
1608 use_after_return_class);
1609 ret = init_one_libfunc (buf);
1610 rtx addr = convert_memory_address (ptr_mode, base);
1611 rtx orig_addr = convert_memory_address (ptr_mode, orig_base);
1612 emit_library_call (ret, LCT_NORMAL, ptr_mode, addr, ptr_mode,
1613 GEN_INT (asan_frame_size + base_align_bias),
1614 TYPE_MODE (pointer_sized_int_node),
1615 orig_addr, ptr_mode);
1616 }
1617 lab = gen_label_rtx ();
1618 emit_jump (lab);
1619 emit_label (lab2);
1620 }
1621
1622 shadow_mem = gen_rtx_MEM (BLKmode, shadow_base);
1623 set_mem_alias_set (shadow_mem, asan_shadow_set);
1624
1625 if (STRICT_ALIGNMENT)
1626 set_mem_align (shadow_mem, (GET_MODE_ALIGNMENT (SImode)));
1627
1628 prev_offset = base_offset;
1629 last_offset = base_offset;
1630 last_size = 0;
1631 for (l = length; l; l -= 2)
1632 {
1633 offset = base_offset + ((offsets[l - 1] - base_offset)
1634 & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
1635 if (last_offset + last_size != offset)
1636 {
1637 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1638 (last_offset - prev_offset)
1639 >> ASAN_SHADOW_SHIFT);
1640 prev_offset = last_offset;
1641 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1642 last_offset = offset;
1643 last_size = 0;
1644 }
1645 last_size += base_offset + ((offsets[l - 2] - base_offset)
1646 & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
1647 - offset;
1648
1649 /* Unpoison shadow memory that corresponds to a variable that is
1650 is subject of use-after-return sanitization. */
1651 if (l > 2)
1652 {
1653 decl = decls[l / 2 - 2];
1654 if (asan_handled_variables != NULL
1655 && asan_handled_variables->contains (decl))
1656 {
1657 HOST_WIDE_INT size = offsets[l - 3] - offsets[l - 2];
1658 if (dump_file && (dump_flags & TDF_DETAILS))
1659 {
1660 const char *n = (DECL_NAME (decl)
1661 ? IDENTIFIER_POINTER (DECL_NAME (decl))
1662 : "<unknown>");
1663 fprintf (dump_file, "Unpoisoning shadow stack for variable: "
1664 "%s (%" PRId64 " B)\n", n, size);
1665 }
1666
1667 last_size += size & ~(ASAN_MIN_RED_ZONE_SIZE - HOST_WIDE_INT_1);
1668 }
1669 }
1670 }
1671 if (last_size)
1672 {
1673 shadow_mem = adjust_address (shadow_mem, VOIDmode,
1674 (last_offset - prev_offset)
1675 >> ASAN_SHADOW_SHIFT);
1676 asan_clear_shadow (shadow_mem, last_size >> ASAN_SHADOW_SHIFT);
1677 }
1678
1679 /* Clean-up set with instrumented stack variables. */
1680 delete asan_handled_variables;
1681 asan_handled_variables = NULL;
1682 delete asan_used_labels;
1683 asan_used_labels = NULL;
1684
1685 do_pending_stack_adjust ();
1686 if (lab)
1687 emit_label (lab);
1688
1689 insns = get_insns ();
1690 end_sequence ();
1691 return insns;
1692 }
1693
1694 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
1695 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
1696 indicates whether we're emitting new instructions sequence or not. */
1697
1698 rtx_insn *
1699 asan_emit_allocas_unpoison (rtx top, rtx bot, rtx_insn *before)
1700 {
1701 if (before)
1702 push_to_sequence (before);
1703 else
1704 start_sequence ();
1705 rtx ret = init_one_libfunc ("__asan_allocas_unpoison");
1706 top = convert_memory_address (ptr_mode, top);
1707 bot = convert_memory_address (ptr_mode, bot);
1708 ret = emit_library_call_value (ret, NULL_RTX, LCT_NORMAL, ptr_mode,
1709 top, ptr_mode, bot, ptr_mode);
1710
1711 do_pending_stack_adjust ();
1712 rtx_insn *insns = get_insns ();
1713 end_sequence ();
1714 return insns;
1715 }
1716
1717 /* Return true if DECL, a global var, might be overridden and needs
1718 therefore a local alias. */
1719
1720 static bool
1721 asan_needs_local_alias (tree decl)
1722 {
1723 return DECL_WEAK (decl) || !targetm.binds_local_p (decl);
1724 }
1725
1726 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
1727 therefore doesn't need protection. */
1728
1729 static bool
1730 is_odr_indicator (tree decl)
1731 {
1732 return (DECL_ARTIFICIAL (decl)
1733 && lookup_attribute ("asan odr indicator", DECL_ATTRIBUTES (decl)));
1734 }
1735
1736 /* Return true if DECL is a VAR_DECL that should be protected
1737 by Address Sanitizer, by appending a red zone with protected
1738 shadow memory after it and aligning it to at least
1739 ASAN_RED_ZONE_SIZE bytes. */
1740
1741 bool
1742 asan_protect_global (tree decl, bool ignore_decl_rtl_set_p)
1743 {
1744 if (!ASAN_GLOBALS)
1745 return false;
1746
1747 rtx rtl, symbol;
1748
1749 if (TREE_CODE (decl) == STRING_CST)
1750 {
1751 /* Instrument all STRING_CSTs except those created
1752 by asan_pp_string here. */
1753 if (shadow_ptr_types[0] != NULL_TREE
1754 && TREE_CODE (TREE_TYPE (decl)) == ARRAY_TYPE
1755 && TREE_TYPE (TREE_TYPE (decl)) == TREE_TYPE (shadow_ptr_types[0]))
1756 return false;
1757 return true;
1758 }
1759 if (!VAR_P (decl)
1760 /* TLS vars aren't statically protectable. */
1761 || DECL_THREAD_LOCAL_P (decl)
1762 /* Externs will be protected elsewhere. */
1763 || DECL_EXTERNAL (decl)
1764 /* PR sanitizer/81697: For architectures that use section anchors first
1765 call to asan_protect_global may occur before DECL_RTL (decl) is set.
1766 We should ignore DECL_RTL_SET_P then, because otherwise the first call
1767 to asan_protect_global will return FALSE and the following calls on the
1768 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
1769 up with inconsistency at runtime. */
1770 || (!DECL_RTL_SET_P (decl) && !ignore_decl_rtl_set_p)
1771 /* Comdat vars pose an ABI problem, we can't know if
1772 the var that is selected by the linker will have
1773 padding or not. */
1774 || DECL_ONE_ONLY (decl)
1775 /* Similarly for common vars. People can use -fno-common.
1776 Note: Linux kernel is built with -fno-common, so we do instrument
1777 globals there even if it is C. */
1778 || (DECL_COMMON (decl) && TREE_PUBLIC (decl))
1779 /* Don't protect if using user section, often vars placed
1780 into user section from multiple TUs are then assumed
1781 to be an array of such vars, putting padding in there
1782 breaks this assumption. */
1783 || (DECL_SECTION_NAME (decl) != NULL
1784 && !symtab_node::get (decl)->implicit_section
1785 && !section_sanitized_p (DECL_SECTION_NAME (decl)))
1786 || DECL_SIZE (decl) == 0
1787 || ASAN_RED_ZONE_SIZE * BITS_PER_UNIT > MAX_OFILE_ALIGNMENT
1788 || TREE_CODE (DECL_SIZE_UNIT (decl)) != INTEGER_CST
1789 || !valid_constant_size_p (DECL_SIZE_UNIT (decl))
1790 || DECL_ALIGN_UNIT (decl) > 2 * ASAN_RED_ZONE_SIZE
1791 || TREE_TYPE (decl) == ubsan_get_source_location_type ()
1792 || is_odr_indicator (decl))
1793 return false;
1794
1795 if (!ignore_decl_rtl_set_p || DECL_RTL_SET_P (decl))
1796 {
1797
1798 rtl = DECL_RTL (decl);
1799 if (!MEM_P (rtl) || GET_CODE (XEXP (rtl, 0)) != SYMBOL_REF)
1800 return false;
1801 symbol = XEXP (rtl, 0);
1802
1803 if (CONSTANT_POOL_ADDRESS_P (symbol)
1804 || TREE_CONSTANT_POOL_ADDRESS_P (symbol))
1805 return false;
1806 }
1807
1808 if (lookup_attribute ("weakref", DECL_ATTRIBUTES (decl)))
1809 return false;
1810
1811 if (!TARGET_SUPPORTS_ALIASES && asan_needs_local_alias (decl))
1812 return false;
1813
1814 return true;
1815 }
1816
1817 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
1818 IS_STORE is either 1 (for a store) or 0 (for a load). */
1819
1820 static tree
1821 report_error_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1822 int *nargs)
1823 {
1824 static enum built_in_function report[2][2][6]
1825 = { { { BUILT_IN_ASAN_REPORT_LOAD1, BUILT_IN_ASAN_REPORT_LOAD2,
1826 BUILT_IN_ASAN_REPORT_LOAD4, BUILT_IN_ASAN_REPORT_LOAD8,
1827 BUILT_IN_ASAN_REPORT_LOAD16, BUILT_IN_ASAN_REPORT_LOAD_N },
1828 { BUILT_IN_ASAN_REPORT_STORE1, BUILT_IN_ASAN_REPORT_STORE2,
1829 BUILT_IN_ASAN_REPORT_STORE4, BUILT_IN_ASAN_REPORT_STORE8,
1830 BUILT_IN_ASAN_REPORT_STORE16, BUILT_IN_ASAN_REPORT_STORE_N } },
1831 { { BUILT_IN_ASAN_REPORT_LOAD1_NOABORT,
1832 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
1833 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
1834 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
1835 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
1836 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
1837 { BUILT_IN_ASAN_REPORT_STORE1_NOABORT,
1838 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
1839 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
1840 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
1841 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
1842 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
1843 if (size_in_bytes == -1)
1844 {
1845 *nargs = 2;
1846 return builtin_decl_implicit (report[recover_p][is_store][5]);
1847 }
1848 *nargs = 1;
1849 int size_log2 = exact_log2 (size_in_bytes);
1850 return builtin_decl_implicit (report[recover_p][is_store][size_log2]);
1851 }
1852
1853 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
1854 IS_STORE is either 1 (for a store) or 0 (for a load). */
1855
1856 static tree
1857 check_func (bool is_store, bool recover_p, HOST_WIDE_INT size_in_bytes,
1858 int *nargs)
1859 {
1860 static enum built_in_function check[2][2][6]
1861 = { { { BUILT_IN_ASAN_LOAD1, BUILT_IN_ASAN_LOAD2,
1862 BUILT_IN_ASAN_LOAD4, BUILT_IN_ASAN_LOAD8,
1863 BUILT_IN_ASAN_LOAD16, BUILT_IN_ASAN_LOADN },
1864 { BUILT_IN_ASAN_STORE1, BUILT_IN_ASAN_STORE2,
1865 BUILT_IN_ASAN_STORE4, BUILT_IN_ASAN_STORE8,
1866 BUILT_IN_ASAN_STORE16, BUILT_IN_ASAN_STOREN } },
1867 { { BUILT_IN_ASAN_LOAD1_NOABORT,
1868 BUILT_IN_ASAN_LOAD2_NOABORT,
1869 BUILT_IN_ASAN_LOAD4_NOABORT,
1870 BUILT_IN_ASAN_LOAD8_NOABORT,
1871 BUILT_IN_ASAN_LOAD16_NOABORT,
1872 BUILT_IN_ASAN_LOADN_NOABORT },
1873 { BUILT_IN_ASAN_STORE1_NOABORT,
1874 BUILT_IN_ASAN_STORE2_NOABORT,
1875 BUILT_IN_ASAN_STORE4_NOABORT,
1876 BUILT_IN_ASAN_STORE8_NOABORT,
1877 BUILT_IN_ASAN_STORE16_NOABORT,
1878 BUILT_IN_ASAN_STOREN_NOABORT } } };
1879 if (size_in_bytes == -1)
1880 {
1881 *nargs = 2;
1882 return builtin_decl_implicit (check[recover_p][is_store][5]);
1883 }
1884 *nargs = 1;
1885 int size_log2 = exact_log2 (size_in_bytes);
1886 return builtin_decl_implicit (check[recover_p][is_store][size_log2]);
1887 }
1888
1889 /* Split the current basic block and create a condition statement
1890 insertion point right before or after the statement pointed to by
1891 ITER. Return an iterator to the point at which the caller might
1892 safely insert the condition statement.
1893
1894 THEN_BLOCK must be set to the address of an uninitialized instance
1895 of basic_block. The function will then set *THEN_BLOCK to the
1896 'then block' of the condition statement to be inserted by the
1897 caller.
1898
1899 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
1900 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
1901
1902 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
1903 block' of the condition statement to be inserted by the caller.
1904
1905 Note that *FALLTHROUGH_BLOCK is a new block that contains the
1906 statements starting from *ITER, and *THEN_BLOCK is a new empty
1907 block.
1908
1909 *ITER is adjusted to point to always point to the first statement
1910 of the basic block * FALLTHROUGH_BLOCK. That statement is the
1911 same as what ITER was pointing to prior to calling this function,
1912 if BEFORE_P is true; otherwise, it is its following statement. */
1913
1914 gimple_stmt_iterator
1915 create_cond_insert_point (gimple_stmt_iterator *iter,
1916 bool before_p,
1917 bool then_more_likely_p,
1918 bool create_then_fallthru_edge,
1919 basic_block *then_block,
1920 basic_block *fallthrough_block)
1921 {
1922 gimple_stmt_iterator gsi = *iter;
1923
1924 if (!gsi_end_p (gsi) && before_p)
1925 gsi_prev (&gsi);
1926
1927 basic_block cur_bb = gsi_bb (*iter);
1928
1929 edge e = split_block (cur_bb, gsi_stmt (gsi));
1930
1931 /* Get a hold on the 'condition block', the 'then block' and the
1932 'else block'. */
1933 basic_block cond_bb = e->src;
1934 basic_block fallthru_bb = e->dest;
1935 basic_block then_bb = create_empty_bb (cond_bb);
1936 if (current_loops)
1937 {
1938 add_bb_to_loop (then_bb, cond_bb->loop_father);
1939 loops_state_set (LOOPS_NEED_FIXUP);
1940 }
1941
1942 /* Set up the newly created 'then block'. */
1943 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1944 profile_probability fallthrough_probability
1945 = then_more_likely_p
1946 ? profile_probability::very_unlikely ()
1947 : profile_probability::very_likely ();
1948 e->probability = fallthrough_probability.invert ();
1949 then_bb->count = e->count ();
1950 if (create_then_fallthru_edge)
1951 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1952
1953 /* Set up the fallthrough basic block. */
1954 e = find_edge (cond_bb, fallthru_bb);
1955 e->flags = EDGE_FALSE_VALUE;
1956 e->probability = fallthrough_probability;
1957
1958 /* Update dominance info for the newly created then_bb; note that
1959 fallthru_bb's dominance info has already been updated by
1960 split_bock. */
1961 if (dom_info_available_p (CDI_DOMINATORS))
1962 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1963
1964 *then_block = then_bb;
1965 *fallthrough_block = fallthru_bb;
1966 *iter = gsi_start_bb (fallthru_bb);
1967
1968 return gsi_last_bb (cond_bb);
1969 }
1970
1971 /* Insert an if condition followed by a 'then block' right before the
1972 statement pointed to by ITER. The fallthrough block -- which is the
1973 else block of the condition as well as the destination of the
1974 outcoming edge of the 'then block' -- starts with the statement
1975 pointed to by ITER.
1976
1977 COND is the condition of the if.
1978
1979 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
1980 'then block' is higher than the probability of the edge to the
1981 fallthrough block.
1982
1983 Upon completion of the function, *THEN_BB is set to the newly
1984 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
1985 fallthrough block.
1986
1987 *ITER is adjusted to still point to the same statement it was
1988 pointing to initially. */
1989
1990 static void
1991 insert_if_then_before_iter (gcond *cond,
1992 gimple_stmt_iterator *iter,
1993 bool then_more_likely_p,
1994 basic_block *then_bb,
1995 basic_block *fallthrough_bb)
1996 {
1997 gimple_stmt_iterator cond_insert_point =
1998 create_cond_insert_point (iter,
1999 /*before_p=*/true,
2000 then_more_likely_p,
2001 /*create_then_fallthru_edge=*/true,
2002 then_bb,
2003 fallthrough_bb);
2004 gsi_insert_after (&cond_insert_point, cond, GSI_NEW_STMT);
2005 }
2006
2007 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2008 If RETURN_ADDRESS is set to true, return memory location instread
2009 of a value in the shadow memory. */
2010
2011 static tree
2012 build_shadow_mem_access (gimple_stmt_iterator *gsi, location_t location,
2013 tree base_addr, tree shadow_ptr_type,
2014 bool return_address = false)
2015 {
2016 tree t, uintptr_type = TREE_TYPE (base_addr);
2017 tree shadow_type = TREE_TYPE (shadow_ptr_type);
2018 gimple *g;
2019
2020 t = build_int_cst (uintptr_type, ASAN_SHADOW_SHIFT);
2021 g = gimple_build_assign (make_ssa_name (uintptr_type), RSHIFT_EXPR,
2022 base_addr, t);
2023 gimple_set_location (g, location);
2024 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2025
2026 t = build_int_cst (uintptr_type, asan_shadow_offset ());
2027 g = gimple_build_assign (make_ssa_name (uintptr_type), PLUS_EXPR,
2028 gimple_assign_lhs (g), t);
2029 gimple_set_location (g, location);
2030 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2031
2032 g = gimple_build_assign (make_ssa_name (shadow_ptr_type), NOP_EXPR,
2033 gimple_assign_lhs (g));
2034 gimple_set_location (g, location);
2035 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2036
2037 if (!return_address)
2038 {
2039 t = build2 (MEM_REF, shadow_type, gimple_assign_lhs (g),
2040 build_int_cst (shadow_ptr_type, 0));
2041 g = gimple_build_assign (make_ssa_name (shadow_type), MEM_REF, t);
2042 gimple_set_location (g, location);
2043 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2044 }
2045
2046 return gimple_assign_lhs (g);
2047 }
2048
2049 /* BASE can already be an SSA_NAME; in that case, do not create a
2050 new SSA_NAME for it. */
2051
2052 static tree
2053 maybe_create_ssa_name (location_t loc, tree base, gimple_stmt_iterator *iter,
2054 bool before_p)
2055 {
2056 if (TREE_CODE (base) == SSA_NAME)
2057 return base;
2058 gimple *g = gimple_build_assign (make_ssa_name (TREE_TYPE (base)),
2059 TREE_CODE (base), base);
2060 gimple_set_location (g, loc);
2061 if (before_p)
2062 gsi_insert_before (iter, g, GSI_SAME_STMT);
2063 else
2064 gsi_insert_after (iter, g, GSI_NEW_STMT);
2065 return gimple_assign_lhs (g);
2066 }
2067
2068 /* LEN can already have necessary size and precision;
2069 in that case, do not create a new variable. */
2070
2071 tree
2072 maybe_cast_to_ptrmode (location_t loc, tree len, gimple_stmt_iterator *iter,
2073 bool before_p)
2074 {
2075 if (ptrofftype_p (len))
2076 return len;
2077 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
2078 NOP_EXPR, len);
2079 gimple_set_location (g, loc);
2080 if (before_p)
2081 gsi_insert_before (iter, g, GSI_SAME_STMT);
2082 else
2083 gsi_insert_after (iter, g, GSI_NEW_STMT);
2084 return gimple_assign_lhs (g);
2085 }
2086
2087 /* Instrument the memory access instruction BASE. Insert new
2088 statements before or after ITER.
2089
2090 Note that the memory access represented by BASE can be either an
2091 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2092 location. IS_STORE is TRUE for a store, FALSE for a load.
2093 BEFORE_P is TRUE for inserting the instrumentation code before
2094 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2095 for a scalar memory access and FALSE for memory region access.
2096 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2097 length. ALIGN tells alignment of accessed memory object.
2098
2099 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2100 memory region have already been instrumented.
2101
2102 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2103 statement it was pointing to prior to calling this function,
2104 otherwise, it points to the statement logically following it. */
2105
2106 static void
2107 build_check_stmt (location_t loc, tree base, tree len,
2108 HOST_WIDE_INT size_in_bytes, gimple_stmt_iterator *iter,
2109 bool is_non_zero_len, bool before_p, bool is_store,
2110 bool is_scalar_access, unsigned int align = 0)
2111 {
2112 gimple_stmt_iterator gsi = *iter;
2113 gimple *g;
2114
2115 gcc_assert (!(size_in_bytes > 0 && !is_non_zero_len));
2116
2117 gsi = *iter;
2118
2119 base = unshare_expr (base);
2120 base = maybe_create_ssa_name (loc, base, &gsi, before_p);
2121
2122 if (len)
2123 {
2124 len = unshare_expr (len);
2125 len = maybe_cast_to_ptrmode (loc, len, iter, before_p);
2126 }
2127 else
2128 {
2129 gcc_assert (size_in_bytes != -1);
2130 len = build_int_cst (pointer_sized_int_node, size_in_bytes);
2131 }
2132
2133 if (size_in_bytes > 1)
2134 {
2135 if ((size_in_bytes & (size_in_bytes - 1)) != 0
2136 || size_in_bytes > 16)
2137 is_scalar_access = false;
2138 else if (align && align < size_in_bytes * BITS_PER_UNIT)
2139 {
2140 /* On non-strict alignment targets, if
2141 16-byte access is just 8-byte aligned,
2142 this will result in misaligned shadow
2143 memory 2 byte load, but otherwise can
2144 be handled using one read. */
2145 if (size_in_bytes != 16
2146 || STRICT_ALIGNMENT
2147 || align < 8 * BITS_PER_UNIT)
2148 is_scalar_access = false;
2149 }
2150 }
2151
2152 HOST_WIDE_INT flags = 0;
2153 if (is_store)
2154 flags |= ASAN_CHECK_STORE;
2155 if (is_non_zero_len)
2156 flags |= ASAN_CHECK_NON_ZERO_LEN;
2157 if (is_scalar_access)
2158 flags |= ASAN_CHECK_SCALAR_ACCESS;
2159
2160 g = gimple_build_call_internal (IFN_ASAN_CHECK, 4,
2161 build_int_cst (integer_type_node, flags),
2162 base, len,
2163 build_int_cst (integer_type_node,
2164 align / BITS_PER_UNIT));
2165 gimple_set_location (g, loc);
2166 if (before_p)
2167 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
2168 else
2169 {
2170 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
2171 gsi_next (&gsi);
2172 *iter = gsi;
2173 }
2174 }
2175
2176 /* If T represents a memory access, add instrumentation code before ITER.
2177 LOCATION is source code location.
2178 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2179
2180 static void
2181 instrument_derefs (gimple_stmt_iterator *iter, tree t,
2182 location_t location, bool is_store)
2183 {
2184 if (is_store && !ASAN_INSTRUMENT_WRITES)
2185 return;
2186 if (!is_store && !ASAN_INSTRUMENT_READS)
2187 return;
2188
2189 tree type, base;
2190 HOST_WIDE_INT size_in_bytes;
2191 if (location == UNKNOWN_LOCATION)
2192 location = EXPR_LOCATION (t);
2193
2194 type = TREE_TYPE (t);
2195 switch (TREE_CODE (t))
2196 {
2197 case ARRAY_REF:
2198 case COMPONENT_REF:
2199 case INDIRECT_REF:
2200 case MEM_REF:
2201 case VAR_DECL:
2202 case BIT_FIELD_REF:
2203 break;
2204 /* FALLTHRU */
2205 default:
2206 return;
2207 }
2208
2209 size_in_bytes = int_size_in_bytes (type);
2210 if (size_in_bytes <= 0)
2211 return;
2212
2213 poly_int64 bitsize, bitpos;
2214 tree offset;
2215 machine_mode mode;
2216 int unsignedp, reversep, volatilep = 0;
2217 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
2218 &unsignedp, &reversep, &volatilep);
2219
2220 if (TREE_CODE (t) == COMPONENT_REF
2221 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
2222 {
2223 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2224 instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
2225 TREE_OPERAND (t, 0), repr,
2226 TREE_OPERAND (t, 2)),
2227 location, is_store);
2228 return;
2229 }
2230
2231 if (!multiple_p (bitpos, BITS_PER_UNIT)
2232 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT))
2233 return;
2234
2235 if (VAR_P (inner) && DECL_HARD_REGISTER (inner))
2236 return;
2237
2238 poly_int64 decl_size;
2239 if (VAR_P (inner)
2240 && offset == NULL_TREE
2241 && DECL_SIZE (inner)
2242 && poly_int_tree_p (DECL_SIZE (inner), &decl_size)
2243 && known_subrange_p (bitpos, bitsize, 0, decl_size))
2244 {
2245 if (DECL_THREAD_LOCAL_P (inner))
2246 return;
2247 if (!ASAN_GLOBALS && is_global_var (inner))
2248 return;
2249 if (!TREE_STATIC (inner))
2250 {
2251 /* Automatic vars in the current function will be always
2252 accessible. */
2253 if (decl_function_context (inner) == current_function_decl
2254 && (!asan_sanitize_use_after_scope ()
2255 || !TREE_ADDRESSABLE (inner)))
2256 return;
2257 }
2258 /* Always instrument external vars, they might be dynamically
2259 initialized. */
2260 else if (!DECL_EXTERNAL (inner))
2261 {
2262 /* For static vars if they are known not to be dynamically
2263 initialized, they will be always accessible. */
2264 varpool_node *vnode = varpool_node::get (inner);
2265 if (vnode && !vnode->dynamically_initialized)
2266 return;
2267 }
2268 }
2269
2270 base = build_fold_addr_expr (t);
2271 if (!has_mem_ref_been_instrumented (base, size_in_bytes))
2272 {
2273 unsigned int align = get_object_alignment (t);
2274 build_check_stmt (location, base, NULL_TREE, size_in_bytes, iter,
2275 /*is_non_zero_len*/size_in_bytes > 0, /*before_p=*/true,
2276 is_store, /*is_scalar_access*/true, align);
2277 update_mem_ref_hash_table (base, size_in_bytes);
2278 update_mem_ref_hash_table (t, size_in_bytes);
2279 }
2280
2281 }
2282
2283 /* Insert a memory reference into the hash table if access length
2284 can be determined in compile time. */
2285
2286 static void
2287 maybe_update_mem_ref_hash_table (tree base, tree len)
2288 {
2289 if (!POINTER_TYPE_P (TREE_TYPE (base))
2290 || !INTEGRAL_TYPE_P (TREE_TYPE (len)))
2291 return;
2292
2293 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2294
2295 if (size_in_bytes != -1)
2296 update_mem_ref_hash_table (base, size_in_bytes);
2297 }
2298
2299 /* Instrument an access to a contiguous memory region that starts at
2300 the address pointed to by BASE, over a length of LEN (expressed in
2301 the sizeof (*BASE) bytes). ITER points to the instruction before
2302 which the instrumentation instructions must be inserted. LOCATION
2303 is the source location that the instrumentation instructions must
2304 have. If IS_STORE is true, then the memory access is a store;
2305 otherwise, it's a load. */
2306
2307 static void
2308 instrument_mem_region_access (tree base, tree len,
2309 gimple_stmt_iterator *iter,
2310 location_t location, bool is_store)
2311 {
2312 if (!POINTER_TYPE_P (TREE_TYPE (base))
2313 || !INTEGRAL_TYPE_P (TREE_TYPE (len))
2314 || integer_zerop (len))
2315 return;
2316
2317 HOST_WIDE_INT size_in_bytes = tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
2318
2319 if ((size_in_bytes == -1)
2320 || !has_mem_ref_been_instrumented (base, size_in_bytes))
2321 {
2322 build_check_stmt (location, base, len, size_in_bytes, iter,
2323 /*is_non_zero_len*/size_in_bytes > 0, /*before_p*/true,
2324 is_store, /*is_scalar_access*/false, /*align*/0);
2325 }
2326
2327 maybe_update_mem_ref_hash_table (base, len);
2328 *iter = gsi_for_stmt (gsi_stmt (*iter));
2329 }
2330
2331 /* Instrument the call to a built-in memory access function that is
2332 pointed to by the iterator ITER.
2333
2334 Upon completion, return TRUE iff *ITER has been advanced to the
2335 statement following the one it was originally pointing to. */
2336
2337 static bool
2338 instrument_builtin_call (gimple_stmt_iterator *iter)
2339 {
2340 if (!ASAN_MEMINTRIN)
2341 return false;
2342
2343 bool iter_advanced_p = false;
2344 gcall *call = as_a <gcall *> (gsi_stmt (*iter));
2345
2346 gcc_checking_assert (gimple_call_builtin_p (call, BUILT_IN_NORMAL));
2347
2348 location_t loc = gimple_location (call);
2349
2350 asan_mem_ref src0, src1, dest;
2351 asan_mem_ref_init (&src0, NULL, 1);
2352 asan_mem_ref_init (&src1, NULL, 1);
2353 asan_mem_ref_init (&dest, NULL, 1);
2354
2355 tree src0_len = NULL_TREE, src1_len = NULL_TREE, dest_len = NULL_TREE;
2356 bool src0_is_store = false, src1_is_store = false, dest_is_store = false,
2357 dest_is_deref = false, intercepted_p = true;
2358
2359 if (get_mem_refs_of_builtin_call (call,
2360 &src0, &src0_len, &src0_is_store,
2361 &src1, &src1_len, &src1_is_store,
2362 &dest, &dest_len, &dest_is_store,
2363 &dest_is_deref, &intercepted_p, iter))
2364 {
2365 if (dest_is_deref)
2366 {
2367 instrument_derefs (iter, dest.start, loc, dest_is_store);
2368 gsi_next (iter);
2369 iter_advanced_p = true;
2370 }
2371 else if (!intercepted_p
2372 && (src0_len || src1_len || dest_len))
2373 {
2374 if (src0.start != NULL_TREE)
2375 instrument_mem_region_access (src0.start, src0_len,
2376 iter, loc, /*is_store=*/false);
2377 if (src1.start != NULL_TREE)
2378 instrument_mem_region_access (src1.start, src1_len,
2379 iter, loc, /*is_store=*/false);
2380 if (dest.start != NULL_TREE)
2381 instrument_mem_region_access (dest.start, dest_len,
2382 iter, loc, /*is_store=*/true);
2383
2384 *iter = gsi_for_stmt (call);
2385 gsi_next (iter);
2386 iter_advanced_p = true;
2387 }
2388 else
2389 {
2390 if (src0.start != NULL_TREE)
2391 maybe_update_mem_ref_hash_table (src0.start, src0_len);
2392 if (src1.start != NULL_TREE)
2393 maybe_update_mem_ref_hash_table (src1.start, src1_len);
2394 if (dest.start != NULL_TREE)
2395 maybe_update_mem_ref_hash_table (dest.start, dest_len);
2396 }
2397 }
2398 return iter_advanced_p;
2399 }
2400
2401 /* Instrument the assignment statement ITER if it is subject to
2402 instrumentation. Return TRUE iff instrumentation actually
2403 happened. In that case, the iterator ITER is advanced to the next
2404 logical expression following the one initially pointed to by ITER,
2405 and the relevant memory reference that which access has been
2406 instrumented is added to the memory references hash table. */
2407
2408 static bool
2409 maybe_instrument_assignment (gimple_stmt_iterator *iter)
2410 {
2411 gimple *s = gsi_stmt (*iter);
2412
2413 gcc_assert (gimple_assign_single_p (s));
2414
2415 tree ref_expr = NULL_TREE;
2416 bool is_store, is_instrumented = false;
2417
2418 if (gimple_store_p (s))
2419 {
2420 ref_expr = gimple_assign_lhs (s);
2421 is_store = true;
2422 instrument_derefs (iter, ref_expr,
2423 gimple_location (s),
2424 is_store);
2425 is_instrumented = true;
2426 }
2427
2428 if (gimple_assign_load_p (s))
2429 {
2430 ref_expr = gimple_assign_rhs1 (s);
2431 is_store = false;
2432 instrument_derefs (iter, ref_expr,
2433 gimple_location (s),
2434 is_store);
2435 is_instrumented = true;
2436 }
2437
2438 if (is_instrumented)
2439 gsi_next (iter);
2440
2441 return is_instrumented;
2442 }
2443
2444 /* Instrument the function call pointed to by the iterator ITER, if it
2445 is subject to instrumentation. At the moment, the only function
2446 calls that are instrumented are some built-in functions that access
2447 memory. Look at instrument_builtin_call to learn more.
2448
2449 Upon completion return TRUE iff *ITER was advanced to the statement
2450 following the one it was originally pointing to. */
2451
2452 static bool
2453 maybe_instrument_call (gimple_stmt_iterator *iter)
2454 {
2455 gimple *stmt = gsi_stmt (*iter);
2456 bool is_builtin = gimple_call_builtin_p (stmt, BUILT_IN_NORMAL);
2457
2458 if (is_builtin && instrument_builtin_call (iter))
2459 return true;
2460
2461 if (gimple_call_noreturn_p (stmt))
2462 {
2463 if (is_builtin)
2464 {
2465 tree callee = gimple_call_fndecl (stmt);
2466 switch (DECL_FUNCTION_CODE (callee))
2467 {
2468 case BUILT_IN_UNREACHABLE:
2469 case BUILT_IN_TRAP:
2470 /* Don't instrument these. */
2471 return false;
2472 default:
2473 break;
2474 }
2475 }
2476 tree decl = builtin_decl_implicit (BUILT_IN_ASAN_HANDLE_NO_RETURN);
2477 gimple *g = gimple_build_call (decl, 0);
2478 gimple_set_location (g, gimple_location (stmt));
2479 gsi_insert_before (iter, g, GSI_SAME_STMT);
2480 }
2481
2482 bool instrumented = false;
2483 if (gimple_store_p (stmt))
2484 {
2485 tree ref_expr = gimple_call_lhs (stmt);
2486 instrument_derefs (iter, ref_expr,
2487 gimple_location (stmt),
2488 /*is_store=*/true);
2489
2490 instrumented = true;
2491 }
2492
2493 /* Walk through gimple_call arguments and check them id needed. */
2494 unsigned args_num = gimple_call_num_args (stmt);
2495 for (unsigned i = 0; i < args_num; ++i)
2496 {
2497 tree arg = gimple_call_arg (stmt, i);
2498 /* If ARG is not a non-aggregate register variable, compiler in general
2499 creates temporary for it and pass it as argument to gimple call.
2500 But in some cases, e.g. when we pass by value a small structure that
2501 fits to register, compiler can avoid extra overhead by pulling out
2502 these temporaries. In this case, we should check the argument. */
2503 if (!is_gimple_reg (arg) && !is_gimple_min_invariant (arg))
2504 {
2505 instrument_derefs (iter, arg,
2506 gimple_location (stmt),
2507 /*is_store=*/false);
2508 instrumented = true;
2509 }
2510 }
2511 if (instrumented)
2512 gsi_next (iter);
2513 return instrumented;
2514 }
2515
2516 /* Walk each instruction of all basic block and instrument those that
2517 represent memory references: loads, stores, or function calls.
2518 In a given basic block, this function avoids instrumenting memory
2519 references that have already been instrumented. */
2520
2521 static void
2522 transform_statements (void)
2523 {
2524 basic_block bb, last_bb = NULL;
2525 gimple_stmt_iterator i;
2526 int saved_last_basic_block = last_basic_block_for_fn (cfun);
2527
2528 FOR_EACH_BB_FN (bb, cfun)
2529 {
2530 basic_block prev_bb = bb;
2531
2532 if (bb->index >= saved_last_basic_block) continue;
2533
2534 /* Flush the mem ref hash table, if current bb doesn't have
2535 exactly one predecessor, or if that predecessor (skipping
2536 over asan created basic blocks) isn't the last processed
2537 basic block. Thus we effectively flush on extended basic
2538 block boundaries. */
2539 while (single_pred_p (prev_bb))
2540 {
2541 prev_bb = single_pred (prev_bb);
2542 if (prev_bb->index < saved_last_basic_block)
2543 break;
2544 }
2545 if (prev_bb != last_bb)
2546 empty_mem_ref_hash_table ();
2547 last_bb = bb;
2548
2549 for (i = gsi_start_bb (bb); !gsi_end_p (i);)
2550 {
2551 gimple *s = gsi_stmt (i);
2552
2553 if (has_stmt_been_instrumented_p (s))
2554 gsi_next (&i);
2555 else if (gimple_assign_single_p (s)
2556 && !gimple_clobber_p (s)
2557 && maybe_instrument_assignment (&i))
2558 /* Nothing to do as maybe_instrument_assignment advanced
2559 the iterator I. */;
2560 else if (is_gimple_call (s) && maybe_instrument_call (&i))
2561 /* Nothing to do as maybe_instrument_call
2562 advanced the iterator I. */;
2563 else
2564 {
2565 /* No instrumentation happened.
2566
2567 If the current instruction is a function call that
2568 might free something, let's forget about the memory
2569 references that got instrumented. Otherwise we might
2570 miss some instrumentation opportunities. Do the same
2571 for a ASAN_MARK poisoning internal function. */
2572 if (is_gimple_call (s)
2573 && (!nonfreeing_call_p (s)
2574 || asan_mark_p (s, ASAN_MARK_POISON)))
2575 empty_mem_ref_hash_table ();
2576
2577 gsi_next (&i);
2578 }
2579 }
2580 }
2581 free_mem_ref_resources ();
2582 }
2583
2584 /* Build
2585 __asan_before_dynamic_init (module_name)
2586 or
2587 __asan_after_dynamic_init ()
2588 call. */
2589
2590 tree
2591 asan_dynamic_init_call (bool after_p)
2592 {
2593 if (shadow_ptr_types[0] == NULL_TREE)
2594 asan_init_shadow_ptr_types ();
2595
2596 tree fn = builtin_decl_implicit (after_p
2597 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
2598 : BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT);
2599 tree module_name_cst = NULL_TREE;
2600 if (!after_p)
2601 {
2602 pretty_printer module_name_pp;
2603 pp_string (&module_name_pp, main_input_filename);
2604
2605 module_name_cst = asan_pp_string (&module_name_pp);
2606 module_name_cst = fold_convert (const_ptr_type_node,
2607 module_name_cst);
2608 }
2609
2610 return build_call_expr (fn, after_p ? 0 : 1, module_name_cst);
2611 }
2612
2613 /* Build
2614 struct __asan_global
2615 {
2616 const void *__beg;
2617 uptr __size;
2618 uptr __size_with_redzone;
2619 const void *__name;
2620 const void *__module_name;
2621 uptr __has_dynamic_init;
2622 __asan_global_source_location *__location;
2623 char *__odr_indicator;
2624 } type. */
2625
2626 static tree
2627 asan_global_struct (void)
2628 {
2629 static const char *field_names[]
2630 = { "__beg", "__size", "__size_with_redzone",
2631 "__name", "__module_name", "__has_dynamic_init", "__location",
2632 "__odr_indicator" };
2633 tree fields[ARRAY_SIZE (field_names)], ret;
2634 unsigned i;
2635
2636 ret = make_node (RECORD_TYPE);
2637 for (i = 0; i < ARRAY_SIZE (field_names); i++)
2638 {
2639 fields[i]
2640 = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
2641 get_identifier (field_names[i]),
2642 (i == 0 || i == 3) ? const_ptr_type_node
2643 : pointer_sized_int_node);
2644 DECL_CONTEXT (fields[i]) = ret;
2645 if (i)
2646 DECL_CHAIN (fields[i - 1]) = fields[i];
2647 }
2648 tree type_decl = build_decl (input_location, TYPE_DECL,
2649 get_identifier ("__asan_global"), ret);
2650 DECL_IGNORED_P (type_decl) = 1;
2651 DECL_ARTIFICIAL (type_decl) = 1;
2652 TYPE_FIELDS (ret) = fields[0];
2653 TYPE_NAME (ret) = type_decl;
2654 TYPE_STUB_DECL (ret) = type_decl;
2655 layout_type (ret);
2656 return ret;
2657 }
2658
2659 /* Create and return odr indicator symbol for DECL.
2660 TYPE is __asan_global struct type as returned by asan_global_struct. */
2661
2662 static tree
2663 create_odr_indicator (tree decl, tree type)
2664 {
2665 char *name;
2666 tree uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2667 tree decl_name
2668 = (HAS_DECL_ASSEMBLER_NAME_P (decl) ? DECL_ASSEMBLER_NAME (decl)
2669 : DECL_NAME (decl));
2670 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
2671 if (decl_name == NULL_TREE)
2672 return build_int_cst (uptr, 0);
2673 const char *dname = IDENTIFIER_POINTER (decl_name);
2674 if (HAS_DECL_ASSEMBLER_NAME_P (decl))
2675 dname = targetm.strip_name_encoding (dname);
2676 size_t len = strlen (dname) + sizeof ("__odr_asan_");
2677 name = XALLOCAVEC (char, len);
2678 snprintf (name, len, "__odr_asan_%s", dname);
2679 #ifndef NO_DOT_IN_LABEL
2680 name[sizeof ("__odr_asan") - 1] = '.';
2681 #elif !defined(NO_DOLLAR_IN_LABEL)
2682 name[sizeof ("__odr_asan") - 1] = '$';
2683 #endif
2684 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (name),
2685 char_type_node);
2686 TREE_ADDRESSABLE (var) = 1;
2687 TREE_READONLY (var) = 0;
2688 TREE_THIS_VOLATILE (var) = 1;
2689 DECL_GIMPLE_REG_P (var) = 0;
2690 DECL_ARTIFICIAL (var) = 1;
2691 DECL_IGNORED_P (var) = 1;
2692 TREE_STATIC (var) = 1;
2693 TREE_PUBLIC (var) = 1;
2694 DECL_VISIBILITY (var) = DECL_VISIBILITY (decl);
2695 DECL_VISIBILITY_SPECIFIED (var) = DECL_VISIBILITY_SPECIFIED (decl);
2696
2697 TREE_USED (var) = 1;
2698 tree ctor = build_constructor_va (TREE_TYPE (var), 1, NULL_TREE,
2699 build_int_cst (unsigned_type_node, 0));
2700 TREE_CONSTANT (ctor) = 1;
2701 TREE_STATIC (ctor) = 1;
2702 DECL_INITIAL (var) = ctor;
2703 DECL_ATTRIBUTES (var) = tree_cons (get_identifier ("asan odr indicator"),
2704 NULL, DECL_ATTRIBUTES (var));
2705 make_decl_rtl (var);
2706 varpool_node::finalize_decl (var);
2707 return fold_convert (uptr, build_fold_addr_expr (var));
2708 }
2709
2710 /* Return true if DECL, a global var, might be overridden and needs
2711 an additional odr indicator symbol. */
2712
2713 static bool
2714 asan_needs_odr_indicator_p (tree decl)
2715 {
2716 /* Don't emit ODR indicators for kernel because:
2717 a) Kernel is written in C thus doesn't need ODR indicators.
2718 b) Some kernel code may have assumptions about symbols containing specific
2719 patterns in their names. Since ODR indicators contain original names
2720 of symbols they are emitted for, these assumptions would be broken for
2721 ODR indicator symbols. */
2722 return (!(flag_sanitize & SANITIZE_KERNEL_ADDRESS)
2723 && !DECL_ARTIFICIAL (decl)
2724 && !DECL_WEAK (decl)
2725 && TREE_PUBLIC (decl));
2726 }
2727
2728 /* Append description of a single global DECL into vector V.
2729 TYPE is __asan_global struct type as returned by asan_global_struct. */
2730
2731 static void
2732 asan_add_global (tree decl, tree type, vec<constructor_elt, va_gc> *v)
2733 {
2734 tree init, uptr = TREE_TYPE (DECL_CHAIN (TYPE_FIELDS (type)));
2735 unsigned HOST_WIDE_INT size;
2736 tree str_cst, module_name_cst, refdecl = decl;
2737 vec<constructor_elt, va_gc> *vinner = NULL;
2738
2739 pretty_printer asan_pp, module_name_pp;
2740
2741 if (DECL_NAME (decl))
2742 pp_tree_identifier (&asan_pp, DECL_NAME (decl));
2743 else
2744 pp_string (&asan_pp, "<unknown>");
2745 str_cst = asan_pp_string (&asan_pp);
2746
2747 pp_string (&module_name_pp, main_input_filename);
2748 module_name_cst = asan_pp_string (&module_name_pp);
2749
2750 if (asan_needs_local_alias (decl))
2751 {
2752 char buf[20];
2753 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", vec_safe_length (v) + 1);
2754 refdecl = build_decl (DECL_SOURCE_LOCATION (decl),
2755 VAR_DECL, get_identifier (buf), TREE_TYPE (decl));
2756 TREE_ADDRESSABLE (refdecl) = TREE_ADDRESSABLE (decl);
2757 TREE_READONLY (refdecl) = TREE_READONLY (decl);
2758 TREE_THIS_VOLATILE (refdecl) = TREE_THIS_VOLATILE (decl);
2759 DECL_GIMPLE_REG_P (refdecl) = DECL_GIMPLE_REG_P (decl);
2760 DECL_ARTIFICIAL (refdecl) = DECL_ARTIFICIAL (decl);
2761 DECL_IGNORED_P (refdecl) = DECL_IGNORED_P (decl);
2762 TREE_STATIC (refdecl) = 1;
2763 TREE_PUBLIC (refdecl) = 0;
2764 TREE_USED (refdecl) = 1;
2765 assemble_alias (refdecl, DECL_ASSEMBLER_NAME (decl));
2766 }
2767
2768 tree odr_indicator_ptr
2769 = (asan_needs_odr_indicator_p (decl) ? create_odr_indicator (decl, type)
2770 : build_int_cst (uptr, 0));
2771 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2772 fold_convert (const_ptr_type_node,
2773 build_fold_addr_expr (refdecl)));
2774 size = tree_to_uhwi (DECL_SIZE_UNIT (decl));
2775 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2776 size += asan_red_zone_size (size);
2777 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, build_int_cst (uptr, size));
2778 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2779 fold_convert (const_ptr_type_node, str_cst));
2780 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2781 fold_convert (const_ptr_type_node, module_name_cst));
2782 varpool_node *vnode = varpool_node::get (decl);
2783 int has_dynamic_init = 0;
2784 /* FIXME: Enable initialization order fiasco detection in LTO mode once
2785 proper fix for PR 79061 will be applied. */
2786 if (!in_lto_p)
2787 has_dynamic_init = vnode ? vnode->dynamically_initialized : 0;
2788 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE,
2789 build_int_cst (uptr, has_dynamic_init));
2790 tree locptr = NULL_TREE;
2791 location_t loc = DECL_SOURCE_LOCATION (decl);
2792 expanded_location xloc = expand_location (loc);
2793 if (xloc.file != NULL)
2794 {
2795 static int lasanloccnt = 0;
2796 char buf[25];
2797 ASM_GENERATE_INTERNAL_LABEL (buf, "LASANLOC", ++lasanloccnt);
2798 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
2799 ubsan_get_source_location_type ());
2800 TREE_STATIC (var) = 1;
2801 TREE_PUBLIC (var) = 0;
2802 DECL_ARTIFICIAL (var) = 1;
2803 DECL_IGNORED_P (var) = 1;
2804 pretty_printer filename_pp;
2805 pp_string (&filename_pp, xloc.file);
2806 tree str = asan_pp_string (&filename_pp);
2807 tree ctor = build_constructor_va (TREE_TYPE (var), 3,
2808 NULL_TREE, str, NULL_TREE,
2809 build_int_cst (unsigned_type_node,
2810 xloc.line), NULL_TREE,
2811 build_int_cst (unsigned_type_node,
2812 xloc.column));
2813 TREE_CONSTANT (ctor) = 1;
2814 TREE_STATIC (ctor) = 1;
2815 DECL_INITIAL (var) = ctor;
2816 varpool_node::finalize_decl (var);
2817 locptr = fold_convert (uptr, build_fold_addr_expr (var));
2818 }
2819 else
2820 locptr = build_int_cst (uptr, 0);
2821 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, locptr);
2822 CONSTRUCTOR_APPEND_ELT (vinner, NULL_TREE, odr_indicator_ptr);
2823 init = build_constructor (type, vinner);
2824 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, init);
2825 }
2826
2827 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
2828 void
2829 initialize_sanitizer_builtins (void)
2830 {
2831 tree decl;
2832
2833 if (builtin_decl_implicit_p (BUILT_IN_ASAN_INIT))
2834 return;
2835
2836 tree BT_FN_VOID = build_function_type_list (void_type_node, NULL_TREE);
2837 tree BT_FN_VOID_PTR
2838 = build_function_type_list (void_type_node, ptr_type_node, NULL_TREE);
2839 tree BT_FN_VOID_CONST_PTR
2840 = build_function_type_list (void_type_node, const_ptr_type_node, NULL_TREE);
2841 tree BT_FN_VOID_PTR_PTR
2842 = build_function_type_list (void_type_node, ptr_type_node,
2843 ptr_type_node, NULL_TREE);
2844 tree BT_FN_VOID_PTR_PTR_PTR
2845 = build_function_type_list (void_type_node, ptr_type_node,
2846 ptr_type_node, ptr_type_node, NULL_TREE);
2847 tree BT_FN_VOID_PTR_PTRMODE
2848 = build_function_type_list (void_type_node, ptr_type_node,
2849 pointer_sized_int_node, NULL_TREE);
2850 tree BT_FN_VOID_INT
2851 = build_function_type_list (void_type_node, integer_type_node, NULL_TREE);
2852 tree BT_FN_SIZE_CONST_PTR_INT
2853 = build_function_type_list (size_type_node, const_ptr_type_node,
2854 integer_type_node, NULL_TREE);
2855
2856 tree BT_FN_VOID_UINT8_UINT8
2857 = build_function_type_list (void_type_node, unsigned_char_type_node,
2858 unsigned_char_type_node, NULL_TREE);
2859 tree BT_FN_VOID_UINT16_UINT16
2860 = build_function_type_list (void_type_node, uint16_type_node,
2861 uint16_type_node, NULL_TREE);
2862 tree BT_FN_VOID_UINT32_UINT32
2863 = build_function_type_list (void_type_node, uint32_type_node,
2864 uint32_type_node, NULL_TREE);
2865 tree BT_FN_VOID_UINT64_UINT64
2866 = build_function_type_list (void_type_node, uint64_type_node,
2867 uint64_type_node, NULL_TREE);
2868 tree BT_FN_VOID_FLOAT_FLOAT
2869 = build_function_type_list (void_type_node, float_type_node,
2870 float_type_node, NULL_TREE);
2871 tree BT_FN_VOID_DOUBLE_DOUBLE
2872 = build_function_type_list (void_type_node, double_type_node,
2873 double_type_node, NULL_TREE);
2874 tree BT_FN_VOID_UINT64_PTR
2875 = build_function_type_list (void_type_node, uint64_type_node,
2876 ptr_type_node, NULL_TREE);
2877
2878 tree BT_FN_BOOL_VPTR_PTR_IX_INT_INT[5];
2879 tree BT_FN_IX_CONST_VPTR_INT[5];
2880 tree BT_FN_IX_VPTR_IX_INT[5];
2881 tree BT_FN_VOID_VPTR_IX_INT[5];
2882 tree vptr
2883 = build_pointer_type (build_qualified_type (void_type_node,
2884 TYPE_QUAL_VOLATILE));
2885 tree cvptr
2886 = build_pointer_type (build_qualified_type (void_type_node,
2887 TYPE_QUAL_VOLATILE
2888 |TYPE_QUAL_CONST));
2889 tree boolt
2890 = lang_hooks.types.type_for_size (BOOL_TYPE_SIZE, 1);
2891 int i;
2892 for (i = 0; i < 5; i++)
2893 {
2894 tree ix = build_nonstandard_integer_type (BITS_PER_UNIT * (1 << i), 1);
2895 BT_FN_BOOL_VPTR_PTR_IX_INT_INT[i]
2896 = build_function_type_list (boolt, vptr, ptr_type_node, ix,
2897 integer_type_node, integer_type_node,
2898 NULL_TREE);
2899 BT_FN_IX_CONST_VPTR_INT[i]
2900 = build_function_type_list (ix, cvptr, integer_type_node, NULL_TREE);
2901 BT_FN_IX_VPTR_IX_INT[i]
2902 = build_function_type_list (ix, vptr, ix, integer_type_node,
2903 NULL_TREE);
2904 BT_FN_VOID_VPTR_IX_INT[i]
2905 = build_function_type_list (void_type_node, vptr, ix,
2906 integer_type_node, NULL_TREE);
2907 }
2908 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
2909 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
2910 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
2911 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
2912 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
2913 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
2914 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
2915 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
2916 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
2917 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
2918 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
2919 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
2920 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
2921 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
2922 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
2923 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
2924 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
2925 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
2926 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
2927 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
2928 #undef ATTR_NOTHROW_LEAF_LIST
2929 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
2930 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
2931 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
2932 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
2933 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
2934 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2935 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
2936 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
2937 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
2938 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
2939 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
2940 #undef ATTR_COLD_NOTHROW_LEAF_LIST
2941 #define ATTR_COLD_NOTHROW_LEAF_LIST \
2942 /* ECF_COLD missing */ ATTR_NOTHROW_LEAF_LIST
2943 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
2944 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
2945 /* ECF_COLD missing */ ATTR_NORETURN_NOTHROW_LEAF_LIST
2946 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
2947 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
2948 /* ECF_COLD missing */ ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
2949 #undef ATTR_PURE_NOTHROW_LEAF_LIST
2950 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
2951 #undef DEF_BUILTIN_STUB
2952 #define DEF_BUILTIN_STUB(ENUM, NAME)
2953 #undef DEF_SANITIZER_BUILTIN_1
2954 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
2955 do { \
2956 decl = add_builtin_function ("__builtin_" NAME, TYPE, ENUM, \
2957 BUILT_IN_NORMAL, NAME, NULL_TREE); \
2958 set_call_expr_flags (decl, ATTRS); \
2959 set_builtin_decl (ENUM, decl, true); \
2960 } while (0)
2961 #undef DEF_SANITIZER_BUILTIN
2962 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
2963 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
2964
2965 #include "sanitizer.def"
2966
2967 /* -fsanitize=object-size uses __builtin_object_size, but that might
2968 not be available for e.g. Fortran at this point. We use
2969 DEF_SANITIZER_BUILTIN here only as a convenience macro. */
2970 if ((flag_sanitize & SANITIZE_OBJECT_SIZE)
2971 && !builtin_decl_implicit_p (BUILT_IN_OBJECT_SIZE))
2972 DEF_SANITIZER_BUILTIN_1 (BUILT_IN_OBJECT_SIZE, "object_size",
2973 BT_FN_SIZE_CONST_PTR_INT,
2974 ATTR_PURE_NOTHROW_LEAF_LIST);
2975
2976 #undef DEF_SANITIZER_BUILTIN_1
2977 #undef DEF_SANITIZER_BUILTIN
2978 #undef DEF_BUILTIN_STUB
2979 }
2980
2981 /* Called via htab_traverse. Count number of emitted
2982 STRING_CSTs in the constant hash table. */
2983
2984 int
2985 count_string_csts (constant_descriptor_tree **slot,
2986 unsigned HOST_WIDE_INT *data)
2987 {
2988 struct constant_descriptor_tree *desc = *slot;
2989 if (TREE_CODE (desc->value) == STRING_CST
2990 && TREE_ASM_WRITTEN (desc->value)
2991 && asan_protect_global (desc->value))
2992 ++*data;
2993 return 1;
2994 }
2995
2996 /* Helper structure to pass two parameters to
2997 add_string_csts. */
2998
2999 struct asan_add_string_csts_data
3000 {
3001 tree type;
3002 vec<constructor_elt, va_gc> *v;
3003 };
3004
3005 /* Called via hash_table::traverse. Call asan_add_global
3006 on emitted STRING_CSTs from the constant hash table. */
3007
3008 int
3009 add_string_csts (constant_descriptor_tree **slot,
3010 asan_add_string_csts_data *aascd)
3011 {
3012 struct constant_descriptor_tree *desc = *slot;
3013 if (TREE_CODE (desc->value) == STRING_CST
3014 && TREE_ASM_WRITTEN (desc->value)
3015 && asan_protect_global (desc->value))
3016 {
3017 asan_add_global (SYMBOL_REF_DECL (XEXP (desc->rtl, 0)),
3018 aascd->type, aascd->v);
3019 }
3020 return 1;
3021 }
3022
3023 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3024 invoke ggc_collect. */
3025 static GTY(()) tree asan_ctor_statements;
3026
3027 /* Module-level instrumentation.
3028 - Insert __asan_init_vN() into the list of CTORs.
3029 - TODO: insert redzones around globals.
3030 */
3031
3032 void
3033 asan_finish_file (void)
3034 {
3035 varpool_node *vnode;
3036 unsigned HOST_WIDE_INT gcount = 0;
3037
3038 if (shadow_ptr_types[0] == NULL_TREE)
3039 asan_init_shadow_ptr_types ();
3040 /* Avoid instrumenting code in the asan ctors/dtors.
3041 We don't need to insert padding after the description strings,
3042 nor after .LASAN* array. */
3043 flag_sanitize &= ~SANITIZE_ADDRESS;
3044
3045 /* For user-space we want asan constructors to run first.
3046 Linux kernel does not support priorities other than default, and the only
3047 other user of constructors is coverage. So we run with the default
3048 priority. */
3049 int priority = flag_sanitize & SANITIZE_USER_ADDRESS
3050 ? MAX_RESERVED_INIT_PRIORITY - 1 : DEFAULT_INIT_PRIORITY;
3051
3052 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3053 {
3054 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_INIT);
3055 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3056 fn = builtin_decl_implicit (BUILT_IN_ASAN_VERSION_MISMATCH_CHECK);
3057 append_to_statement_list (build_call_expr (fn, 0), &asan_ctor_statements);
3058 }
3059 FOR_EACH_DEFINED_VARIABLE (vnode)
3060 if (TREE_ASM_WRITTEN (vnode->decl)
3061 && asan_protect_global (vnode->decl))
3062 ++gcount;
3063 hash_table<tree_descriptor_hasher> *const_desc_htab = constant_pool_htab ();
3064 const_desc_htab->traverse<unsigned HOST_WIDE_INT *, count_string_csts>
3065 (&gcount);
3066 if (gcount)
3067 {
3068 tree type = asan_global_struct (), var, ctor;
3069 tree dtor_statements = NULL_TREE;
3070 vec<constructor_elt, va_gc> *v;
3071 char buf[20];
3072
3073 type = build_array_type_nelts (type, gcount);
3074 ASM_GENERATE_INTERNAL_LABEL (buf, "LASAN", 0);
3075 var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (buf),
3076 type);
3077 TREE_STATIC (var) = 1;
3078 TREE_PUBLIC (var) = 0;
3079 DECL_ARTIFICIAL (var) = 1;
3080 DECL_IGNORED_P (var) = 1;
3081 vec_alloc (v, gcount);
3082 FOR_EACH_DEFINED_VARIABLE (vnode)
3083 if (TREE_ASM_WRITTEN (vnode->decl)
3084 && asan_protect_global (vnode->decl))
3085 asan_add_global (vnode->decl, TREE_TYPE (type), v);
3086 struct asan_add_string_csts_data aascd;
3087 aascd.type = TREE_TYPE (type);
3088 aascd.v = v;
3089 const_desc_htab->traverse<asan_add_string_csts_data *, add_string_csts>
3090 (&aascd);
3091 ctor = build_constructor (type, v);
3092 TREE_CONSTANT (ctor) = 1;
3093 TREE_STATIC (ctor) = 1;
3094 DECL_INITIAL (var) = ctor;
3095 SET_DECL_ALIGN (var, MAX (DECL_ALIGN (var),
3096 ASAN_SHADOW_GRANULARITY * BITS_PER_UNIT));
3097
3098 varpool_node::finalize_decl (var);
3099
3100 tree fn = builtin_decl_implicit (BUILT_IN_ASAN_REGISTER_GLOBALS);
3101 tree gcount_tree = build_int_cst (pointer_sized_int_node, gcount);
3102 append_to_statement_list (build_call_expr (fn, 2,
3103 build_fold_addr_expr (var),
3104 gcount_tree),
3105 &asan_ctor_statements);
3106
3107 fn = builtin_decl_implicit (BUILT_IN_ASAN_UNREGISTER_GLOBALS);
3108 append_to_statement_list (build_call_expr (fn, 2,
3109 build_fold_addr_expr (var),
3110 gcount_tree),
3111 &dtor_statements);
3112 cgraph_build_static_cdtor ('D', dtor_statements, priority);
3113 }
3114 if (asan_ctor_statements)
3115 cgraph_build_static_cdtor ('I', asan_ctor_statements, priority);
3116 flag_sanitize |= SANITIZE_ADDRESS;
3117 }
3118
3119 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3120 on SHADOW address. Newly added statements will be added to ITER with
3121 given location LOC. We mark SIZE bytes in shadow memory, where
3122 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3123 end of a variable. */
3124
3125 static void
3126 asan_store_shadow_bytes (gimple_stmt_iterator *iter, location_t loc,
3127 tree shadow,
3128 unsigned HOST_WIDE_INT base_addr_offset,
3129 bool is_clobber, unsigned size,
3130 unsigned last_chunk_size)
3131 {
3132 tree shadow_ptr_type;
3133
3134 switch (size)
3135 {
3136 case 1:
3137 shadow_ptr_type = shadow_ptr_types[0];
3138 break;
3139 case 2:
3140 shadow_ptr_type = shadow_ptr_types[1];
3141 break;
3142 case 4:
3143 shadow_ptr_type = shadow_ptr_types[2];
3144 break;
3145 default:
3146 gcc_unreachable ();
3147 }
3148
3149 unsigned char c = (char) is_clobber ? ASAN_STACK_MAGIC_USE_AFTER_SCOPE : 0;
3150 unsigned HOST_WIDE_INT val = 0;
3151 unsigned last_pos = size;
3152 if (last_chunk_size && !is_clobber)
3153 last_pos = BYTES_BIG_ENDIAN ? 0 : size - 1;
3154 for (unsigned i = 0; i < size; ++i)
3155 {
3156 unsigned char shadow_c = c;
3157 if (i == last_pos)
3158 shadow_c = last_chunk_size;
3159 val |= (unsigned HOST_WIDE_INT) shadow_c << (BITS_PER_UNIT * i);
3160 }
3161
3162 /* Handle last chunk in unpoisoning. */
3163 tree magic = build_int_cst (TREE_TYPE (shadow_ptr_type), val);
3164
3165 tree dest = build2 (MEM_REF, TREE_TYPE (shadow_ptr_type), shadow,
3166 build_int_cst (shadow_ptr_type, base_addr_offset));
3167
3168 gimple *g = gimple_build_assign (dest, magic);
3169 gimple_set_location (g, loc);
3170 gsi_insert_after (iter, g, GSI_NEW_STMT);
3171 }
3172
3173 /* Expand the ASAN_MARK builtins. */
3174
3175 bool
3176 asan_expand_mark_ifn (gimple_stmt_iterator *iter)
3177 {
3178 gimple *g = gsi_stmt (*iter);
3179 location_t loc = gimple_location (g);
3180 HOST_WIDE_INT flag = tree_to_shwi (gimple_call_arg (g, 0));
3181 bool is_poison = ((asan_mark_flags)flag) == ASAN_MARK_POISON;
3182
3183 tree base = gimple_call_arg (g, 1);
3184 gcc_checking_assert (TREE_CODE (base) == ADDR_EXPR);
3185 tree decl = TREE_OPERAND (base, 0);
3186
3187 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3188 if (TREE_CODE (decl) == COMPONENT_REF
3189 && DECL_NONLOCAL_FRAME (TREE_OPERAND (decl, 0)))
3190 decl = TREE_OPERAND (decl, 0);
3191
3192 gcc_checking_assert (TREE_CODE (decl) == VAR_DECL);
3193
3194 if (is_poison)
3195 {
3196 if (asan_handled_variables == NULL)
3197 asan_handled_variables = new hash_set<tree> (16);
3198 asan_handled_variables->add (decl);
3199 }
3200 tree len = gimple_call_arg (g, 2);
3201
3202 gcc_assert (tree_fits_shwi_p (len));
3203 unsigned HOST_WIDE_INT size_in_bytes = tree_to_shwi (len);
3204 gcc_assert (size_in_bytes);
3205
3206 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3207 NOP_EXPR, base);
3208 gimple_set_location (g, loc);
3209 gsi_replace (iter, g, false);
3210 tree base_addr = gimple_assign_lhs (g);
3211
3212 /* Generate direct emission if size_in_bytes is small. */
3213 if (size_in_bytes <= ASAN_PARAM_USE_AFTER_SCOPE_DIRECT_EMISSION_THRESHOLD)
3214 {
3215 unsigned HOST_WIDE_INT shadow_size = shadow_mem_size (size_in_bytes);
3216
3217 tree shadow = build_shadow_mem_access (iter, loc, base_addr,
3218 shadow_ptr_types[0], true);
3219
3220 for (unsigned HOST_WIDE_INT offset = 0; offset < shadow_size;)
3221 {
3222 unsigned size = 1;
3223 if (shadow_size - offset >= 4)
3224 size = 4;
3225 else if (shadow_size - offset >= 2)
3226 size = 2;
3227
3228 unsigned HOST_WIDE_INT last_chunk_size = 0;
3229 unsigned HOST_WIDE_INT s = (offset + size) * ASAN_SHADOW_GRANULARITY;
3230 if (s > size_in_bytes)
3231 last_chunk_size = ASAN_SHADOW_GRANULARITY - (s - size_in_bytes);
3232
3233 asan_store_shadow_bytes (iter, loc, shadow, offset, is_poison,
3234 size, last_chunk_size);
3235 offset += size;
3236 }
3237 }
3238 else
3239 {
3240 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3241 NOP_EXPR, len);
3242 gimple_set_location (g, loc);
3243 gsi_insert_before (iter, g, GSI_SAME_STMT);
3244 tree sz_arg = gimple_assign_lhs (g);
3245
3246 tree fun
3247 = builtin_decl_implicit (is_poison ? BUILT_IN_ASAN_POISON_STACK_MEMORY
3248 : BUILT_IN_ASAN_UNPOISON_STACK_MEMORY);
3249 g = gimple_build_call (fun, 2, base_addr, sz_arg);
3250 gimple_set_location (g, loc);
3251 gsi_insert_after (iter, g, GSI_NEW_STMT);
3252 }
3253
3254 return false;
3255 }
3256
3257 /* Expand the ASAN_{LOAD,STORE} builtins. */
3258
3259 bool
3260 asan_expand_check_ifn (gimple_stmt_iterator *iter, bool use_calls)
3261 {
3262 gimple *g = gsi_stmt (*iter);
3263 location_t loc = gimple_location (g);
3264 bool recover_p;
3265 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3266 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3267 else
3268 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3269
3270 HOST_WIDE_INT flags = tree_to_shwi (gimple_call_arg (g, 0));
3271 gcc_assert (flags < ASAN_CHECK_LAST);
3272 bool is_scalar_access = (flags & ASAN_CHECK_SCALAR_ACCESS) != 0;
3273 bool is_store = (flags & ASAN_CHECK_STORE) != 0;
3274 bool is_non_zero_len = (flags & ASAN_CHECK_NON_ZERO_LEN) != 0;
3275
3276 tree base = gimple_call_arg (g, 1);
3277 tree len = gimple_call_arg (g, 2);
3278 HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3));
3279
3280 HOST_WIDE_INT size_in_bytes
3281 = is_scalar_access && tree_fits_shwi_p (len) ? tree_to_shwi (len) : -1;
3282
3283 if (use_calls)
3284 {
3285 /* Instrument using callbacks. */
3286 gimple *g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3287 NOP_EXPR, base);
3288 gimple_set_location (g, loc);
3289 gsi_insert_before (iter, g, GSI_SAME_STMT);
3290 tree base_addr = gimple_assign_lhs (g);
3291
3292 int nargs;
3293 tree fun = check_func (is_store, recover_p, size_in_bytes, &nargs);
3294 if (nargs == 1)
3295 g = gimple_build_call (fun, 1, base_addr);
3296 else
3297 {
3298 gcc_assert (nargs == 2);
3299 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3300 NOP_EXPR, len);
3301 gimple_set_location (g, loc);
3302 gsi_insert_before (iter, g, GSI_SAME_STMT);
3303 tree sz_arg = gimple_assign_lhs (g);
3304 g = gimple_build_call (fun, nargs, base_addr, sz_arg);
3305 }
3306 gimple_set_location (g, loc);
3307 gsi_replace (iter, g, false);
3308 return false;
3309 }
3310
3311 HOST_WIDE_INT real_size_in_bytes = size_in_bytes == -1 ? 1 : size_in_bytes;
3312
3313 tree shadow_ptr_type = shadow_ptr_types[real_size_in_bytes == 16 ? 1 : 0];
3314 tree shadow_type = TREE_TYPE (shadow_ptr_type);
3315
3316 gimple_stmt_iterator gsi = *iter;
3317
3318 if (!is_non_zero_len)
3319 {
3320 /* So, the length of the memory area to asan-protect is
3321 non-constant. Let's guard the generated instrumentation code
3322 like:
3323
3324 if (len != 0)
3325 {
3326 //asan instrumentation code goes here.
3327 }
3328 // falltrough instructions, starting with *ITER. */
3329
3330 g = gimple_build_cond (NE_EXPR,
3331 len,
3332 build_int_cst (TREE_TYPE (len), 0),
3333 NULL_TREE, NULL_TREE);
3334 gimple_set_location (g, loc);
3335
3336 basic_block then_bb, fallthrough_bb;
3337 insert_if_then_before_iter (as_a <gcond *> (g), iter,
3338 /*then_more_likely_p=*/true,
3339 &then_bb, &fallthrough_bb);
3340 /* Note that fallthrough_bb starts with the statement that was
3341 pointed to by ITER. */
3342
3343 /* The 'then block' of the 'if (len != 0) condition is where
3344 we'll generate the asan instrumentation code now. */
3345 gsi = gsi_last_bb (then_bb);
3346 }
3347
3348 /* Get an iterator on the point where we can add the condition
3349 statement for the instrumentation. */
3350 basic_block then_bb, else_bb;
3351 gsi = create_cond_insert_point (&gsi, /*before_p*/false,
3352 /*then_more_likely_p=*/false,
3353 /*create_then_fallthru_edge*/recover_p,
3354 &then_bb,
3355 &else_bb);
3356
3357 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3358 NOP_EXPR, base);
3359 gimple_set_location (g, loc);
3360 gsi_insert_before (&gsi, g, GSI_NEW_STMT);
3361 tree base_addr = gimple_assign_lhs (g);
3362
3363 tree t = NULL_TREE;
3364 if (real_size_in_bytes >= 8)
3365 {
3366 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3367 shadow_ptr_type);
3368 t = shadow;
3369 }
3370 else
3371 {
3372 /* Slow path for 1, 2 and 4 byte accesses. */
3373 /* Test (shadow != 0)
3374 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
3375 tree shadow = build_shadow_mem_access (&gsi, loc, base_addr,
3376 shadow_ptr_type);
3377 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3378 gimple_seq seq = NULL;
3379 gimple_seq_add_stmt (&seq, shadow_test);
3380 /* Aligned (>= 8 bytes) can test just
3381 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
3382 to be 0. */
3383 if (align < 8)
3384 {
3385 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3386 base_addr, 7));
3387 gimple_seq_add_stmt (&seq,
3388 build_type_cast (shadow_type,
3389 gimple_seq_last (seq)));
3390 if (real_size_in_bytes > 1)
3391 gimple_seq_add_stmt (&seq,
3392 build_assign (PLUS_EXPR,
3393 gimple_seq_last (seq),
3394 real_size_in_bytes - 1));
3395 t = gimple_assign_lhs (gimple_seq_last_stmt (seq));
3396 }
3397 else
3398 t = build_int_cst (shadow_type, real_size_in_bytes - 1);
3399 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR, t, shadow));
3400 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3401 gimple_seq_last (seq)));
3402 t = gimple_assign_lhs (gimple_seq_last (seq));
3403 gimple_seq_set_location (seq, loc);
3404 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3405
3406 /* For non-constant, misaligned or otherwise weird access sizes,
3407 check first and last byte. */
3408 if (size_in_bytes == -1)
3409 {
3410 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3411 MINUS_EXPR, len,
3412 build_int_cst (pointer_sized_int_node, 1));
3413 gimple_set_location (g, loc);
3414 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3415 tree last = gimple_assign_lhs (g);
3416 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
3417 PLUS_EXPR, base_addr, last);
3418 gimple_set_location (g, loc);
3419 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3420 tree base_end_addr = gimple_assign_lhs (g);
3421
3422 tree shadow = build_shadow_mem_access (&gsi, loc, base_end_addr,
3423 shadow_ptr_type);
3424 gimple *shadow_test = build_assign (NE_EXPR, shadow, 0);
3425 gimple_seq seq = NULL;
3426 gimple_seq_add_stmt (&seq, shadow_test);
3427 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR,
3428 base_end_addr, 7));
3429 gimple_seq_add_stmt (&seq, build_type_cast (shadow_type,
3430 gimple_seq_last (seq)));
3431 gimple_seq_add_stmt (&seq, build_assign (GE_EXPR,
3432 gimple_seq_last (seq),
3433 shadow));
3434 gimple_seq_add_stmt (&seq, build_assign (BIT_AND_EXPR, shadow_test,
3435 gimple_seq_last (seq)));
3436 gimple_seq_add_stmt (&seq, build_assign (BIT_IOR_EXPR, t,
3437 gimple_seq_last (seq)));
3438 t = gimple_assign_lhs (gimple_seq_last (seq));
3439 gimple_seq_set_location (seq, loc);
3440 gsi_insert_seq_after (&gsi, seq, GSI_CONTINUE_LINKING);
3441 }
3442 }
3443
3444 g = gimple_build_cond (NE_EXPR, t, build_int_cst (TREE_TYPE (t), 0),
3445 NULL_TREE, NULL_TREE);
3446 gimple_set_location (g, loc);
3447 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3448
3449 /* Generate call to the run-time library (e.g. __asan_report_load8). */
3450 gsi = gsi_start_bb (then_bb);
3451 int nargs;
3452 tree fun = report_error_func (is_store, recover_p, size_in_bytes, &nargs);
3453 g = gimple_build_call (fun, nargs, base_addr, len);
3454 gimple_set_location (g, loc);
3455 gsi_insert_after (&gsi, g, GSI_NEW_STMT);
3456
3457 gsi_remove (iter, true);
3458 *iter = gsi_start_bb (else_bb);
3459
3460 return true;
3461 }
3462
3463 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
3464 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
3465
3466 static tree
3467 create_asan_shadow_var (tree var_decl,
3468 hash_map<tree, tree> &shadow_vars_mapping)
3469 {
3470 tree *slot = shadow_vars_mapping.get (var_decl);
3471 if (slot == NULL)
3472 {
3473 tree shadow_var = copy_node (var_decl);
3474
3475 copy_body_data id;
3476 memset (&id, 0, sizeof (copy_body_data));
3477 id.src_fn = id.dst_fn = current_function_decl;
3478 copy_decl_for_dup_finish (&id, var_decl, shadow_var);
3479
3480 DECL_ARTIFICIAL (shadow_var) = 1;
3481 DECL_IGNORED_P (shadow_var) = 1;
3482 DECL_SEEN_IN_BIND_EXPR_P (shadow_var) = 0;
3483 gimple_add_tmp_var (shadow_var);
3484
3485 shadow_vars_mapping.put (var_decl, shadow_var);
3486 return shadow_var;
3487 }
3488 else
3489 return *slot;
3490 }
3491
3492 /* Expand ASAN_POISON ifn. */
3493
3494 bool
3495 asan_expand_poison_ifn (gimple_stmt_iterator *iter,
3496 bool *need_commit_edge_insert,
3497 hash_map<tree, tree> &shadow_vars_mapping)
3498 {
3499 gimple *g = gsi_stmt (*iter);
3500 tree poisoned_var = gimple_call_lhs (g);
3501 if (!poisoned_var || has_zero_uses (poisoned_var))
3502 {
3503 gsi_remove (iter, true);
3504 return true;
3505 }
3506
3507 if (SSA_NAME_VAR (poisoned_var) == NULL_TREE)
3508 SET_SSA_NAME_VAR_OR_IDENTIFIER (poisoned_var,
3509 create_tmp_var (TREE_TYPE (poisoned_var)));
3510
3511 tree shadow_var = create_asan_shadow_var (SSA_NAME_VAR (poisoned_var),
3512 shadow_vars_mapping);
3513
3514 bool recover_p;
3515 if (flag_sanitize & SANITIZE_USER_ADDRESS)
3516 recover_p = (flag_sanitize_recover & SANITIZE_USER_ADDRESS) != 0;
3517 else
3518 recover_p = (flag_sanitize_recover & SANITIZE_KERNEL_ADDRESS) != 0;
3519 tree size = DECL_SIZE_UNIT (shadow_var);
3520 gimple *poison_call
3521 = gimple_build_call_internal (IFN_ASAN_MARK, 3,
3522 build_int_cst (integer_type_node,
3523 ASAN_MARK_POISON),
3524 build_fold_addr_expr (shadow_var), size);
3525
3526 gimple *use;
3527 imm_use_iterator imm_iter;
3528 FOR_EACH_IMM_USE_STMT (use, imm_iter, poisoned_var)
3529 {
3530 if (is_gimple_debug (use))
3531 continue;
3532
3533 int nargs;
3534 bool store_p = gimple_call_internal_p (use, IFN_ASAN_POISON_USE);
3535 tree fun = report_error_func (store_p, recover_p, tree_to_uhwi (size),
3536 &nargs);
3537
3538 gcall *call = gimple_build_call (fun, 1,
3539 build_fold_addr_expr (shadow_var));
3540 gimple_set_location (call, gimple_location (use));
3541 gimple *call_to_insert = call;
3542
3543 /* The USE can be a gimple PHI node. If so, insert the call on
3544 all edges leading to the PHI node. */
3545 if (is_a <gphi *> (use))
3546 {
3547 gphi *phi = dyn_cast<gphi *> (use);
3548 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
3549 if (gimple_phi_arg_def (phi, i) == poisoned_var)
3550 {
3551 edge e = gimple_phi_arg_edge (phi, i);
3552
3553 /* Do not insert on an edge we can't split. */
3554 if (e->flags & EDGE_ABNORMAL)
3555 continue;
3556
3557 if (call_to_insert == NULL)
3558 call_to_insert = gimple_copy (call);
3559
3560 gsi_insert_seq_on_edge (e, call_to_insert);
3561 *need_commit_edge_insert = true;
3562 call_to_insert = NULL;
3563 }
3564 }
3565 else
3566 {
3567 gimple_stmt_iterator gsi = gsi_for_stmt (use);
3568 if (store_p)
3569 gsi_replace (&gsi, call, true);
3570 else
3571 gsi_insert_before (&gsi, call, GSI_NEW_STMT);
3572 }
3573 }
3574
3575 SSA_NAME_IS_DEFAULT_DEF (poisoned_var) = true;
3576 SSA_NAME_DEF_STMT (poisoned_var) = gimple_build_nop ();
3577 gsi_replace (iter, poison_call, false);
3578
3579 return true;
3580 }
3581
3582 /* Instrument the current function. */
3583
3584 static unsigned int
3585 asan_instrument (void)
3586 {
3587 if (shadow_ptr_types[0] == NULL_TREE)
3588 asan_init_shadow_ptr_types ();
3589 transform_statements ();
3590 last_alloca_addr = NULL_TREE;
3591 return 0;
3592 }
3593
3594 static bool
3595 gate_asan (void)
3596 {
3597 return sanitize_flags_p (SANITIZE_ADDRESS);
3598 }
3599
3600 namespace {
3601
3602 const pass_data pass_data_asan =
3603 {
3604 GIMPLE_PASS, /* type */
3605 "asan", /* name */
3606 OPTGROUP_NONE, /* optinfo_flags */
3607 TV_NONE, /* tv_id */
3608 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3609 0, /* properties_provided */
3610 0, /* properties_destroyed */
3611 0, /* todo_flags_start */
3612 TODO_update_ssa, /* todo_flags_finish */
3613 };
3614
3615 class pass_asan : public gimple_opt_pass
3616 {
3617 public:
3618 pass_asan (gcc::context *ctxt)
3619 : gimple_opt_pass (pass_data_asan, ctxt)
3620 {}
3621
3622 /* opt_pass methods: */
3623 opt_pass * clone () { return new pass_asan (m_ctxt); }
3624 virtual bool gate (function *) { return gate_asan (); }
3625 virtual unsigned int execute (function *) { return asan_instrument (); }
3626
3627 }; // class pass_asan
3628
3629 } // anon namespace
3630
3631 gimple_opt_pass *
3632 make_pass_asan (gcc::context *ctxt)
3633 {
3634 return new pass_asan (ctxt);
3635 }
3636
3637 namespace {
3638
3639 const pass_data pass_data_asan_O0 =
3640 {
3641 GIMPLE_PASS, /* type */
3642 "asan0", /* name */
3643 OPTGROUP_NONE, /* optinfo_flags */
3644 TV_NONE, /* tv_id */
3645 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
3646 0, /* properties_provided */
3647 0, /* properties_destroyed */
3648 0, /* todo_flags_start */
3649 TODO_update_ssa, /* todo_flags_finish */
3650 };
3651
3652 class pass_asan_O0 : public gimple_opt_pass
3653 {
3654 public:
3655 pass_asan_O0 (gcc::context *ctxt)
3656 : gimple_opt_pass (pass_data_asan_O0, ctxt)
3657 {}
3658
3659 /* opt_pass methods: */
3660 virtual bool gate (function *) { return !optimize && gate_asan (); }
3661 virtual unsigned int execute (function *) { return asan_instrument (); }
3662
3663 }; // class pass_asan_O0
3664
3665 } // anon namespace
3666
3667 gimple_opt_pass *
3668 make_pass_asan_O0 (gcc::context *ctxt)
3669 {
3670 return new pass_asan_O0 (ctxt);
3671 }
3672
3673 #include "gt-asan.h"