| blob | ebf806cffb64556a10091e492c8723d58584d749 |
1 /* AddressSanitizer, a fast memory error detector.
2 Copyright (C) 2012-2025 Free Software Foundation, Inc.
3 Contributed by Kostya Serebryany <kcc@google.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
69 /* AddressSanitizer finds out-of-bounds and use-after-free bugs
70 with <2x slowdown on average.
72 The tool consists of two parts:
73 instrumentation module (this file) and a run-time library.
74 The instrumentation module adds a run-time check before every memory insn.
75 For a 8- or 16- byte load accessing address X:
76 ShadowAddr = (X >> 3) + Offset
77 ShadowValue = *(char*)ShadowAddr; // *(short*) for 16-byte access.
78 if (ShadowValue)
79 __asan_report_load8(X);
80 For a load of N bytes (N=1, 2 or 4) from address X:
81 ShadowAddr = (X >> 3) + Offset
82 ShadowValue = *(char*)ShadowAddr;
83 if (ShadowValue)
84 if ((X & 7) + N - 1 > ShadowValue)
85 __asan_report_loadN(X);
86 Stores are instrumented similarly, but using __asan_report_storeN functions.
87 A call too __asan_init_vN() is inserted to the list of module CTORs.
88 N is the version number of the AddressSanitizer API. The changes between the
89 API versions are listed in libsanitizer/asan/asan_interface_internal.h.
91 The run-time library redefines malloc (so that redzone are inserted around
92 the allocated memory) and free (so that reuse of free-ed memory is delayed),
93 provides __asan_report* and __asan_init_vN functions.
95 Read more:
96 http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
98 The current implementation supports detection of out-of-bounds and
99 use-after-free in the heap, on the stack and for global variables.
101 [Protection of stack variables]
103 To understand how detection of out-of-bounds and use-after-free works
104 for stack variables, lets look at this example on x86_64 where the
105 stack grows downward:
107 int
108 foo ()
109 {
110 char a[24] = {0};
111 int b[2] = {0};
113 a[5] = 1;
114 b[1] = 2;
116 return a[5] + b[1];
117 }
119 For this function, the stack protected by asan will be organized as
120 follows, from the top of the stack to the bottom:
122 Slot 1/ [red zone of 32 bytes called 'RIGHT RedZone']
124 Slot 2/ [8 bytes of red zone, that adds up to the space of 'a' to make
125 the next slot be 32 bytes aligned; this one is called Partial
126 Redzone; this 32 bytes alignment is an asan constraint]
128 Slot 3/ [24 bytes for variable 'a']
130 Slot 4/ [red zone of 32 bytes called 'Middle RedZone']
132 Slot 5/ [24 bytes of Partial Red Zone (similar to slot 2]
134 Slot 6/ [8 bytes for variable 'b']
136 Slot 7/ [32 bytes of Red Zone at the bottom of the stack, called
137 'LEFT RedZone']
139 The 32 bytes of LEFT red zone at the bottom of the stack can be
140 decomposed as such:
142 1/ The first 8 bytes contain a magical asan number that is always
143 0x41B58AB3.
145 2/ The following 8 bytes contains a pointer to a string (to be
146 parsed at runtime by the runtime asan library), which format is
147 the following:
149 "<function-name> <space> <num-of-variables-on-the-stack>
150 (<32-bytes-aligned-offset-in-bytes-of-variable> <space>
151 <length-of-var-in-bytes> ){n} "
153 where '(...){n}' means the content inside the parenthesis occurs 'n'
154 times, with 'n' being the number of variables on the stack.
156 3/ The following 8 bytes contain the PC of the current function which
157 will be used by the run-time library to print an error message.
159 4/ The following 8 bytes are reserved for internal use by the run-time.
161 The shadow memory for that stack layout is going to look like this:
163 - content of shadow memory 8 bytes for slot 7: 0xF1F1F1F1.
164 The F1 byte pattern is a magic number called
165 ASAN_STACK_MAGIC_LEFT and is a way for the runtime to know that
166 the memory for that shadow byte is part of a the LEFT red zone
167 intended to seat at the bottom of the variables on the stack.
169 - content of shadow memory 8 bytes for slots 6 and 5:
170 0xF4F4F400. The F4 byte pattern is a magic number
171 called ASAN_STACK_MAGIC_PARTIAL. It flags the fact that the
172 memory region for this shadow byte is a PARTIAL red zone
173 intended to pad a variable A, so that the slot following
174 {A,padding} is 32 bytes aligned.
176 Note that the fact that the least significant byte of this
177 shadow memory content is 00 means that 8 bytes of its
178 corresponding memory (which corresponds to the memory of
179 variable 'b') is addressable.
181 - content of shadow memory 8 bytes for slot 4: 0xF2F2F2F2.
182 The F2 byte pattern is a magic number called
183 ASAN_STACK_MAGIC_MIDDLE. It flags the fact that the memory
184 region for this shadow byte is a MIDDLE red zone intended to
185 seat between two 32 aligned slots of {variable,padding}.
187 - content of shadow memory 8 bytes for slot 3 and 2:
188 0xF4000000. This represents is the concatenation of
189 variable 'a' and the partial red zone following it, like what we
190 had for variable 'b'. The least significant 3 bytes being 00
191 means that the 3 bytes of variable 'a' are addressable.
193 - content of shadow memory 8 bytes for slot 1: 0xF3F3F3F3.
194 The F3 byte pattern is a magic number called
195 ASAN_STACK_MAGIC_RIGHT. It flags the fact that the memory
196 region for this shadow byte is a RIGHT red zone intended to seat
197 at the top of the variables of the stack.
199 Note that the real variable layout is done in expand_used_vars in
200 cfgexpand.cc. As far as Address Sanitizer is concerned, it lays out
201 stack variables as well as the different red zones, emits some
202 prologue code to populate the shadow memory as to poison (mark as
203 non-accessible) the regions of the red zones and mark the regions of
204 stack variables as accessible, and emit some epilogue code to
205 un-poison (mark as accessible) the regions of red zones right before
206 the function exits.
208 [Protection of global variables]
210 The basic idea is to insert a red zone between two global variables
211 and install a constructor function that calls the asan runtime to do
212 the populating of the relevant shadow memory regions at load time.
214 So the global variables are laid out as to insert a red zone between
215 them. The size of the red zones is so that each variable starts on a
216 32 bytes boundary.
218 Then a constructor function is installed so that, for each global
219 variable, it calls the runtime asan library function
220 __asan_register_globals_with an instance of this type:
222 struct __asan_global
223 {
224 // Address of the beginning of the global variable.
225 const void *__beg;
227 // Initial size of the global variable.
228 uptr __size;
230 // Size of the global variable + size of the red zone. This
231 // size is 32 bytes aligned.
232 uptr __size_with_redzone;
234 // Name of the global variable.
235 const void *__name;
237 // Name of the module where the global variable is declared.
238 const void *__module_name;
240 // 1 if it has dynamic initialization, 0 otherwise.
241 uptr __has_dynamic_init;
243 // A pointer to struct that contains source location, could be NULL.
244 __asan_global_source_location *__location;
245 }
247 A destructor function that calls the runtime asan library function
248 _asan_unregister_globals is also installed. */
255 /* Set of variable declarations that are going to be guarded by
256 use-after-scope sanitizer. */
262 /* Global variables for HWASAN stack tagging. */
263 /* hwasan_frame_tag_offset records the offset from the frame base tag that the
264 next object should have. */
266 /* hwasan_frame_base_ptr is a pointer with the same address as
267 `virtual_stack_vars_rtx` for the current frame, and with the frame base tag
268 stored in it. N.b. this global RTX does not need to be marked GTY, but is
269 done so anyway. The need is not there since all uses are in just one pass
270 (cfgexpand) and there are no calls to ggc_collect between the uses. We mark
271 it GTY(()) anyway to allow the use of the variable later on if needed by
272 future features. */
274 /* hwasan_frame_base_init_seq is the sequence of RTL insns that will initialize
275 the hwasan_frame_base_ptr. When the hwasan_frame_base_ptr is requested, we
276 generate this sequence but do not emit it. If the sequence was created it
277 is emitted once the function body has been expanded.
279 This delay is because the frame base pointer may be needed anywhere in the
280 function body, or needed by the expand_used_vars function. Emitting once in
281 a known place is simpler than requiring the emission of the instructions to
282 be know where it should go depending on the first place the hwasan frame
283 base is needed. */
286 /* Structure defining the extent of one object on the stack that HWASAN needs
287 to tag in the corresponding shadow stack space.
289 The range this object spans on the stack is between `untagged_base +
290 nearest_offset` and `untagged_base + farthest_offset`.
291 `tagged_base` is an rtx containing the same value as `untagged_base` but
292 with a random tag stored in the top byte. We record both `untagged_base`
293 and `tagged_base` so that `hwasan_emit_prologue` can use both without having
294 to emit RTL into the instruction stream to re-calculate one from the other.
295 (`hwasan_emit_prologue` needs to use both bases since the
296 __hwasan_tag_memory call it emits uses an untagged value, and it calculates
297 the tag to store in shadow memory based on the tag_offset plus the tag in
298 tagged_base). */
299 struct hwasan_stack_var
300 {
301 rtx untagged_base;
302 rtx tagged_base;
303 poly_int64 nearest_offset;
304 poly_int64 farthest_offset;
306 };
308 /* Variable recording all stack variables that HWASAN needs to tag.
309 Does not need to be marked as GTY(()) since every use is in the cfgexpand
310 pass and gcc_collect is not called in the middle of that pass. */
314 /* Sets shadow offset to value in string VAL. */
316 bool
318 {
322 #ifdef HAVE_LONG_LONG
324 #else
326 #endif
333 }
335 /* Set list of user-defined sections that need to be sanitized. */
337 void
339 {
347 {
353 }
354 }
356 bool
358 {
361 }
363 bool
365 {
367 }
369 bool
371 {
373 }
375 bool
377 {
379 }
381 bool
383 {
385 }
387 bool
389 {
391 }
394 /* Support for --param asan-kernel-mem-intrinsic-prefix=1. */
397 rtx
399 {
405 {
410 }
412 {
418 else
429 }
431 }
434 /* Checks whether section SEC should be sanitized. */
436 static bool
438 {
445 }
447 /* Returns Asan shadow offset. */
449 static unsigned HOST_WIDE_INT
451 {
453 {
456 }
458 }
460 static bool
462 {
465 }
467 /* Returns Asan shadow offset has been set. */
468 bool
470 {
472 }
476 /* Pointer types to 1, 2 or 4 byte integers in shadow memory. A separate
477 alias set is used for all shadow memory accesses. */
480 /* Decl for __asan_option_detect_stack_use_after_return. */
485 /* Local copy for the asan_shadow_memory_dynamic_address within the
486 function. */
489 static tree
491 {
493 {
496 decl
507 }
510 }
512 void
514 {
530 }
532 /* Hashtable support for memory references used by gimple
533 statements. */
535 /* This type represents a reference to a memory region. */
536 struct asan_mem_ref
537 {
538 /* The expression of the beginning of the memory region. */
539 tree start;
541 /* The size of the access. */
542 HOST_WIDE_INT access_size;
543 };
547 /* Initializes an instance of asan_mem_ref. */
549 static void
551 {
554 }
556 /* Allocates memory for an instance of asan_mem_ref into the memory
557 pool returned by asan_mem_ref_get_alloc_pool and initialize it.
558 START is the address of (or the expression pointing to) the
559 beginning of memory reference. ACCESS_SIZE is the size of the
560 access to the referenced memory. */
564 {
569 }
571 /* This builds and returns a pointer to the end of the memory region
572 that starts at START and of length LEN. */
574 tree
576 {
584 }
586 /* Return a tree expression that represents the end of the referenced
587 memory region. Beware that this function can actually build a new
588 tree expression. */
590 tree
592 {
594 }
597 {
600 };
602 /* Hash a memory reference. */
604 inline hashval_t
606 {
608 }
610 /* Compare two memory references. We accept the length of either
611 memory references to be NULL_TREE. */
616 {
618 }
622 /* Returns a reference to the hash table containing memory references.
623 This function ensures that the hash table is created. Note that
624 this hash table is updated by the function
625 update_mem_ref_hash_table. */
629 {
634 }
636 /* Clear all entries from the memory references hash table. */
638 static void
640 {
643 }
645 /* Free the memory references hash table. */
647 static void
649 {
654 }
656 /* Return true iff the memory reference REF has been instrumented. */
658 static bool
660 {
661 asan_mem_ref r;
666 }
668 /* Return true iff the memory reference REF has been instrumented. */
670 static bool
672 {
674 }
676 /* Return true iff access to memory region starting at REF and of
677 length LEN has been instrumented. */
679 static bool
681 {
682 HOST_WIDE_INT size_in_bytes
687 }
689 /* Set REF to the memory reference present in a gimple assignment
690 ASSIGNMENT. Return true upon successful completion, false
691 otherwise. */
693 static bool
697 {
702 {
705 }
707 {
710 }
711 else
716 }
718 /* Return address of last allocated dynamic alloca. */
720 static tree
722 {
731 }
733 /* Insert __asan_allocas_unpoison (top, bottom) call before
734 __builtin_stack_restore (new_sp) call.
735 The pseudocode of this routine should look like this:
736 top = last_alloca_addr;
737 bot = new_sp;
738 __asan_allocas_unpoison (top, bot);
739 last_alloca_addr = new_sp;
740 __builtin_stack_restore (new_sp);
741 In general, we can't use new_sp as bot parameter because on some
742 architectures SP has non zero offset from dynamic stack area. Moreover, on
743 some architectures this offset (STACK_DYNAMIC_OFFSET) becomes known for each
744 particular function only after all callees were expanded to rtl.
745 The most noticeable example is PowerPC{,64}, see
746 http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#DYNAM-STACK.
747 To overcome the issue we use following trick: pass new_sp as a second
748 parameter to __asan_allocas_unpoison and rewrite it during expansion with
749 new_sp + (virtual_dynamic_stack_rtx - sp) later in
750 expand_asan_emit_allocas_unpoison function.
752 HWASAN needs to do very similar, the eventual pseudocode should be:
753 __hwasan_tag_memory (virtual_stack_dynamic_rtx,
754 0,
755 new_sp - sp);
756 __builtin_stack_restore (new_sp)
758 Need to use the same trick to handle STACK_DYNAMIC_OFFSET as described
759 above. */
761 static void
763 {
773 {
775 /* There is only one piece of information `expand_HWASAN_ALLOCA_UNPOISON`
776 needs to work. This is the length of the area that we're
777 deallocating. Since the stack pointer is known at expand time, the
778 position of the new stack pointer after deallocation is enough
779 information to calculate this length. */
781 }
782 else
783 {
789 }
792 }
794 /* Deploy and poison redzones around __builtin_alloca call. To do this, we
795 should replace this call with another one with changed parameters and
796 replace all its uses with new address, so
797 addr = __builtin_alloca (old_size, align);
798 is replaced by
799 left_redzone_size = max (align, ASAN_RED_ZONE_SIZE);
800 Following two statements are optimized out if we know that
801 old_size & (ASAN_RED_ZONE_SIZE - 1) == 0, i.e. alloca doesn't need partial
802 redzone.
803 misalign = old_size & (ASAN_RED_ZONE_SIZE - 1);
804 partial_redzone_size = ASAN_RED_ZONE_SIZE - misalign;
805 right_redzone_size = ASAN_RED_ZONE_SIZE;
806 additional_size = left_redzone_size + partial_redzone_size +
807 right_redzone_size;
808 new_size = old_size + additional_size;
809 new_alloca = __builtin_alloca (new_size, max (align, 32))
810 __asan_alloca_poison (new_alloca, old_size)
811 addr = new_alloca + max (align, ASAN_RED_ZONE_SIZE);
812 last_alloca_addr = new_alloca;
813 ADDITIONAL_SIZE is added to make new memory allocation contain not only
814 requested memory, but also left, partial and right redzones as well as some
815 additional space, required by alignment. */
817 static void
819 {
831 unsigned int align
838 {
843 }
846 {
849 /*
850 HWASAN needs a different expansion.
852 addr = __builtin_alloca (size, align);
854 should be replaced by
856 new_size = size rounded up to HWASAN_TAG_GRANULE_SIZE byte alignment;
857 untagged_addr = __builtin_alloca (new_size, align);
858 tag = __hwasan_choose_alloca_tag ();
859 addr = ifn_HWASAN_SET_TAG (untagged_addr, tag);
860 __hwasan_tag_memory (untagged_addr, tag, new_size);
861 */
862 /* Ensure alignment at least HWASAN_TAG_GRANULE_SIZE bytes so we start on
863 a tag granule. */
868 old_size,
869 HWASAN_TAG_GRANULE_SIZE);
871 /* Make the alloca call */
872 tree untagged_addr
877 /* Choose the tag.
878 Here we use an internal function so we can choose the tag at expand
879 time. We need the decision to be made after stack variables have been
880 assigned their tag (i.e. once the hwasan_frame_tag_offset variable has
881 been set to one after the last stack variables tag). */
883 unsigned_char_type_node);
885 /* Add tag to pointer. */
886 tree addr
890 /* Tag shadow memory.
891 NOTE: require using `untagged_addr` here for libhwasan API. */
895 /* Insert the built up code sequence into the original instruction stream
896 the iterator points to. */
899 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
902 }
907 /* If ALIGN > ASAN_RED_ZONE_SIZE, we embed left redzone into first ALIGN
908 bytes of allocated space. Otherwise, align alloca to ASAN_RED_ZONE_SIZE
909 manually. */
915 /* Extract lower bits from old_size. */
917 wide_int rz_mask
921 /* If alloca size is aligned to ASAN_RED_ZONE_SIZE, we don't need partial
922 redzone. Otherwise, compute its size here. */
924 {
925 /* misalign = size & (ASAN_RED_ZONE_SIZE - 1)
926 partial_size = ASAN_RED_ZONE_SIZE - misalign. */
935 }
937 /* additional_size = align + ASAN_RED_ZONE_SIZE. */
940 /* If alloca has partial redzone, include it to additional_size too. */
942 {
943 /* additional_size += partial_size. */
948 }
950 /* new_size = old_size + additional_size. */
952 additional_size);
956 /* Build new __builtin_alloca call:
957 new_alloca_with_rz = __builtin_alloca (new_size, align). */
964 {
967 }
968 else
971 /* new_alloca = new_alloca_with_rz + align. */
973 new_alloca_with_rz,
978 {
981 }
982 else
986 /* Poison newly created alloca redzones:
987 __asan_alloca_poison (new_alloca, old_size). */
992 else
995 /* Save new_alloca_with_rz value into last_alloca to use it during
996 allocas unpoisoning. */
1000 else
1003 /* Finally, replace old alloca ptr with NEW_ALLOCA. */
1005 {
1008 }
1009 else
1011 }
1013 /* Return the memory references contained in a gimple statement
1014 representing a builtin call that has to do with memory access. */
1016 static bool
1030 {
1042 {
1043 /* (s, s, n) style memops. */
1051 /* (src, dest, n) style memops. */
1058 /* (dest, src, n) style memops. */
1070 /* (dest, n) style memops. */
1076 /* (dest, x, n) style memops*/
1084 /* Special case strlen here since its length is taken from its return
1085 value.
1087 The approach taken by the sanitizers is to check a memory access
1088 before it's taken. For ASAN strlen is intercepted by libasan, so no
1089 check is inserted by the compiler.
1091 This function still returns `true` and provides a length to the rest
1092 of the ASAN pass in order to record what areas have been checked,
1093 avoiding superfluous checks later on.
1095 HWASAN does not intercept any of these internal functions.
1096 This means that checks for memory accesses must be inserted by the
1097 compiler.
1098 strlen is a special case, because we can tell the length from the
1099 return of the function, but that is not known until after the function
1100 has returned.
1102 Hence we can't check the memory access before it happens.
1103 We could check the memory access after it has already happened, but
1104 for now we choose to just ignore `strlen` calls.
1105 This decision was simply made because that means the special case is
1106 limited to this one case of this one function. */
1117 CASE_BUILT_IN_ALLOCA:
1120 /* And now the __atomic* and __sync builtins.
1121 These are handled differently from the classical memory
1122 access builtins above. */
1126 /* FALLTHRU */
1163 /* FALLTHRU */
1200 /* FALLTHRU */
1237 /* FALLTHRU */
1274 /* FALLTHRU */
1307 /* FALLTHRU */
1308 do_atomic:
1309 {
1311 /* DEST represents the address of a memory location.
1312 instrument_derefs wants the memory location, so lets
1313 dereference the address DEST before handing it to
1314 instrument_derefs. */
1320 }
1323 /* The other builtins memory access are not instrumented in this
1324 function because they either don't have any length parameter,
1325 or their length parameter is just a limit. */
1327 }
1330 {
1332 {
1337 }
1340 {
1345 }
1348 {
1353 }
1356 }
1358 {
1365 }
1368 }
1370 /* Return true iff a given gimple statement has been instrumented.
1371 Note that the statement is "defined" by the memory references it
1372 contains. */
1374 static bool
1376 {
1378 {
1380 asan_mem_ref r;
1385 {
1389 {
1390 asan_mem_ref src;
1396 }
1398 }
1399 }
1401 {
1415 {
1429 }
1430 }
1437 {
1438 asan_mem_ref r;
1444 }
1447 }
1449 /* Insert a memory reference into the hash table. */
1451 static void
1453 {
1456 asan_mem_ref r;
1462 }
1464 /* Initialize shadow_ptr_types array. */
1466 static void
1468 {
1471 integer_type_node };
1474 {
1478 }
1481 }
1483 /* Create ADDR_EXPR of STRING_CST with the PP pretty printer text. */
1485 static tree
1487 {
1497 }
1499 /* Clear shadow memory at SHADOW_MEM, LEN bytes. Can't call a library call here
1500 though. */
1502 static void
1504 {
1518 {
1521 }
1540 }
1542 void
1544 {
1546 }
1548 /* Return number of shadow bytes that are occupied by a local variable
1549 of SIZE bytes. */
1551 static unsigned HOST_WIDE_INT
1553 {
1554 /* It must be possible to align stack variables to granularity
1555 of shadow memory. */
1560 }
1562 /* Always emit 4 bytes at a time. */
1563 #define RZ_BUFFER_SIZE 4
1565 /* ASAN redzone buffer container that handles emission of shadow bytes. */
1566 class asan_redzone_buffer
1567 {
1569 /* Constructor. */
1573 {}
1575 /* Emit VALUE shadow byte at a given OFFSET. */
1578 /* Emit RTX emission of the content of the buffer. */
1582 /* Flush if the content of the buffer is full
1583 (equal to RZ_BUFFER_SIZE). */
1586 /* Memory where we last emitted a redzone payload. */
1587 rtx m_shadow_mem;
1589 /* Relative offset where we last emitted a redzone payload. */
1590 HOST_WIDE_INT m_prev_offset;
1592 /* Relative original offset. Used for checking only. */
1593 HOST_WIDE_INT m_original_offset;
1596 /* Buffer with redzone payload. */
1598 };
1600 /* Emit VALUE shadow byte at a given OFFSET. */
1602 void
1605 {
1609 HOST_WIDE_INT off
1616 {
1617 /* Shadow memory byte with a small gap. */
1620 }
1621 else
1622 {
1626 /* Maybe start earlier in order to use aligned store. */
1629 {
1633 }
1635 /* Adjust m_prev_offset and m_shadow_mem. */
1640 }
1643 }
1645 /* Emit RTX emission of the content of the buffer. */
1647 void
1649 {
1655 /* Be sure we always emit to an aligned address. */
1659 /* Fill it to RZ_BUFFER_SIZE bytes with zeros if needed. */
1670 {
1671 unsigned char v
1676 }
1685 }
1687 /* Flush if the content of the buffer is full
1688 (equal to RZ_BUFFER_SIZE). */
1690 void
1692 {
1695 }
1698 /* HWAddressSanitizer (hwasan) is a probabilistic method for detecting
1699 out-of-bounds and use-after-free bugs.
1700 Read more:
1701 http://code.google.com/p/address-sanitizer/
1703 Similar to AddressSanitizer (asan) it consists of two parts: the
1704 instrumentation module in this file, and a run-time library.
1706 The instrumentation module adds a run-time check before every memory insn in
1707 the same manner as asan (see the block comment for AddressSanitizer above).
1708 Currently, hwasan only adds out-of-line instrumentation, where each check is
1709 implemented as a function call to the run-time library. Hence a check for a
1710 load of N bytes from address X would be implemented with a function call to
1711 __hwasan_loadN(X), and checking a store of N bytes from address X would be
1712 implemented with a function call to __hwasan_storeN(X).
1714 The main difference between hwasan and asan is in the information stored to
1715 help this checking. Both sanitizers use a shadow memory area which stores
1716 data recording the state of main memory at a corresponding address.
1718 For hwasan, each 16 byte granule in main memory has a corresponding 1 byte
1719 in shadow memory. This shadow address can be calculated with equation:
1720 (addr >> log_2(HWASAN_TAG_GRANULE_SIZE))
1721 + __hwasan_shadow_memory_dynamic_address;
1722 The conversion between real and shadow memory for asan is given in the block
1723 comment at the top of this file.
1724 The description of how this shadow memory is laid out for asan is in the
1725 block comment at the top of this file, here we describe how this shadow
1726 memory is used for hwasan.
1728 For hwasan, each variable is assigned a byte-sized 'tag'. The extent of
1729 the shadow memory for that variable is filled with the assigned tag, and
1730 every pointer referencing that variable has its top byte set to the same
1731 tag. The run-time library redefines malloc so that every allocation returns
1732 a tagged pointer and tags the corresponding shadow memory with the same tag.
1734 On each pointer dereference the tag found in the pointer is compared to the
1735 tag found in the shadow memory corresponding to the accessed memory address.
1736 If these tags are found to differ then this memory access is judged to be
1737 invalid and a report is generated.
1739 This method of bug detection is not perfect -- it can not catch every bad
1740 access -- but catches them probabilistically instead. There is always the
1741 possibility that an invalid memory access will happen to access memory
1742 tagged with the same tag as the pointer that this access used.
1743 The chances of this are approx. 0.4% for any two uncorrelated objects.
1745 Random tag generation can mitigate this problem by decreasing the
1746 probability that an invalid access will be missed in the same manner over
1747 multiple runs. i.e. if two objects are tagged the same in one run of the
1748 binary they are unlikely to be tagged the same in the next run.
1749 Both heap and stack allocated objects have random tags by default.
1751 [16 byte granule implications]
1752 Since the shadow memory only has a resolution on real memory of 16 bytes,
1753 invalid accesses that are within the same 16 byte granule as a valid
1754 address will not be caught.
1756 There is a "short-granule" feature in the runtime library which does catch
1757 such accesses, but this feature is not implemented for stack objects (since
1758 stack objects are allocated and tagged by compiler instrumentation, and
1759 this feature has not yet been implemented in GCC instrumentation).
1761 Another outcome of this 16 byte resolution is that each tagged object must
1762 be 16 byte aligned. If two objects were to share any 16 byte granule in
1763 memory, then they both would have to be given the same tag, and invalid
1764 accesses to one using a pointer to the other would be undetectable.
1766 [Compiler instrumentation]
1767 Compiler instrumentation ensures that two adjacent buffers on the stack are
1768 given different tags, this means an access to one buffer using a pointer
1769 generated from the other (e.g. through buffer overrun) will have mismatched
1770 tags and be caught by hwasan.
1772 We don't randomly tag every object on the stack, since that would require
1773 keeping many registers to record each tag. Instead we randomly generate a
1774 tag for each function frame, and each new stack object uses a tag offset
1775 from that frame tag.
1776 i.e. each object is tagged as RFT + offset, where RFT is the "random frame
1777 tag" generated for this frame.
1778 This means that randomisation does not peturb the difference between tags
1779 on tagged stack objects within a frame, but this is mitigated by the fact
1780 that objects with the same tag within a frame are very far apart
1781 (approx. 2^HWASAN_TAG_SIZE objects apart).
1783 As a demonstration, using the same example program as in the asan block
1784 comment above:
1786 int
1787 foo ()
1788 {
1789 char a[24] = {0};
1790 int b[2] = {0};
1792 a[5] = 1;
1793 b[1] = 2;
1795 return a[5] + b[1];
1796 }
1798 On AArch64 the stack will be ordered as follows for the above function:
1800 Slot 1/ [24 bytes for variable 'a']
1801 Slot 2/ [8 bytes padding for alignment]
1802 Slot 3/ [8 bytes for variable 'b']
1803 Slot 4/ [8 bytes padding for alignment]
1805 (The padding is there to ensure 16 byte alignment as described in the 16
1806 byte granule implications).
1808 While the shadow memory will be ordered as follows:
1810 - 2 bytes (representing 32 bytes in real memory) tagged with RFT + 1.
1811 - 1 byte (representing 16 bytes in real memory) tagged with RFT + 2.
1813 And any pointer to "a" will have the tag RFT + 1, and any pointer to "b"
1814 will have the tag RFT + 2.
1816 [Top Byte Ignore requirements]
1817 Hwasan requires the ability to store an 8 bit tag in every pointer. There
1818 is no instrumentation done to remove this tag from pointers before
1819 dereferencing, which means the hardware must ignore this tag during memory
1820 accesses.
1822 Architectures where this feature is available should indicate this using
1823 the TARGET_MEMTAG_CAN_TAG_ADDRESSES hook.
1825 [Stack requires cleanup on unwinding]
1826 During normal operation of a hwasan sanitized program more space in the
1827 shadow memory becomes tagged as the stack grows. As the stack shrinks this
1828 shadow memory space must become untagged. If it is not untagged then when
1829 the stack grows again (during other function calls later on in the program)
1830 objects on the stack that are usually not tagged (e.g. parameters passed on
1831 the stack) can be placed in memory whose shadow space is tagged with
1832 something else, and accesses can cause false positive reports.
1834 Hence we place untagging code on every epilogue of functions which tag some
1835 stack objects.
1837 Moreover, the run-time library intercepts longjmp & setjmp to untag when
1838 the stack is unwound this way.
1840 C++ exceptions are not yet handled, which means this sanitizer can not
1841 handle C++ code that throws exceptions -- it will give false positives
1842 after an exception has been thrown. The implementation that the hwasan
1843 library has for handling these relies on the frame pointer being after any
1844 local variables. This is not generally the case for GCC. */
1847 /* Returns whether we are tagging pointers and checking those tags on memory
1848 access. */
1849 bool
1851 {
1853 }
1855 /* Are we tagging the stack? */
1856 bool
1858 {
1860 }
1862 /* Are we tagging alloca objects? */
1863 bool
1865 {
1867 }
1869 /* Should we instrument reads? */
1870 bool
1872 {
1874 }
1876 /* Should we instrument writes? */
1877 bool
1879 {
1881 }
1883 /* Should we instrument builtin calls? */
1884 bool
1886 {
1888 }
1890 /* Insert code to protect stack vars. The prologue sequence should be emitted
1891 directly, epilogue sequence returned. BASE is the register holding the
1892 stack base, against which OFFSETS array offsets are relative to, OFFSETS
1893 array contains pairs of offsets in reverse order, always the end offset
1894 of some gap that needs protection followed by starting offset,
1895 and DECLS is an array of representative decls for each var partition.
1896 LENGTH is the length of the OFFSETS array, DECLS array is LENGTH / 2 - 1
1897 elements long (OFFSETS include gap before the first variable as well
1898 as gaps after each stack variable). PBASE is, if non-NULL, some pseudo
1899 register which stack vars DECL_RTLs are based on. Either BASE should be
1900 assigned to PBASE, when not doing use after return protection, or
1901 corresponding address based on __asan_stack_malloc* return value. */
1903 rtx_insn *
1906 {
1920 /* Don't emit anything when doing error recovery, the assertions
1921 might fail e.g. if a function had a frame offset overflow. */
1928 expanded_location cfun_xloc
1931 /* First of all, prepare the description string. */
1932 pretty_printer asan_pp;
1937 {
1944 expanded_location xloc
1950 else
1954 {
1955 unsigned idlen
1961 }
1962 else
1967 }
1972 /* Emit the prologue sequence. */
1975 {
1977 /* The stack protector guard is allocated at the top of the frame
1978 and cfgexpand.cc then uses align_frame_offset (ASAN_RED_ZONE_SIZE);
1979 while in that case we can still use asan_frame_size, we need to take
1980 that into account when computing base_align_bias. */
1984 /* __asan_stack_malloc_N guarantees alignment
1985 N < 6 ? (64 << N) : 4096 bytes. */
1991 {
1992 base_align_bias
1995 use_after_return_class
1998 {
2001 }
2002 }
2003 }
2005 /* Align base if target is STRICT_ALIGNMENT. */
2007 {
2008 const HOST_WIDE_INT align
2012 }
2022 {
2024 {
2027 integer_type_node);
2037 }
2046 use_after_return_class);
2052 /* __asan_stack_malloc_[n] returns a pointer to fake stack if succeeded
2053 and NULL otherwise. Check RET value is NULL here and jump over the
2054 BASE reassignment in this case. Otherwise, reassign BASE to RET. */
2065 }
2093 {
2095 shadow_base
2100 }
2101 else
2102 {
2106 }
2117 {
2123 /* If a red-zone is not aligned to ASAN_SHADOW_GRANULARITY then
2124 the previous stack variable has size % ASAN_SHADOW_GRANULARITY != 0.
2125 In that case we have to emit one extra byte that will describe
2126 how many bytes (our of ASAN_SHADOW_GRANULARITY) can be accessed. */
2128 {
2129 HOST_WIDE_INT aoff
2134 }
2136 /* Calculate size of red zone payload. */
2138 {
2141 }
2144 }
2146 /* As the automatic variables are aligned to
2147 ASAN_RED_ZONE_SIZE / ASAN_SHADOW_GRANULARITY, the buffer should be
2148 flushed here. */
2153 /* Construct epilogue sequence. */
2158 {
2174 /* Emit memset (ShadowBase, kAsanStackAfterReturnMagic, ShadowSize). */
2183 {
2185 use_after_return_class);
2194 }
2196 {
2197 /* Emit **SavedFlagPtr (FakeStack, class_id) = 0. */
2207 }
2211 }
2224 {
2228 {
2236 }
2237 else
2243 /* Unpoison shadow memory that corresponds to a variable that is
2244 is subject of use-after-return sanitization. */
2246 {
2250 {
2253 {
2259 }
2262 }
2263 }
2264 last_size_aligned
2267 }
2269 {
2274 }
2276 /* Clean-up set with instrumented stack variables. */
2289 }
2291 /* Emit __asan_allocas_unpoison (top, bot) call. The BASE parameter corresponds
2292 to BOT argument, for TOP virtual_stack_dynamic_rtx is used. NEW_SEQUENCE
2293 indicates whether we're emitting new instructions sequence or not. */
2295 rtx_insn *
2297 {
2300 else
2312 }
2314 /* Return true if DECL, a global var, might be overridden and needs
2315 therefore a local alias. */
2317 static bool
2319 {
2321 }
2323 /* Return true if DECL, a global var, is an artificial ODR indicator symbol
2324 therefore doesn't need protection. */
2326 static bool
2328 {
2331 }
2333 /* Return true if DECL is a VAR_DECL that should be protected
2334 by Address Sanitizer, by appending a red zone with protected
2335 shadow memory after it and aligning it to at least
2336 ASAN_RED_ZONE_SIZE bytes. */
2338 bool
2340 {
2347 {
2348 /* Instrument all STRING_CSTs except those created
2349 by asan_pp_string here. */
2355 }
2357 /* TLS vars aren't statically protectable. */
2359 /* Externs will be protected elsewhere. */
2361 /* PR sanitizer/81697: For architectures that use section anchors first
2362 call to asan_protect_global may occur before DECL_RTL (decl) is set.
2363 We should ignore DECL_RTL_SET_P then, because otherwise the first call
2364 to asan_protect_global will return FALSE and the following calls on the
2365 same decl after setting DECL_RTL (decl) will return TRUE and we'll end
2366 up with inconsistency at runtime. */
2368 /* Comdat vars pose an ABI problem, we can't know if
2369 the var that is selected by the linker will have
2370 padding or not. */
2372 /* Similarly for common vars. People can use -fno-common.
2373 Note: Linux kernel is built with -fno-common, so we do instrument
2374 globals there even if it is C. */
2376 /* Don't protect if using user section, often vars placed
2377 into user section from multiple TUs are then assumed
2378 to be an array of such vars, putting padding in there
2379 breaks this assumption. */
2383 /* Don't protect variables in non-generic address-space. */
2395 {
2405 }
2414 }
2416 /* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16,_n}.
2417 IS_STORE is either 1 (for a store) or 0 (for a load). */
2419 static tree
2422 {
2433 BUILT_IN_ASAN_REPORT_LOAD2_NOABORT,
2434 BUILT_IN_ASAN_REPORT_LOAD4_NOABORT,
2435 BUILT_IN_ASAN_REPORT_LOAD8_NOABORT,
2436 BUILT_IN_ASAN_REPORT_LOAD16_NOABORT,
2437 BUILT_IN_ASAN_REPORT_LOAD_N_NOABORT },
2439 BUILT_IN_ASAN_REPORT_STORE2_NOABORT,
2440 BUILT_IN_ASAN_REPORT_STORE4_NOABORT,
2441 BUILT_IN_ASAN_REPORT_STORE8_NOABORT,
2442 BUILT_IN_ASAN_REPORT_STORE16_NOABORT,
2443 BUILT_IN_ASAN_REPORT_STORE_N_NOABORT } } };
2445 {
2448 }
2452 }
2454 /* Construct a function tree for __asan_{load,store}{1,2,4,8,16,_n}.
2455 IS_STORE is either 1 (for a store) or 0 (for a load). */
2457 static tree
2460 {
2469 BUILT_IN_ASAN_LOAD2_NOABORT,
2470 BUILT_IN_ASAN_LOAD4_NOABORT,
2471 BUILT_IN_ASAN_LOAD8_NOABORT,
2472 BUILT_IN_ASAN_LOAD16_NOABORT,
2473 BUILT_IN_ASAN_LOADN_NOABORT },
2475 BUILT_IN_ASAN_STORE2_NOABORT,
2476 BUILT_IN_ASAN_STORE4_NOABORT,
2477 BUILT_IN_ASAN_STORE8_NOABORT,
2478 BUILT_IN_ASAN_STORE16_NOABORT,
2479 BUILT_IN_ASAN_STOREN_NOABORT } } };
2481 {
2484 }
2488 }
2490 /* Split the current basic block and create a condition statement
2491 insertion point right before or after the statement pointed to by
2492 ITER. Return an iterator to the point at which the caller might
2493 safely insert the condition statement.
2495 THEN_BLOCK must be set to the address of an uninitialized instance
2496 of basic_block. The function will then set *THEN_BLOCK to the
2497 'then block' of the condition statement to be inserted by the
2498 caller.
2500 If CREATE_THEN_FALLTHRU_EDGE is false, no edge will be created from
2501 *THEN_BLOCK to *FALLTHROUGH_BLOCK.
2503 Similarly, the function will set *FALLTRHOUGH_BLOCK to the 'else
2504 block' of the condition statement to be inserted by the caller.
2506 Note that *FALLTHROUGH_BLOCK is a new block that contains the
2507 statements starting from *ITER, and *THEN_BLOCK is a new empty
2508 block.
2510 *ITER is adjusted to point to always point to the first statement
2511 of the basic block * FALLTHROUGH_BLOCK. That statement is the
2512 same as what ITER was pointing to prior to calling this function,
2513 if BEFORE_P is true; otherwise, it is its following statement. */
2515 gimple_stmt_iterator
2522 {
2532 /* Get a hold on the 'condition block', the 'then block' and the
2533 'else block'. */
2538 {
2541 }
2543 /* Set up the newly created 'then block'. */
2545 profile_probability fallthrough_probability
2546 = then_more_likely_p
2554 /* Set up the fallthrough basic block. */
2559 /* Update dominance info for the newly created then_bb; note that
2560 fallthru_bb's dominance info has already been updated by
2561 split_bock. */
2570 }
2572 /* Insert an if condition followed by a 'then block' right before the
2573 statement pointed to by ITER. The fallthrough block -- which is the
2574 else block of the condition as well as the destination of the
2575 outcoming edge of the 'then block' -- starts with the statement
2576 pointed to by ITER.
2578 COND is the condition of the if.
2580 If THEN_MORE_LIKELY_P is true, the probability of the edge to the
2581 'then block' is higher than the probability of the edge to the
2582 fallthrough block.
2584 Upon completion of the function, *THEN_BB is set to the newly
2585 inserted 'then block' and similarly, *FALLTHROUGH_BB is set to the
2586 fallthrough block.
2588 *ITER is adjusted to still point to the same statement it was
2589 pointing to initially. */
2591 static void
2597 {
2598 gimple_stmt_iterator cond_insert_point =
2601 then_more_likely_p,
2603 then_bb,
2604 fallthrough_bb);
2606 }
2608 /* Build (base_addr >> ASAN_SHADOW_SHIFT) + asan_shadow_offset ().
2609 If RETURN_ADDRESS is set to true, return memory location instread
2610 of a value in the shadow memory. */
2612 static tree
2616 {
2629 else
2642 {
2648 }
2651 }
2653 /* BASE can already be an SSA_NAME; in that case, do not create a
2654 new SSA_NAME for it. */
2656 static tree
2659 {
2667 else
2670 }
2672 /* LEN can already have necessary size and precision;
2673 in that case, do not create a new variable. */
2675 tree
2678 {
2686 else
2689 }
2691 /* Instrument the memory access instruction BASE. Insert new
2692 statements before or after ITER.
2694 Note that the memory access represented by BASE can be either an
2695 SSA_NAME, or a non-SSA expression. LOCATION is the source code
2696 location. IS_STORE is TRUE for a store, FALSE for a load.
2697 BEFORE_P is TRUE for inserting the instrumentation code before
2698 ITER, FALSE for inserting it after ITER. IS_SCALAR_ACCESS is TRUE
2699 for a scalar memory access and FALSE for memory region access.
2700 NON_ZERO_P is TRUE if memory region is guaranteed to have non-zero
2701 length. ALIGN tells alignment of accessed memory object.
2703 START_INSTRUMENTED and END_INSTRUMENTED are TRUE if start/end of
2704 memory region have already been instrumented.
2706 If BEFORE_P is TRUE, *ITER is arranged to still point to the
2707 statement it was pointing to prior to calling this function,
2708 otherwise, it points to the statement logically following it. */
2710 static void
2715 {
2725 {
2728 }
2729 else
2730 {
2733 }
2736 {
2741 {
2742 /* On non-strict alignment targets, if
2743 16-byte access is just 8-byte aligned,
2744 this will result in misaligned shadow
2745 memory 2 byte load, but otherwise can
2746 be handled using one read. */
2748 || STRICT_ALIGNMENT
2751 }
2752 }
2763 ? IFN_HWASAN_CHECK
2774 else
2775 {
2778 }
2779 }
2781 /* If T represents a memory access, add instrumentation code before ITER.
2782 LOCATION is source code location.
2783 IS_STORE is either TRUE (for a store) or FALSE (for a load). */
2785 static void
2788 {
2795 HOST_WIDE_INT size_in_bytes;
2801 {
2809 /* FALLTHRU */
2812 }
2819 tree offset;
2820 machine_mode mode;
2827 {
2834 }
2843 /* Accesses to non-generic address-spaces should not be instrumented. */
2847 poly_int64 decl_size;
2855 {
2858 /* If we're not sanitizing globals and we can tell statically that this
2859 access is inside a global variable, then there's no point adding
2860 instrumentation to check the access. N.b. hwasan currently never
2861 sanitizes globals. */
2866 {
2867 /* Automatic vars in the current function will be always
2868 accessible. */
2873 }
2874 /* Always instrument external vars, they might be dynamically
2875 initialized. */
2877 {
2878 /* For static vars if they are known not to be dynamically
2879 initialized, they will be always accessible. */
2883 }
2884 }
2893 {
2900 }
2902 }
2904 /* Insert a memory reference into the hash table if access length
2905 can be determined in compile time. */
2907 static void
2909 {
2918 }
2920 /* Instrument an access to a contiguous memory region that starts at
2921 the address pointed to by BASE, over a length of LEN (expressed in
2922 the sizeof (*BASE) bytes). ITER points to the instruction before
2923 which the instrumentation instructions must be inserted. LOCATION
2924 is the source location that the instrumentation instructions must
2925 have. If IS_STORE is true, then the memory access is a store;
2926 otherwise, it's a load. */
2928 static void
2932 {
2942 {
2946 }
2950 }
2952 /* Instrument the call to a built-in memory access function that is
2953 pointed to by the iterator ITER.
2955 Upon completion, return TRUE iff *ITER has been advanced to the
2956 statement following the one it was originally pointing to. */
2958 static bool
2960 {
2985 {
2987 {
2991 }
2994 {
3008 }
3009 else
3010 {
3017 }
3018 }
3020 }
3022 /* Instrument the assignment statement ITER if it is subject to
3023 instrumentation. Return TRUE iff instrumentation actually
3024 happened. In that case, the iterator ITER is advanced to the next
3025 logical expression following the one initially pointed to by ITER,
3026 and the relevant memory reference that which access has been
3027 instrumented is added to the memory references hash table. */
3029 static bool
3031 {
3040 {
3045 is_store);
3047 }
3050 {
3055 is_store);
3057 }
3063 }
3065 /* Instrument the function call pointed to by the iterator ITER, if it
3066 is subject to instrumentation. At the moment, the only function
3067 calls that are instrumented are some built-in functions that access
3068 memory. Look at instrument_builtin_call to learn more.
3070 Upon completion return TRUE iff *ITER was advanced to the statement
3071 following the one it was originally pointing to. */
3073 static bool
3075 {
3083 {
3085 {
3088 {
3092 /* Don't instrument these. */
3096 }
3097 }
3099 /* Don't instrument this. */
3101 /* If a function does not return, then we must handle clearing up the
3102 shadow stack accordingly. For ASAN we can simply set the entire stack
3103 to "valid" for accesses by setting the shadow space to 0 and all
3104 accesses will pass checks. That means that some bad accesses may be
3105 missed, but we will not report any false positives.
3107 This is not possible for HWASAN. Since there is no "always valid" tag
3108 we can not set any space to "always valid". If we were to clear the
3109 entire shadow stack then code resuming from `longjmp` or a caught
3110 exception would trigger false positives when correctly accessing
3111 variables on the stack. Hence we need to handle things like
3112 `longjmp`, thread exit, and exceptions in a different way. These
3113 problems must be handled externally to the compiler, e.g. in the
3114 language runtime. */
3116 {
3121 }
3122 }
3130 {
3137 }
3139 /* Walk through gimple_call arguments and check them id needed. */
3142 {
3144 /* If ARG is not a non-aggregate register variable, compiler in general
3145 creates temporary for it and pass it as argument to gimple call.
3146 But in some cases, e.g. when we pass by value a small structure that
3147 fits to register, compiler can avoid extra overhead by pulling out
3148 these temporaries. In this case, we should check the argument. */
3150 {
3155 }
3156 }
3160 }
3162 /* Walk each instruction of all basic block and instrument those that
3163 represent memory references: loads, stores, or function calls.
3164 In a given basic block, this function avoids instrumenting memory
3165 references that have already been instrumented. */
3167 static void
3169 {
3171 gimple_stmt_iterator i;
3175 {
3180 /* Flush the mem ref hash table, if current bb doesn't have
3181 exactly one predecessor, or if that predecessor (skipping
3182 over asan created basic blocks) isn't the last processed
3183 basic block. Thus we effectively flush on extended basic
3184 block boundaries. */
3186 {
3190 }
3196 {
3204 /* Nothing to do as maybe_instrument_assignment advanced
3207 /* Nothing to do as maybe_instrument_call
3209 else
3210 {
3211 /* No instrumentation happened.
3213 If the current instruction is a function call that
3214 might free something, let's forget about the memory
3215 references that got instrumented. Otherwise we might
3216 miss some instrumentation opportunities. Do the same
3217 for a ASAN_MARK poisoning internal function. */
3224 }
3225 }
3226 }
3228 }
3230 /* Build
3231 __asan_before_dynamic_init (module_name)
3232 or
3233 __asan_after_dynamic_init ()
3234 call. */
3236 tree
3238 {
3243 ? BUILT_IN_ASAN_AFTER_DYNAMIC_INIT
3247 {
3248 pretty_printer module_name_pp;
3253 module_name_cst);
3254 }
3257 }
3259 /* Build
3260 struct __asan_global
3261 {
3262 const void *__beg;
3263 uptr __size;
3264 uptr __size_with_redzone;
3265 const void *__name;
3266 const void *__module_name;
3267 uptr __has_dynamic_init;
3268 __asan_global_source_location *__location;
3269 char *__odr_indicator;
3270 } type. */
3272 static tree
3274 {
3284 {
3293 }
3304 }
3306 /* Create and return odr indicator symbol for DECL.
3307 TYPE is __asan_global struct type as returned by asan_global_struct. */
3309 static tree
3311 {
3314 tree decl_name
3317 /* DECL_NAME theoretically might be NULL. Bail out with 0 in this case. */
3326 #ifndef NO_DOT_IN_LABEL
3328 #elif !defined(NO_DOLLAR_IN_LABEL)
3330 #endif
3332 char_type_node);
3354 }
3356 /* Return true if DECL, a global var, might be overridden and needs
3357 an additional odr indicator symbol. */
3359 static bool
3361 {
3362 /* Don't emit ODR indicators for kernel because:
3363 a) Kernel is written in C thus doesn't need ODR indicators.
3364 b) Some kernel code may have assumptions about symbols containing specific
3365 patterns in their names. Since ODR indicators contain original names
3366 of symbols they are emitted for, these assumptions would be broken for
3367 ODR indicator symbols. */
3372 }
3374 /* Append description of a single global DECL into vector V.
3375 TYPE is __asan_global struct type as returned by asan_global_struct. */
3377 static void
3379 {
3389 else
3395 else
3396 {
3400 else
3402 }
3407 {
3422 }
3424 tree odr_indicator_ptr
3440 /* FIXME: Enable initialization order fiasco detection in LTO mode once
3441 proper fix for PR 79061 will be applied. */
3450 {
3460 pretty_printer filename_pp;
3474 }
3475 else
3481 }
3483 /* Initialize sanitizer.def builtins if the FE hasn't initialized them. */
3484 void
3486 {
3487 tree decl;
3493 tree BT_FN_VOID_PTR
3495 tree BT_FN_VOID_CONST_PTR
3497 tree BT_FN_VOID_PTR_PTR
3500 tree BT_FN_VOID_PTR_PTR_PTR
3503 tree BT_FN_VOID_PTR_PTRMODE
3506 tree BT_FN_VOID_INT
3508 tree BT_FN_SIZE_CONST_PTR_INT
3512 tree BT_FN_VOID_UINT8_UINT8
3515 tree BT_FN_VOID_UINT16_UINT16
3518 tree BT_FN_VOID_UINT32_UINT32
3521 tree BT_FN_VOID_UINT64_UINT64
3524 tree BT_FN_VOID_FLOAT_FLOAT
3527 tree BT_FN_VOID_DOUBLE_DOUBLE
3530 tree BT_FN_VOID_UINT64_PTR
3534 tree BT_FN_PTR_CONST_PTR_UINT8
3537 tree BT_FN_VOID_PTR_UINT8_PTRMODE
3539 unsigned_char_type_node,
3546 tree vptr
3548 TYPE_QUAL_VOLATILE));
3549 tree cvptr
3551 TYPE_QUAL_VOLATILE
3553 tree boolt
3557 {
3562 NULL_TREE);
3567 NULL_TREE);
3571 }
3572 #define BT_FN_BOOL_VPTR_PTR_I1_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[0]
3573 #define BT_FN_I1_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[0]
3574 #define BT_FN_I1_VPTR_I1_INT BT_FN_IX_VPTR_IX_INT[0]
3575 #define BT_FN_VOID_VPTR_I1_INT BT_FN_VOID_VPTR_IX_INT[0]
3576 #define BT_FN_BOOL_VPTR_PTR_I2_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[1]
3577 #define BT_FN_I2_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[1]
3578 #define BT_FN_I2_VPTR_I2_INT BT_FN_IX_VPTR_IX_INT[1]
3579 #define BT_FN_VOID_VPTR_I2_INT BT_FN_VOID_VPTR_IX_INT[1]
3580 #define BT_FN_BOOL_VPTR_PTR_I4_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[2]
3581 #define BT_FN_I4_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[2]
3582 #define BT_FN_I4_VPTR_I4_INT BT_FN_IX_VPTR_IX_INT[2]
3583 #define BT_FN_VOID_VPTR_I4_INT BT_FN_VOID_VPTR_IX_INT[2]
3584 #define BT_FN_BOOL_VPTR_PTR_I8_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[3]
3585 #define BT_FN_I8_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[3]
3586 #define BT_FN_I8_VPTR_I8_INT BT_FN_IX_VPTR_IX_INT[3]
3587 #define BT_FN_VOID_VPTR_I8_INT BT_FN_VOID_VPTR_IX_INT[3]
3588 #define BT_FN_BOOL_VPTR_PTR_I16_INT_INT BT_FN_BOOL_VPTR_PTR_IX_INT_INT[4]
3589 #define BT_FN_I16_CONST_VPTR_INT BT_FN_IX_CONST_VPTR_INT[4]
3590 #define BT_FN_I16_VPTR_I16_INT BT_FN_IX_VPTR_IX_INT[4]
3591 #define BT_FN_VOID_VPTR_I16_INT BT_FN_VOID_VPTR_IX_INT[4]
3592 #undef ATTR_NOTHROW_LIST
3593 #define ATTR_NOTHROW_LIST ECF_NOTHROW
3594 #undef ATTR_NOTHROW_LEAF_LIST
3595 #define ATTR_NOTHROW_LEAF_LIST ECF_NOTHROW | ECF_LEAF
3596 #undef ATTR_TMPURE_NOTHROW_LEAF_LIST
3597 #define ATTR_TMPURE_NOTHROW_LEAF_LIST ECF_TM_PURE | ATTR_NOTHROW_LEAF_LIST
3598 #undef ATTR_NORETURN_NOTHROW_LEAF_LIST
3599 #define ATTR_NORETURN_NOTHROW_LEAF_LIST ECF_NORETURN | ATTR_NOTHROW_LEAF_LIST
3600 #undef ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST
3601 #define ATTR_CONST_NORETURN_NOTHROW_LEAF_LIST \
3602 ECF_CONST | ATTR_NORETURN_NOTHROW_LEAF_LIST
3603 #undef ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST
3604 #define ATTR_TMPURE_NORETURN_NOTHROW_LEAF_LIST \
3605 ECF_TM_PURE | ATTR_NORETURN_NOTHROW_LEAF_LIST
3606 #undef ATTR_COLD_NOTHROW_LEAF_LIST
3607 #define ATTR_COLD_NOTHROW_LEAF_LIST \
3609 #undef ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST
3610 #define ATTR_COLD_NORETURN_NOTHROW_LEAF_LIST \
3612 #undef ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST
3613 #define ATTR_COLD_CONST_NORETURN_NOTHROW_LEAF_LIST \
3615 #undef ATTR_PURE_NOTHROW_LEAF_LIST
3616 #define ATTR_PURE_NOTHROW_LEAF_LIST ECF_PURE | ATTR_NOTHROW_LEAF_LIST
3617 #undef DEF_BUILTIN_STUB
3618 #define DEF_BUILTIN_STUB(ENUM, NAME)
3619 #undef DEF_SANITIZER_BUILTIN_1
3620 #define DEF_SANITIZER_BUILTIN_1(ENUM, NAME, TYPE, ATTRS) \
3621 do { \
3623 BUILT_IN_NORMAL, NAME, NULL_TREE); \
3624 set_call_expr_flags (decl, ATTRS); \
3625 set_builtin_decl (ENUM, decl, true); \
3626 } while (0)
3627 #undef DEF_SANITIZER_BUILTIN
3628 #define DEF_SANITIZER_BUILTIN(ENUM, NAME, TYPE, ATTRS) \
3629 DEF_SANITIZER_BUILTIN_1 (ENUM, NAME, TYPE, ATTRS);
3633 /* -fsanitize=object-size uses __builtin_dynamic_object_size and
3634 __builtin_object_size, but they might not be available for e.g. Fortran at
3635 this point. We use DEF_SANITIZER_BUILTIN here only as a convenience
3636 macro. */
3638 {
3641 BT_FN_SIZE_CONST_PTR_INT,
3642 ATTR_PURE_NOTHROW_LEAF_LIST);
3646 BT_FN_SIZE_CONST_PTR_INT,
3647 ATTR_PURE_NOTHROW_LEAF_LIST);
3648 }
3650 #undef DEF_SANITIZER_BUILTIN_1
3651 #undef DEF_SANITIZER_BUILTIN
3652 #undef DEF_BUILTIN_STUB
3653 }
3655 /* Called via htab_traverse. Count number of emitted
3656 STRING_CSTs in the constant hash table. */
3658 int
3661 {
3668 }
3670 /* Helper structure to pass two parameters to
3671 add_string_csts. */
3673 struct asan_add_string_csts_data
3674 {
3675 tree type;
3677 };
3679 /* Called via hash_table::traverse. Call asan_add_global
3680 on emitted STRING_CSTs from the constant hash table. */
3682 int
3685 {
3690 {
3693 }
3695 }
3697 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
3698 invoke ggc_collect. */
3701 /* Module-level instrumentation.
3702 - Insert __asan_init_vN() into the list of CTORs.
3703 - TODO: insert redzones around globals.
3704 */
3706 void
3708 {
3714 /* Avoid instrumenting code in the asan ctors/dtors.
3715 We don't need to insert padding after the description strings,
3716 nor after .LASAN* array. */
3719 /* For user-space we want asan constructors to run first.
3720 Linux kernel does not support priorities other than default, and the only
3721 other user of constructors is coverage. So we run with the default
3722 priority. */
3727 {
3732 }
3741 {
3750 type);
3778 gcount_tree),
3784 gcount_tree),
3787 }
3791 }
3793 /* Poison or unpoison (depending on IS_CLOBBER variable) shadow memory based
3794 on SHADOW address. Newly added statements will be added to ITER with
3795 given location LOC. We mark SIZE bytes in shadow memory, where
3796 LAST_CHUNK_SIZE is greater than zero in situation where we are at the
3797 end of a variable. */
3799 static void
3801 tree shadow,
3805 {
3806 tree shadow_ptr_type;
3809 {
3821 }
3829 {
3834 }
3836 /* Handle last chunk in unpoisoning. */
3845 }
3847 /* Expand the ASAN_MARK builtins. */
3849 bool
3851 {
3861 /* For a nested function, we can have: ASAN_MARK (2, &FRAME.2.fp_input, 4) */
3869 {
3872 /* Here we swap ASAN_MARK calls for HWASAN_MARK.
3873 This is because we are using the approach of using ASAN_MARK as a
3874 synonym until here.
3875 That approach means we don't yet have to duplicate all the special
3876 cases for ASAN_MARK and ASAN_POISON with the exact same handling but
3877 called HWASAN_MARK etc.
3879 N.b. __asan_poison_stack_memory (which implements ASAN_MARK for ASAN)
3880 rounds the size up to its shadow memory granularity, while
3881 __hwasan_tag_memory (which implements the same for HWASAN) does not.
3882 Hence we emit HWASAN_MARK with an aligned size unlike ASAN_MARK. */
3885 HWASAN_TAG_GRANULE_SIZE);
3891 }
3894 {
3898 }
3909 /* Generate direct emission if size_in_bytes is small. */
3912 {
3914 const unsigned HOST_WIDE_INT shadow_size
3916 const unsigned int shadow_align
3923 {
3940 }
3941 }
3942 else
3943 {
3950 tree fun
3956 }
3959 }
3961 /* Expand the ASAN_{LOAD,STORE} builtins. */
3963 bool
3965 {
3972 else
3985 HOST_WIDE_INT size_in_bytes
3989 {
3990 /* Instrument using callbacks. */
4001 else
4002 {
4010 }
4014 }
4024 {
4025 /* So, the length of the memory area to asan-protect is
4026 non-constant. Let's guard the generated instrumentation code
4027 like:
4029 if (len != 0)
4030 {
4031 //asan instrumentation code goes here.
4032 }
4033 // falltrough instructions, starting with *ITER. */
4036 len,
4045 /* Note that fallthrough_bb starts with the statement that was
4046 pointed to by ITER. */
4048 /* The 'then block' of the 'if (len != 0) condition is where
4049 we'll generate the asan instrumentation code now. */
4051 }
4053 /* Get an iterator on the point where we can add the condition
4054 statement for the instrumentation. */
4070 {
4072 shadow_ptr_type);
4074 }
4075 else
4076 {
4077 /* Slow path for 1, 2 and 4 byte accesses. */
4078 /* Test (shadow != 0)
4079 & ((base_addr & 7) + (real_size_in_bytes - 1)) >= shadow). */
4081 shadow_ptr_type);
4085 /* Aligned (>= 8 bytes) can test just
4086 (real_size_in_bytes - 1 >= shadow), as base_addr & 7 is known
4087 to be 0. */
4089 {
4101 }
4102 else
4111 /* For non-constant, misaligned or otherwise weird access sizes,
4112 check first and last byte. */
4114 {
4128 shadow_ptr_type);
4138 shadow));
4146 }
4147 }
4154 /* Generate call to the run-time library (e.g. __asan_report_load8). */
4166 }
4168 /* Create ASAN shadow variable for a VAR_DECL which has been rewritten
4169 into SSA. Already seen VAR_DECLs are stored in SHADOW_VARS_MAPPING. */
4171 static tree
4174 {
4177 {
4180 copy_body_data id;
4192 }
4193 else
4195 }
4197 /* Expand ASAN_POISON ifn. */
4199 bool
4203 {
4207 {
4210 }
4217 shadow_vars_mapping);
4222 else
4225 gimple *poison_call
4228 ASAN_MARK_POISON),
4232 imm_use_iterator imm_iter;
4234 {
4242 {
4244 /* NOTE: hwasan has no __hwasan_report_* functions like asan does.
4245 We use __hwasan_tag_mismatch4 with arguments that tell it the
4246 size of access and load to report all tag mismatches.
4248 The arguments to this function are:
4249 Address of invalid access.
4250 Bitfield containing information about the access
4251 (access_info)
4252 Pointer to a frame of registers
4253 (for use in printing the contents of registers in a dump)
4254 Not used yet -- to be used by inline instrumentation.
4255 Size of access.
4257 The access_info bitfield encodes the following pieces of
4258 information:
4259 - Is this a store or load?
4260 access_info & 0x10 => store
4261 - Should the program continue after reporting the error?
4262 access_info & 0x20 => recover
4263 - What size access is this (not used here since we can always
4264 pass the size in the last argument)
4266 if (access_info & 0xf == 0xf)
4267 size is taken from last argument.
4268 else
4269 size == 1 << (access_info & 0xf)
4271 The last argument contains the size of the access iff the
4272 access_info size indicator is 0xf (we always use this argument
4273 rather than storing the size in the access_info bitfield).
4275 See the function definition `__hwasan_tag_mismatch4` in
4276 libsanitizer/hwasan for the full definition.
4277 */
4284 access_info),
4286 size);
4287 }
4288 else
4289 {
4294 }
4298 /* The USE can be a gimple PHI node. If so, insert the call on
4299 all edges leading to the PHI node. */
4301 {
4305 {
4308 /* Do not insert on an edge we can't split. */
4318 }
4319 }
4320 else
4321 {
4325 else
4327 }
4328 }
4335 }
4337 /* Instrument the current function. */
4339 static unsigned int
4341 {
4343 {
4347 }
4354 }
4356 static bool
4358 {
4360 }
4365 {
4375 };
4378 {
4382 {}
4384 /* opt_pass methods: */
4387 {
4389 }
4391 {
4393 }
4399 gimple_opt_pass *
4401 {
4403 }
4408 {
4418 };
4421 {
4425 {}
4427 /* opt_pass methods: */
4429 {
4431 }
4433 {
4435 }
4441 gimple_opt_pass *
4443 {
4445 }
4447 /* HWASAN */
4449 /* For stack tagging:
4451 Return the offset from the frame base tag that the "next" expanded object
4452 should have. */
4453 uint8_t
4455 {
4457 }
4459 /* For stack tagging:
4461 Return the 'base pointer' for this function. If that base pointer has not
4462 yet been created then we create a register to hold it and record the insns
4463 to initialize the register in `hwasan_frame_base_init_seq` for later
4464 emission. */
4465 rtx
4467 {
4469 {
4471 hwasan_frame_base_ptr
4474 NULL_RTX));
4477 }
4480 }
4482 /* For stack tagging:
4484 Check whether this RTX is a standard pointer addressing the base of the
4485 stack variables for this frame. Returns true if the RTX is either
4486 virtual_stack_vars_rtx or hwasan_frame_base_ptr. */
4487 bool
4489 {
4491 }
4493 /* For stack tagging:
4495 Emit frame base initialisation.
4496 If hwasan_frame_base has been used before here then
4497 hwasan_frame_base_init_seq contains the sequence of instructions to
4498 initialize it. This must be put just before the hwasan prologue, so we emit
4499 the insns before parm_birth_insn (which will point to the first instruction
4500 of the hwasan prologue if it exists).
4502 We update `parm_birth_insn` to point to the start of this initialisation
4503 since that represents the end of the initialisation done by
4504 expand_function_{start,end} functions and we want to maintain that. */
4505 void
4507 {
4512 }
4514 /* Record a compile-time constant size stack variable that HWASAN will need to
4515 tag. This record of the range of a stack variable will be used by
4516 `hwasan_emit_prologue` to emit the RTL at the start of each frame which will
4517 set tags in the shadow memory according to the assigned tag for each object.
4519 The range that the object spans in stack space should be described by the
4520 bounds `untagged_base + nearest_offset` and
4521 `untagged_base + farthest_offset`.
4522 `tagged_base` is the base address which contains the "base frame tag" for
4523 this frame, and from which the value to address this object with will be
4524 calculated.
4526 We record the `untagged_base` since the functions in the hwasan library we
4527 use to tag memory take pointers without a tag. */
4528 void
4531 {
4532 hwasan_stack_var cur_var;
4540 }
4542 /* Return the RTX representing the farthest extent of the statically allocated
4543 stack objects for this frame. If hwasan_frame_base_ptr has not been
4544 initialized then we are not storing any static variables on the stack in
4545 this frame. In this case we return NULL_RTX to represent that.
4547 Otherwise simply return virtual_stack_vars_rtx + frame_offset. */
4548 rtx
4550 {
4554 }
4556 /* For stack tagging:
4558 Increment the frame tag offset modulo the size a tag can represent. */
4559 void
4561 {
4566 /* The "background tag" of the stack is zero by definition.
4567 This is the tag that objects like parameters passed on the stack and
4568 spilled registers are given. It is handy to avoid this tag for objects
4569 whose tags we decide ourselves, partly to ensure that buffer overruns
4570 can't affect these important variables (e.g. saved link register, saved
4571 stack pointer etc) and partly to make debugging easier (everything with a
4572 tag of zero is space allocated automatically by the compiler).
4574 This is not feasible when using random frame tags (the default
4575 configuration for hwasan) since the tag for the given frame is randomly
4576 chosen at runtime. In order to avoid any tags matching the stack
4577 background we would need to decide tag offsets at runtime instead of
4578 compile time (and pay the resulting performance cost).
4580 When not using random base tags for each frame (i.e. when compiled with
4581 `--param hwasan-random-frame-tag=0`) the base tag for each frame is zero.
4582 This means the tag that each object gets is equal to the
4583 hwasan_frame_tag_offset used in determining it.
4584 When this is the case we *can* ensure no object gets the tag of zero by
4585 simply ensuring no object has the hwasan_frame_tag_offset of zero.
4587 There is the extra complication that we only record the
4588 hwasan_frame_tag_offset here (which is the offset from the tag stored in
4589 the stack pointer). In the kernel, the tag in the stack pointer is 0xff
4590 rather than zero. This does not cause problems since tags of 0xff are
4591 never checked in the kernel. As mentioned at the beginning of this
4592 comment the background tag of the stack is zero by definition, which means
4593 that for the kernel we should skip offsets of both 0 and 1 from the stack
4594 pointer. Avoiding the offset of 0 ensures we use a tag which will be
4595 checked, avoiding the offset of 1 ensures we use a tag that is not the
4596 same as the background. */
4602 }
4604 /* Clear internal state for the next function.
4605 This function is called before variables on the stack get expanded, in
4606 `init_vars_expansion`. */
4607 void
4609 {
4613 /* If this isn't the case then some stack variable was recorded *before*
4614 hwasan_record_frame_init is called, yet *after* the hwasan prologue for
4615 the previous frame was emitted. Such stack variables would not have
4616 their shadow stack filled in. */
4621 /* When not using a random frame tag we can avoid the background stack
4622 color which gives the user a little better debug output upon a crash.
4623 Meanwhile, when using a random frame tag it will be nice to avoid adding
4624 tags for the first object since that is unnecessary extra work.
4625 Hence set the initial hwasan_frame_tag_offset to be 0 if using a random
4626 frame tag and 1 otherwise.
4628 As described in hwasan_increment_frame_tag, in the kernel the stack
4629 pointer has the tag 0xff. That means that to avoid 0xff and 0 (the tag
4630 which the kernel does not check and the background tag respectively) we
4631 start with a tag offset of 2. */
4632 hwasan_frame_tag_offset = param_hwasan_random_frame_tag
4635 }
4637 /* For stack tagging:
4638 (Emits HWASAN equivalent of what is emitted by
4639 `asan_emit_stack_protection`).
4641 Emits the extra prologue code to set the shadow stack as required for HWASAN
4642 stack instrumentation.
4644 Uses the vector of recorded stack variables hwasan_tagged_stack_vars. When
4645 this function has completed hwasan_tagged_stack_vars is empty and all
4646 objects it had pointed to are deallocated. */
4647 void
4649 {
4650 /* We need untagged base pointers since libhwasan only accepts untagged
4651 pointers in __hwasan_tag_memory. We need the tagged base pointer to obtain
4652 the base tag for an offset. */
4659 {
4664 {
4667 }
4668 else
4669 {
4670 /* Given how these values are calculated, one must be known greater
4671 than the other. */
4675 }
4678 /* Assert the edge of each variable is aligned to the HWASAN tag granule
4679 size. */
4692 bot));
4697 }
4698 /* Clear the stack vars, we've emitted the prologue for them all now. */
4700 }
4702 /* For stack tagging:
4704 Return RTL insns to clear the tags between DYNAMIC and VARS pointers
4705 into the stack. These instructions should be emitted at the end of
4706 every function.
4708 If `dynamic` is NULL_RTX then no insns are returned. */
4709 rtx_insn *
4711 {
4720 rtx top_rtx;
4721 rtx bot_rtx;
4723 {
4726 }
4727 else
4728 {
4731 }
4735 OPTAB_DIRECT);
4747 }
4749 /* Needs to be GTY(()), because cgraph_build_static_cdtor may
4750 invoke ggc_collect. */
4753 /* Insert module initialization into this TU. This initialization calls the
4754 initialization code for libhwasan. */
4755 void
4757 {
4758 /* Do not emit constructor initialization for the kernel.
4759 (the kernel has its own initialization already). */
4765 /* Avoid instrumenting code in the hwasan constructors/destructors. */
4772 }
4774 /* For stack tagging:
4776 Truncate `tag` to the number of bits that a tag uses (i.e. to
4777 HWASAN_TAG_SIZE). Store the result in `target` if it's convenient. */
4778 rtx
4780 {
4783 {
4786 QImode);
4790 }
4792 }
4794 /* Construct a function tree for __hwasan_{load,store}{1,2,4,8,16,_n}.
4795 IS_STORE is either 1 (for a store) or 0 (for a load). */
4796 static combined_fn
4799 {
4808 BUILT_IN_HWASAN_LOAD2_NOABORT,
4809 BUILT_IN_HWASAN_LOAD4_NOABORT,
4810 BUILT_IN_HWASAN_LOAD8_NOABORT,
4811 BUILT_IN_HWASAN_LOAD16_NOABORT,
4812 BUILT_IN_HWASAN_LOADN_NOABORT },
4814 BUILT_IN_HWASAN_STORE2_NOABORT,
4815 BUILT_IN_HWASAN_STORE4_NOABORT,
4816 BUILT_IN_HWASAN_STORE8_NOABORT,
4817 BUILT_IN_HWASAN_STORE16_NOABORT,
4818 BUILT_IN_HWASAN_STOREN_NOABORT } } };
4820 {
4823 }
4828 }
4830 /* Expand the HWASAN_{LOAD,STORE} builtins. */
4831 bool
4833 {
4839 else
4851 /* `align` is unused for HWASAN_CHECK, but we pass the argument anyway
4852 since that way the arguments match ASAN_CHECK. */
4853 /* HOST_WIDE_INT align = tree_to_shwi (gimple_call_arg (g, 3)); */
4855 unsigned HOST_WIDE_INT size_in_bytes
4861 {
4862 /* So, the length of the memory area to hwasan-protect is
4863 non-constant. Let's guard the generated instrumentation code
4864 like:
4866 if (len != 0)
4867 {
4868 // hwasan instrumentation code goes here.
4869 }
4870 // falltrough instructions, starting with *ITER. */
4873 len,
4882 /* Note that fallthrough_bb starts with the statement that was
4883 pointed to by ITER. */
4885 /* The 'then block' of the 'if (len != 0) condition is where
4886 we'll generate the hwasan instrumentation code now. */
4888 }
4895 combined_fn fn
4899 else
4900 {
4905 }
4911 }
4913 /* For stack tagging:
4915 Dummy: the HWASAN_MARK internal function should only ever be in the code
4916 after the sanopt pass. */
4917 bool
4919 {
4921 }
4923 bool
4925 {
4927 }