search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Recommit r373598 "[yaml2obj/obj2yaml] - Add support for SHT_LLVM_ADDRSIG sections."
[llvm-complete.git] / lib / Transforms / Instrumentation / SanitizerCoverage.cpp
blobf09081314eb155713e81f4e0e36677b388cdae3a
1 //===-- SanitizerCoverage.cpp - coverage instrumentation for sanitizers ---===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Coverage instrumentation done on LLVM IR level, works with Sanitizers.
10 //
11 //===----------------------------------------------------------------------===//
12
13 #include "llvm/Transforms/Instrumentation/SanitizerCoverage.h"
14 #include "llvm/ADT/ArrayRef.h"
15 #include "llvm/ADT/SmallVector.h"
16 #include "llvm/Analysis/EHPersonalities.h"
17 #include "llvm/Analysis/PostDominators.h"
18 #include "llvm/IR/CFG.h"
19 #include "llvm/IR/CallSite.h"
20 #include "llvm/IR/Constant.h"
21 #include "llvm/IR/DataLayout.h"
22 #include "llvm/IR/DebugInfo.h"
23 #include "llvm/IR/Dominators.h"
24 #include "llvm/IR/Function.h"
25 #include "llvm/IR/GlobalVariable.h"
26 #include "llvm/IR/IRBuilder.h"
27 #include "llvm/IR/InlineAsm.h"
28 #include "llvm/IR/IntrinsicInst.h"
29 #include "llvm/IR/Intrinsics.h"
30 #include "llvm/IR/LLVMContext.h"
31 #include "llvm/IR/MDBuilder.h"
32 #include "llvm/IR/Mangler.h"
33 #include "llvm/IR/Module.h"
34 #include "llvm/IR/Type.h"
35 #include "llvm/Support/CommandLine.h"
36 #include "llvm/Support/Debug.h"
37 #include "llvm/Support/raw_ostream.h"
38 #include "llvm/Transforms/Instrumentation.h"
39 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
40 #include "llvm/Transforms/Utils/ModuleUtils.h"
41
42 using namespace llvm;
43
44 #define DEBUG_TYPE "sancov"
45
46 static const char *const SanCovTracePCIndirName =
47 "__sanitizer_cov_trace_pc_indir";
48 static const char *const SanCovTracePCName = "__sanitizer_cov_trace_pc";
49 static const char *const SanCovTraceCmp1 = "__sanitizer_cov_trace_cmp1";
50 static const char *const SanCovTraceCmp2 = "__sanitizer_cov_trace_cmp2";
51 static const char *const SanCovTraceCmp4 = "__sanitizer_cov_trace_cmp4";
52 static const char *const SanCovTraceCmp8 = "__sanitizer_cov_trace_cmp8";
53 static const char *const SanCovTraceConstCmp1 =
54 "__sanitizer_cov_trace_const_cmp1";
55 static const char *const SanCovTraceConstCmp2 =
56 "__sanitizer_cov_trace_const_cmp2";
57 static const char *const SanCovTraceConstCmp4 =
58 "__sanitizer_cov_trace_const_cmp4";
59 static const char *const SanCovTraceConstCmp8 =
60 "__sanitizer_cov_trace_const_cmp8";
61 static const char *const SanCovTraceDiv4 = "__sanitizer_cov_trace_div4";
62 static const char *const SanCovTraceDiv8 = "__sanitizer_cov_trace_div8";
63 static const char *const SanCovTraceGep = "__sanitizer_cov_trace_gep";
64 static const char *const SanCovTraceSwitchName = "__sanitizer_cov_trace_switch";
65 static const char *const SanCovModuleCtorTracePcGuardName =
66 "sancov.module_ctor_trace_pc_guard";
67 static const char *const SanCovModuleCtor8bitCountersName =
68 "sancov.module_ctor_8bit_counters";
69 static const uint64_t SanCtorAndDtorPriority = 2;
70
71 static const char *const SanCovTracePCGuardName =
72 "__sanitizer_cov_trace_pc_guard";
73 static const char *const SanCovTracePCGuardInitName =
74 "__sanitizer_cov_trace_pc_guard_init";
75 static const char *const SanCov8bitCountersInitName =
76 "__sanitizer_cov_8bit_counters_init";
77 static const char *const SanCovPCsInitName = "__sanitizer_cov_pcs_init";
78
79 static const char *const SanCovGuardsSectionName = "sancov_guards";
80 static const char *const SanCovCountersSectionName = "sancov_cntrs";
81 static const char *const SanCovPCsSectionName = "sancov_pcs";
82
83 static const char *const SanCovLowestStackName = "__sancov_lowest_stack";
84
85 static cl::opt<int> ClCoverageLevel(
86 "sanitizer-coverage-level",
87 cl::desc("Sanitizer Coverage. 0: none, 1: entry block, 2: all blocks, "
88 "3: all blocks and critical edges"),
89 cl::Hidden, cl::init(0));
90
91 static cl::opt<bool> ClTracePC("sanitizer-coverage-trace-pc",
92 cl::desc("Experimental pc tracing"), cl::Hidden,
93 cl::init(false));
94
95 static cl::opt<bool> ClTracePCGuard("sanitizer-coverage-trace-pc-guard",
96 cl::desc("pc tracing with a guard"),
97 cl::Hidden, cl::init(false));
98
99 // If true, we create a global variable that contains PCs of all instrumented
100 // BBs, put this global into a named section, and pass this section's bounds
101 // to __sanitizer_cov_pcs_init.
102 // This way the coverage instrumentation does not need to acquire the PCs
103 // at run-time. Works with trace-pc-guard and inline-8bit-counters.
104 static cl::opt<bool> ClCreatePCTable("sanitizer-coverage-pc-table",
105 cl::desc("create a static PC table"),
106 cl::Hidden, cl::init(false));
107
108 static cl::opt<bool>
109 ClInline8bitCounters("sanitizer-coverage-inline-8bit-counters",
110 cl::desc("increments 8-bit counter for every edge"),
111 cl::Hidden, cl::init(false));
112
113 static cl::opt<bool>
114 ClCMPTracing("sanitizer-coverage-trace-compares",
115 cl::desc("Tracing of CMP and similar instructions"),
116 cl::Hidden, cl::init(false));
117
118 static cl::opt<bool> ClDIVTracing("sanitizer-coverage-trace-divs",
119 cl::desc("Tracing of DIV instructions"),
120 cl::Hidden, cl::init(false));
121
122 static cl::opt<bool> ClGEPTracing("sanitizer-coverage-trace-geps",
123 cl::desc("Tracing of GEP instructions"),
124 cl::Hidden, cl::init(false));
125
126 static cl::opt<bool>
127 ClPruneBlocks("sanitizer-coverage-prune-blocks",
128 cl::desc("Reduce the number of instrumented blocks"),
129 cl::Hidden, cl::init(true));
130
131 static cl::opt<bool> ClStackDepth("sanitizer-coverage-stack-depth",
132 cl::desc("max stack depth tracing"),
133 cl::Hidden, cl::init(false));
134
135 namespace {
136
137 SanitizerCoverageOptions getOptions(int LegacyCoverageLevel) {
138 SanitizerCoverageOptions Res;
139 switch (LegacyCoverageLevel) {
140 case 0:
141 Res.CoverageType = SanitizerCoverageOptions::SCK_None;
142 break;
143 case 1:
144 Res.CoverageType = SanitizerCoverageOptions::SCK_Function;
145 break;
146 case 2:
147 Res.CoverageType = SanitizerCoverageOptions::SCK_BB;
148 break;
149 case 3:
150 Res.CoverageType = SanitizerCoverageOptions::SCK_Edge;
151 break;
152 case 4:
153 Res.CoverageType = SanitizerCoverageOptions::SCK_Edge;
154 Res.IndirectCalls = true;
155 break;
156 }
157 return Res;
158 }
159
160 SanitizerCoverageOptions OverrideFromCL(SanitizerCoverageOptions Options) {
161 // Sets CoverageType and IndirectCalls.
162 SanitizerCoverageOptions CLOpts = getOptions(ClCoverageLevel);
163 Options.CoverageType = std::max(Options.CoverageType, CLOpts.CoverageType);
164 Options.IndirectCalls |= CLOpts.IndirectCalls;
165 Options.TraceCmp |= ClCMPTracing;
166 Options.TraceDiv |= ClDIVTracing;
167 Options.TraceGep |= ClGEPTracing;
168 Options.TracePC |= ClTracePC;
169 Options.TracePCGuard |= ClTracePCGuard;
170 Options.Inline8bitCounters |= ClInline8bitCounters;
171 Options.PCTable |= ClCreatePCTable;
172 Options.NoPrune |= !ClPruneBlocks;
173 Options.StackDepth |= ClStackDepth;
174 if (!Options.TracePCGuard && !Options.TracePC &&
175 !Options.Inline8bitCounters && !Options.StackDepth)
176 Options.TracePCGuard = true; // TracePCGuard is default.
177 return Options;
178 }
179
180 using DomTreeCallback = function_ref<const DominatorTree *(Function &F)>;
181 using PostDomTreeCallback =
182 function_ref<const PostDominatorTree *(Function &F)>;
183
184 class ModuleSanitizerCoverage {
185 public:
186 ModuleSanitizerCoverage(
187 const SanitizerCoverageOptions &Options = SanitizerCoverageOptions())
188 : Options(OverrideFromCL(Options)) {}
189 bool instrumentModule(Module &M, DomTreeCallback DTCallback,
190 PostDomTreeCallback PDTCallback);
191
192 private:
193 void instrumentFunction(Function &F, DomTreeCallback DTCallback,
194 PostDomTreeCallback PDTCallback);
195 void InjectCoverageForIndirectCalls(Function &F,
196 ArrayRef<Instruction *> IndirCalls);
197 void InjectTraceForCmp(Function &F, ArrayRef<Instruction *> CmpTraceTargets);
198 void InjectTraceForDiv(Function &F,
199 ArrayRef<BinaryOperator *> DivTraceTargets);
200 void InjectTraceForGep(Function &F,
201 ArrayRef<GetElementPtrInst *> GepTraceTargets);
202 void InjectTraceForSwitch(Function &F,
203 ArrayRef<Instruction *> SwitchTraceTargets);
204 bool InjectCoverage(Function &F, ArrayRef<BasicBlock *> AllBlocks,
205 bool IsLeafFunc = true);
206 GlobalVariable *CreateFunctionLocalArrayInSection(size_t NumElements,
207 Function &F, Type *Ty,
208 const char *Section);
209 GlobalVariable *CreatePCArray(Function &F, ArrayRef<BasicBlock *> AllBlocks);
210 void CreateFunctionLocalArrays(Function &F, ArrayRef<BasicBlock *> AllBlocks);
211 void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx,
212 bool IsLeafFunc = true);
213 Function *CreateInitCallsForSections(Module &M, const char *CtorName,
214 const char *InitFunctionName, Type *Ty,
215 const char *Section);
216 std::pair<Value *, Value *> CreateSecStartEnd(Module &M, const char *Section,
217 Type *Ty);
218
219 void SetNoSanitizeMetadata(Instruction *I) {
220 I->setMetadata(I->getModule()->getMDKindID("nosanitize"),
221 MDNode::get(*C, None));
222 }
223
224 std::string getSectionName(const std::string &Section) const;
225 std::string getSectionStart(const std::string &Section) const;
226 std::string getSectionEnd(const std::string &Section) const;
227 FunctionCallee SanCovTracePCIndir;
228 FunctionCallee SanCovTracePC, SanCovTracePCGuard;
229 FunctionCallee SanCovTraceCmpFunction[4];
230 FunctionCallee SanCovTraceConstCmpFunction[4];
231 FunctionCallee SanCovTraceDivFunction[2];
232 FunctionCallee SanCovTraceGepFunction;
233 FunctionCallee SanCovTraceSwitchFunction;
234 GlobalVariable *SanCovLowestStack;
235 InlineAsm *EmptyAsm;
236 Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy,
237 *Int16Ty, *Int8Ty, *Int8PtrTy;
238 Module *CurModule;
239 std::string CurModuleUniqueId;
240 Triple TargetTriple;
241 LLVMContext *C;
242 const DataLayout *DL;
243
244 GlobalVariable *FunctionGuardArray; // for trace-pc-guard.
245 GlobalVariable *Function8bitCounterArray; // for inline-8bit-counters.
246 GlobalVariable *FunctionPCsArray; // for pc-table.
247 SmallVector<GlobalValue *, 20> GlobalsToAppendToUsed;
248 SmallVector<GlobalValue *, 20> GlobalsToAppendToCompilerUsed;
249
250 SanitizerCoverageOptions Options;
251 };
252
253 class ModuleSanitizerCoverageLegacyPass : public ModulePass {
254 public:
255 ModuleSanitizerCoverageLegacyPass(
256 const SanitizerCoverageOptions &Options = SanitizerCoverageOptions())
257 : ModulePass(ID), Options(Options) {
258 initializeModuleSanitizerCoverageLegacyPassPass(
259 *PassRegistry::getPassRegistry());
260 }
261 bool runOnModule(Module &M) override {
262 ModuleSanitizerCoverage ModuleSancov(Options);
263 auto DTCallback = [this](Function &F) -> const DominatorTree * {
264 return &this->getAnalysis<DominatorTreeWrapperPass>(F).getDomTree();
265 };
266 auto PDTCallback = [this](Function &F) -> const PostDominatorTree * {
267 return &this->getAnalysis<PostDominatorTreeWrapperPass>(F)
268 .getPostDomTree();
269 };
270 return ModuleSancov.instrumentModule(M, DTCallback, PDTCallback);
271 }
272
273 static char ID; // Pass identification, replacement for typeid
274 StringRef getPassName() const override { return "ModuleSanitizerCoverage"; }
275
276 void getAnalysisUsage(AnalysisUsage &AU) const override {
277 AU.addRequired<DominatorTreeWrapperPass>();
278 AU.addRequired<PostDominatorTreeWrapperPass>();
279 }
280
281 private:
282 SanitizerCoverageOptions Options;
283 };
284
285 } // namespace
286
287 PreservedAnalyses ModuleSanitizerCoveragePass::run(Module &M,
288 ModuleAnalysisManager &MAM) {
289 ModuleSanitizerCoverage ModuleSancov(Options);
290 auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
291 auto DTCallback = [&FAM](Function &F) -> const DominatorTree * {
292 return &FAM.getResult<DominatorTreeAnalysis>(F);
293 };
294 auto PDTCallback = [&FAM](Function &F) -> const PostDominatorTree * {
295 return &FAM.getResult<PostDominatorTreeAnalysis>(F);
296 };
297 if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
298 return PreservedAnalyses::none();
299 return PreservedAnalyses::all();
300 }
301
302 std::pair<Value *, Value *>
303 ModuleSanitizerCoverage::CreateSecStartEnd(Module &M, const char *Section,
304 Type *Ty) {
305 GlobalVariable *SecStart =
306 new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage, nullptr,
307 getSectionStart(Section));
308 SecStart->setVisibility(GlobalValue::HiddenVisibility);
309 GlobalVariable *SecEnd =
310 new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage,
311 nullptr, getSectionEnd(Section));
312 SecEnd->setVisibility(GlobalValue::HiddenVisibility);
313 IRBuilder<> IRB(M.getContext());
314 Value *SecEndPtr = IRB.CreatePointerCast(SecEnd, Ty);
315 if (!TargetTriple.isOSBinFormatCOFF())
316 return std::make_pair(IRB.CreatePointerCast(SecStart, Ty), SecEndPtr);
317
318 // Account for the fact that on windows-msvc __start_* symbols actually
319 // point to a uint64_t before the start of the array.
320 auto SecStartI8Ptr = IRB.CreatePointerCast(SecStart, Int8PtrTy);
321 auto GEP = IRB.CreateGEP(Int8Ty, SecStartI8Ptr,
322 ConstantInt::get(IntptrTy, sizeof(uint64_t)));
323 return std::make_pair(IRB.CreatePointerCast(GEP, Ty), SecEndPtr);
324 }
325
326 Function *ModuleSanitizerCoverage::CreateInitCallsForSections(
327 Module &M, const char *CtorName, const char *InitFunctionName, Type *Ty,
328 const char *Section) {
329 auto SecStartEnd = CreateSecStartEnd(M, Section, Ty);
330 auto SecStart = SecStartEnd.first;
331 auto SecEnd = SecStartEnd.second;
332 Function *CtorFunc;
333 std::tie(CtorFunc, std::ignore) = createSanitizerCtorAndInitFunctions(
334 M, CtorName, InitFunctionName, {Ty, Ty}, {SecStart, SecEnd});
335 assert(CtorFunc->getName() == CtorName);
336
337 if (TargetTriple.supportsCOMDAT()) {
338 // Use comdat to dedup CtorFunc.
339 CtorFunc->setComdat(M.getOrInsertComdat(CtorName));
340 appendToGlobalCtors(M, CtorFunc, SanCtorAndDtorPriority, CtorFunc);
341 } else {
342 appendToGlobalCtors(M, CtorFunc, SanCtorAndDtorPriority);
343 }
344
345 if (TargetTriple.isOSBinFormatCOFF()) {
346 // In COFF files, if the contructors are set as COMDAT (they are because
347 // COFF supports COMDAT) and the linker flag /OPT:REF (strip unreferenced
348 // functions and data) is used, the constructors get stripped. To prevent
349 // this, give the constructors weak ODR linkage and ensure the linker knows
350 // to include the sancov constructor. This way the linker can deduplicate
351 // the constructors but always leave one copy.
352 CtorFunc->setLinkage(GlobalValue::WeakODRLinkage);
353 appendToUsed(M, CtorFunc);
354 }
355 return CtorFunc;
356 }
357
358 bool ModuleSanitizerCoverage::instrumentModule(
359 Module &M, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
360 if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
361 return false;
362 C = &(M.getContext());
363 DL = &M.getDataLayout();
364 CurModule = &M;
365 CurModuleUniqueId = getUniqueModuleId(CurModule);
366 TargetTriple = Triple(M.getTargetTriple());
367 FunctionGuardArray = nullptr;
368 Function8bitCounterArray = nullptr;
369 FunctionPCsArray = nullptr;
370 IntptrTy = Type::getIntNTy(*C, DL->getPointerSizeInBits());
371 IntptrPtrTy = PointerType::getUnqual(IntptrTy);
372 Type *VoidTy = Type::getVoidTy(*C);
373 IRBuilder<> IRB(*C);
374 Int64PtrTy = PointerType::getUnqual(IRB.getInt64Ty());
375 Int32PtrTy = PointerType::getUnqual(IRB.getInt32Ty());
376 Int8PtrTy = PointerType::getUnqual(IRB.getInt8Ty());
377 Int64Ty = IRB.getInt64Ty();
378 Int32Ty = IRB.getInt32Ty();
379 Int16Ty = IRB.getInt16Ty();
380 Int8Ty = IRB.getInt8Ty();
381
382 SanCovTracePCIndir =
383 M.getOrInsertFunction(SanCovTracePCIndirName, VoidTy, IntptrTy);
384 // Make sure smaller parameters are zero-extended to i64 as required by the
385 // x86_64 ABI.
386 AttributeList SanCovTraceCmpZeroExtAL;
387 if (TargetTriple.getArch() == Triple::x86_64) {
388 SanCovTraceCmpZeroExtAL =
389 SanCovTraceCmpZeroExtAL.addParamAttribute(*C, 0, Attribute::ZExt);
390 SanCovTraceCmpZeroExtAL =
391 SanCovTraceCmpZeroExtAL.addParamAttribute(*C, 1, Attribute::ZExt);
392 }
393
394 SanCovTraceCmpFunction[0] =
395 M.getOrInsertFunction(SanCovTraceCmp1, SanCovTraceCmpZeroExtAL, VoidTy,
396 IRB.getInt8Ty(), IRB.getInt8Ty());
397 SanCovTraceCmpFunction[1] =
398 M.getOrInsertFunction(SanCovTraceCmp2, SanCovTraceCmpZeroExtAL, VoidTy,
399 IRB.getInt16Ty(), IRB.getInt16Ty());
400 SanCovTraceCmpFunction[2] =
401 M.getOrInsertFunction(SanCovTraceCmp4, SanCovTraceCmpZeroExtAL, VoidTy,
402 IRB.getInt32Ty(), IRB.getInt32Ty());
403 SanCovTraceCmpFunction[3] =
404 M.getOrInsertFunction(SanCovTraceCmp8, VoidTy, Int64Ty, Int64Ty);
405
406 SanCovTraceConstCmpFunction[0] = M.getOrInsertFunction(
407 SanCovTraceConstCmp1, SanCovTraceCmpZeroExtAL, VoidTy, Int8Ty, Int8Ty);
408 SanCovTraceConstCmpFunction[1] = M.getOrInsertFunction(
409 SanCovTraceConstCmp2, SanCovTraceCmpZeroExtAL, VoidTy, Int16Ty, Int16Ty);
410 SanCovTraceConstCmpFunction[2] = M.getOrInsertFunction(
411 SanCovTraceConstCmp4, SanCovTraceCmpZeroExtAL, VoidTy, Int32Ty, Int32Ty);
412 SanCovTraceConstCmpFunction[3] =
413 M.getOrInsertFunction(SanCovTraceConstCmp8, VoidTy, Int64Ty, Int64Ty);
414
415 {
416 AttributeList AL;
417 if (TargetTriple.getArch() == Triple::x86_64)
418 AL = AL.addParamAttribute(*C, 0, Attribute::ZExt);
419 SanCovTraceDivFunction[0] =
420 M.getOrInsertFunction(SanCovTraceDiv4, AL, VoidTy, IRB.getInt32Ty());
421 }
422 SanCovTraceDivFunction[1] =
423 M.getOrInsertFunction(SanCovTraceDiv8, VoidTy, Int64Ty);
424 SanCovTraceGepFunction =
425 M.getOrInsertFunction(SanCovTraceGep, VoidTy, IntptrTy);
426 SanCovTraceSwitchFunction =
427 M.getOrInsertFunction(SanCovTraceSwitchName, VoidTy, Int64Ty, Int64PtrTy);
428
429 Constant *SanCovLowestStackConstant =
430 M.getOrInsertGlobal(SanCovLowestStackName, IntptrTy);
431 SanCovLowestStack = dyn_cast<GlobalVariable>(SanCovLowestStackConstant);
432 if (!SanCovLowestStack) {
433 C->emitError(StringRef("'") + SanCovLowestStackName +
434 "' should not be declared by the user");
435 return true;
436 }
437 SanCovLowestStack->setThreadLocalMode(
438 GlobalValue::ThreadLocalMode::InitialExecTLSModel);
439 if (Options.StackDepth && !SanCovLowestStack->isDeclaration())
440 SanCovLowestStack->setInitializer(Constant::getAllOnesValue(IntptrTy));
441
442 // We insert an empty inline asm after cov callbacks to avoid callback merge.
443 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
444 StringRef(""), StringRef(""),
445 /*hasSideEffects=*/true);
446
447 SanCovTracePC = M.getOrInsertFunction(SanCovTracePCName, VoidTy);
448 SanCovTracePCGuard =
449 M.getOrInsertFunction(SanCovTracePCGuardName, VoidTy, Int32PtrTy);
450
451 for (auto &F : M)
452 instrumentFunction(F, DTCallback, PDTCallback);
453
454 Function *Ctor = nullptr;
455
456 if (FunctionGuardArray)
457 Ctor = CreateInitCallsForSections(M, SanCovModuleCtorTracePcGuardName,
458 SanCovTracePCGuardInitName, Int32PtrTy,
459 SanCovGuardsSectionName);
460 if (Function8bitCounterArray)
461 Ctor = CreateInitCallsForSections(M, SanCovModuleCtor8bitCountersName,
462 SanCov8bitCountersInitName, Int8PtrTy,
463 SanCovCountersSectionName);
464 if (Ctor && Options.PCTable) {
465 auto SecStartEnd = CreateSecStartEnd(M, SanCovPCsSectionName, IntptrPtrTy);
466 FunctionCallee InitFunction = declareSanitizerInitFunction(
467 M, SanCovPCsInitName, {IntptrPtrTy, IntptrPtrTy});
468 IRBuilder<> IRBCtor(Ctor->getEntryBlock().getTerminator());
469 IRBCtor.CreateCall(InitFunction, {SecStartEnd.first, SecStartEnd.second});
470 }
471 // We don't reference these arrays directly in any of our runtime functions,
472 // so we need to prevent them from being dead stripped.
473 if (TargetTriple.isOSBinFormatMachO())
474 appendToUsed(M, GlobalsToAppendToUsed);
475 appendToCompilerUsed(M, GlobalsToAppendToCompilerUsed);
476 return true;
477 }
478
479 // True if block has successors and it dominates all of them.
480 static bool isFullDominator(const BasicBlock *BB, const DominatorTree *DT) {
481 if (succ_begin(BB) == succ_end(BB))
482 return false;
483
484 for (const BasicBlock *SUCC : make_range(succ_begin(BB), succ_end(BB))) {
485 if (!DT->dominates(BB, SUCC))
486 return false;
487 }
488
489 return true;
490 }
491
492 // True if block has predecessors and it postdominates all of them.
493 static bool isFullPostDominator(const BasicBlock *BB,
494 const PostDominatorTree *PDT) {
495 if (pred_begin(BB) == pred_end(BB))
496 return false;
497
498 for (const BasicBlock *PRED : make_range(pred_begin(BB), pred_end(BB))) {
499 if (!PDT->dominates(BB, PRED))
500 return false;
501 }
502
503 return true;
504 }
505
506 static bool shouldInstrumentBlock(const Function &F, const BasicBlock *BB,
507 const DominatorTree *DT,
508 const PostDominatorTree *PDT,
509 const SanitizerCoverageOptions &Options) {
510 // Don't insert coverage for blocks containing nothing but unreachable: we
511 // will never call __sanitizer_cov() for them, so counting them in
512 // NumberOfInstrumentedBlocks() might complicate calculation of code coverage
513 // percentage. Also, unreachable instructions frequently have no debug
514 // locations.
515 if (isa<UnreachableInst>(BB->getFirstNonPHIOrDbgOrLifetime()))
516 return false;
517
518 // Don't insert coverage into blocks without a valid insertion point
519 // (catchswitch blocks).
520 if (BB->getFirstInsertionPt() == BB->end())
521 return false;
522
523 if (Options.NoPrune || &F.getEntryBlock() == BB)
524 return true;
525
526 if (Options.CoverageType == SanitizerCoverageOptions::SCK_Function &&
527 &F.getEntryBlock() != BB)
528 return false;
529
530 // Do not instrument full dominators, or full post-dominators with multiple
531 // predecessors.
532 return !isFullDominator(BB, DT)
533 && !(isFullPostDominator(BB, PDT) && !BB->getSinglePredecessor());
534 }
535
536
537 // Returns true iff From->To is a backedge.
538 // A twist here is that we treat From->To as a backedge if
539 // * To dominates From or
540 // * To->UniqueSuccessor dominates From
541 static bool IsBackEdge(BasicBlock *From, BasicBlock *To,
542 const DominatorTree *DT) {
543 if (DT->dominates(To, From))
544 return true;
545 if (auto Next = To->getUniqueSuccessor())
546 if (DT->dominates(Next, From))
547 return true;
548 return false;
549 }
550
551 // Prunes uninteresting Cmp instrumentation:
552 // * CMP instructions that feed into loop backedge branch.
553 //
554 // Note that Cmp pruning is controlled by the same flag as the
555 // BB pruning.
556 static bool IsInterestingCmp(ICmpInst *CMP, const DominatorTree *DT,
557 const SanitizerCoverageOptions &Options) {
558 if (!Options.NoPrune)
559 if (CMP->hasOneUse())
560 if (auto BR = dyn_cast<BranchInst>(CMP->user_back()))
561 for (BasicBlock *B : BR->successors())
562 if (IsBackEdge(BR->getParent(), B, DT))
563 return false;
564 return true;
565 }
566
567 void ModuleSanitizerCoverage::instrumentFunction(
568 Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
569 if (F.empty())
570 return;
571 if (F.getName().find(".module_ctor") != std::string::npos)
572 return; // Should not instrument sanitizer init functions.
573 if (F.getName().startswith("__sanitizer_"))
574 return; // Don't instrument __sanitizer_* callbacks.
575 // Don't touch available_externally functions, their actual body is elewhere.
576 if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage)
577 return;
578 // Don't instrument MSVC CRT configuration helpers. They may run before normal
579 // initialization.
580 if (F.getName() == "__local_stdio_printf_options" ||
581 F.getName() == "__local_stdio_scanf_options")
582 return;
583 if (isa<UnreachableInst>(F.getEntryBlock().getTerminator()))
584 return;
585 // Don't instrument functions using SEH for now. Splitting basic blocks like
586 // we do for coverage breaks WinEHPrepare.
587 // FIXME: Remove this when SEH no longer uses landingpad pattern matching.
588 if (F.hasPersonalityFn() &&
589 isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn())))
590 return;
591 if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
592 SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
593 SmallVector<Instruction *, 8> IndirCalls;
594 SmallVector<BasicBlock *, 16> BlocksToInstrument;
595 SmallVector<Instruction *, 8> CmpTraceTargets;
596 SmallVector<Instruction *, 8> SwitchTraceTargets;
597 SmallVector<BinaryOperator *, 8> DivTraceTargets;
598 SmallVector<GetElementPtrInst *, 8> GepTraceTargets;
599
600 const DominatorTree *DT = DTCallback(F);
601 const PostDominatorTree *PDT = PDTCallback(F);
602 bool IsLeafFunc = true;
603
604 for (auto &BB : F) {
605 if (shouldInstrumentBlock(F, &BB, DT, PDT, Options))
606 BlocksToInstrument.push_back(&BB);
607 for (auto &Inst : BB) {
608 if (Options.IndirectCalls) {
609 CallSite CS(&Inst);
610 if (CS && !CS.getCalledFunction())
611 IndirCalls.push_back(&Inst);
612 }
613 if (Options.TraceCmp) {
614 if (ICmpInst *CMP = dyn_cast<ICmpInst>(&Inst))
615 if (IsInterestingCmp(CMP, DT, Options))
616 CmpTraceTargets.push_back(&Inst);
617 if (isa<SwitchInst>(&Inst))
618 SwitchTraceTargets.push_back(&Inst);
619 }
620 if (Options.TraceDiv)
621 if (BinaryOperator *BO = dyn_cast<BinaryOperator>(&Inst))
622 if (BO->getOpcode() == Instruction::SDiv ||
623 BO->getOpcode() == Instruction::UDiv)
624 DivTraceTargets.push_back(BO);
625 if (Options.TraceGep)
626 if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(&Inst))
627 GepTraceTargets.push_back(GEP);
628 if (Options.StackDepth)
629 if (isa<InvokeInst>(Inst) ||
630 (isa<CallInst>(Inst) && !isa<IntrinsicInst>(Inst)))
631 IsLeafFunc = false;
632 }
633 }
634
635 InjectCoverage(F, BlocksToInstrument, IsLeafFunc);
636 InjectCoverageForIndirectCalls(F, IndirCalls);
637 InjectTraceForCmp(F, CmpTraceTargets);
638 InjectTraceForSwitch(F, SwitchTraceTargets);
639 InjectTraceForDiv(F, DivTraceTargets);
640 InjectTraceForGep(F, GepTraceTargets);
641 }
642
643 GlobalVariable *ModuleSanitizerCoverage::CreateFunctionLocalArrayInSection(
644 size_t NumElements, Function &F, Type *Ty, const char *Section) {
645 ArrayType *ArrayTy = ArrayType::get(Ty, NumElements);
646 auto Array = new GlobalVariable(
647 *CurModule, ArrayTy, false, GlobalVariable::PrivateLinkage,
648 Constant::getNullValue(ArrayTy), "__sancov_gen_");
649
650 if (TargetTriple.supportsCOMDAT() && !F.isInterposable())
651 if (auto Comdat =
652 GetOrCreateFunctionComdat(F, TargetTriple, CurModuleUniqueId))
653 Array->setComdat(Comdat);
654 Array->setSection(getSectionName(Section));
655 Array->setAlignment(Ty->isPointerTy() ? DL->getPointerSize()
656 : Ty->getPrimitiveSizeInBits() / 8);
657 GlobalsToAppendToUsed.push_back(Array);
658 GlobalsToAppendToCompilerUsed.push_back(Array);
659 MDNode *MD = MDNode::get(F.getContext(), ValueAsMetadata::get(&F));
660 Array->addMetadata(LLVMContext::MD_associated, *MD);
661
662 return Array;
663 }
664
665 GlobalVariable *
666 ModuleSanitizerCoverage::CreatePCArray(Function &F,
667 ArrayRef<BasicBlock *> AllBlocks) {
668 size_t N = AllBlocks.size();
669 assert(N);
670 SmallVector<Constant *, 32> PCs;
671 IRBuilder<> IRB(&*F.getEntryBlock().getFirstInsertionPt());
672 for (size_t i = 0; i < N; i++) {
673 if (&F.getEntryBlock() == AllBlocks[i]) {
674 PCs.push_back((Constant *)IRB.CreatePointerCast(&F, IntptrPtrTy));
675 PCs.push_back((Constant *)IRB.CreateIntToPtr(
676 ConstantInt::get(IntptrTy, 1), IntptrPtrTy));
677 } else {
678 PCs.push_back((Constant *)IRB.CreatePointerCast(
679 BlockAddress::get(AllBlocks[i]), IntptrPtrTy));
680 PCs.push_back((Constant *)IRB.CreateIntToPtr(
681 ConstantInt::get(IntptrTy, 0), IntptrPtrTy));
682 }
683 }
684 auto *PCArray = CreateFunctionLocalArrayInSection(N * 2, F, IntptrPtrTy,
685 SanCovPCsSectionName);
686 PCArray->setInitializer(
687 ConstantArray::get(ArrayType::get(IntptrPtrTy, N * 2), PCs));
688 PCArray->setConstant(true);
689
690 return PCArray;
691 }
692
693 void ModuleSanitizerCoverage::CreateFunctionLocalArrays(
694 Function &F, ArrayRef<BasicBlock *> AllBlocks) {
695 if (Options.TracePCGuard)
696 FunctionGuardArray = CreateFunctionLocalArrayInSection(
697 AllBlocks.size(), F, Int32Ty, SanCovGuardsSectionName);
698
699 if (Options.Inline8bitCounters)
700 Function8bitCounterArray = CreateFunctionLocalArrayInSection(
701 AllBlocks.size(), F, Int8Ty, SanCovCountersSectionName);
702
703 if (Options.PCTable)
704 FunctionPCsArray = CreatePCArray(F, AllBlocks);
705 }
706
707 bool ModuleSanitizerCoverage::InjectCoverage(Function &F,
708 ArrayRef<BasicBlock *> AllBlocks,
709 bool IsLeafFunc) {
710 if (AllBlocks.empty()) return false;
711 CreateFunctionLocalArrays(F, AllBlocks);
712 for (size_t i = 0, N = AllBlocks.size(); i < N; i++)
713 InjectCoverageAtBlock(F, *AllBlocks[i], i, IsLeafFunc);
714 return true;
715 }
716
717 // On every indirect call we call a run-time function
718 // __sanitizer_cov_indir_call* with two parameters:
719 // - callee address,
720 // - global cache array that contains CacheSize pointers (zero-initialized).
721 // The cache is used to speed up recording the caller-callee pairs.
722 // The address of the caller is passed implicitly via caller PC.
723 // CacheSize is encoded in the name of the run-time function.
724 void ModuleSanitizerCoverage::InjectCoverageForIndirectCalls(
725 Function &F, ArrayRef<Instruction *> IndirCalls) {
726 if (IndirCalls.empty())
727 return;
728 assert(Options.TracePC || Options.TracePCGuard || Options.Inline8bitCounters);
729 for (auto I : IndirCalls) {
730 IRBuilder<> IRB(I);
731 CallSite CS(I);
732 Value *Callee = CS.getCalledValue();
733 if (isa<InlineAsm>(Callee))
734 continue;
735 IRB.CreateCall(SanCovTracePCIndir, IRB.CreatePointerCast(Callee, IntptrTy));
736 }
737 }
738
739 // For every switch statement we insert a call:
740 // __sanitizer_cov_trace_switch(CondValue,
741 // {NumCases, ValueSizeInBits, Case0Value, Case1Value, Case2Value, ... })
742
743 void ModuleSanitizerCoverage::InjectTraceForSwitch(
744 Function &, ArrayRef<Instruction *> SwitchTraceTargets) {
745 for (auto I : SwitchTraceTargets) {
746 if (SwitchInst *SI = dyn_cast<SwitchInst>(I)) {
747 IRBuilder<> IRB(I);
748 SmallVector<Constant *, 16> Initializers;
749 Value *Cond = SI->getCondition();
750 if (Cond->getType()->getScalarSizeInBits() >
751 Int64Ty->getScalarSizeInBits())
752 continue;
753 Initializers.push_back(ConstantInt::get(Int64Ty, SI->getNumCases()));
754 Initializers.push_back(
755 ConstantInt::get(Int64Ty, Cond->getType()->getScalarSizeInBits()));
756 if (Cond->getType()->getScalarSizeInBits() <
757 Int64Ty->getScalarSizeInBits())
758 Cond = IRB.CreateIntCast(Cond, Int64Ty, false);
759 for (auto It : SI->cases()) {
760 Constant *C = It.getCaseValue();
761 if (C->getType()->getScalarSizeInBits() <
762 Int64Ty->getScalarSizeInBits())
763 C = ConstantExpr::getCast(CastInst::ZExt, It.getCaseValue(), Int64Ty);
764 Initializers.push_back(C);
765 }
766 llvm::sort(Initializers.begin() + 2, Initializers.end(),
767 [](const Constant *A, const Constant *B) {
768 return cast<ConstantInt>(A)->getLimitedValue() <
769 cast<ConstantInt>(B)->getLimitedValue();
770 });
771 ArrayType *ArrayOfInt64Ty = ArrayType::get(Int64Ty, Initializers.size());
772 GlobalVariable *GV = new GlobalVariable(
773 *CurModule, ArrayOfInt64Ty, false, GlobalVariable::InternalLinkage,
774 ConstantArray::get(ArrayOfInt64Ty, Initializers),
775 "__sancov_gen_cov_switch_values");
776 IRB.CreateCall(SanCovTraceSwitchFunction,
777 {Cond, IRB.CreatePointerCast(GV, Int64PtrTy)});
778 }
779 }
780 }
781
782 void ModuleSanitizerCoverage::InjectTraceForDiv(
783 Function &, ArrayRef<BinaryOperator *> DivTraceTargets) {
784 for (auto BO : DivTraceTargets) {
785 IRBuilder<> IRB(BO);
786 Value *A1 = BO->getOperand(1);
787 if (isa<ConstantInt>(A1)) continue;
788 if (!A1->getType()->isIntegerTy())
789 continue;
790 uint64_t TypeSize = DL->getTypeStoreSizeInBits(A1->getType());
791 int CallbackIdx = TypeSize == 32 ? 0 :
792 TypeSize == 64 ? 1 : -1;
793 if (CallbackIdx < 0) continue;
794 auto Ty = Type::getIntNTy(*C, TypeSize);
795 IRB.CreateCall(SanCovTraceDivFunction[CallbackIdx],
796 {IRB.CreateIntCast(A1, Ty, true)});
797 }
798 }
799
800 void ModuleSanitizerCoverage::InjectTraceForGep(
801 Function &, ArrayRef<GetElementPtrInst *> GepTraceTargets) {
802 for (auto GEP : GepTraceTargets) {
803 IRBuilder<> IRB(GEP);
804 for (auto I = GEP->idx_begin(); I != GEP->idx_end(); ++I)
805 if (!isa<ConstantInt>(*I) && (*I)->getType()->isIntegerTy())
806 IRB.CreateCall(SanCovTraceGepFunction,
807 {IRB.CreateIntCast(*I, IntptrTy, true)});
808 }
809 }
810
811 void ModuleSanitizerCoverage::InjectTraceForCmp(
812 Function &, ArrayRef<Instruction *> CmpTraceTargets) {
813 for (auto I : CmpTraceTargets) {
814 if (ICmpInst *ICMP = dyn_cast<ICmpInst>(I)) {
815 IRBuilder<> IRB(ICMP);
816 Value *A0 = ICMP->getOperand(0);
817 Value *A1 = ICMP->getOperand(1);
818 if (!A0->getType()->isIntegerTy())
819 continue;
820 uint64_t TypeSize = DL->getTypeStoreSizeInBits(A0->getType());
821 int CallbackIdx = TypeSize == 8 ? 0 :
822 TypeSize == 16 ? 1 :
823 TypeSize == 32 ? 2 :
824 TypeSize == 64 ? 3 : -1;
825 if (CallbackIdx < 0) continue;
826 // __sanitizer_cov_trace_cmp((type_size << 32) | predicate, A0, A1);
827 auto CallbackFunc = SanCovTraceCmpFunction[CallbackIdx];
828 bool FirstIsConst = isa<ConstantInt>(A0);
829 bool SecondIsConst = isa<ConstantInt>(A1);
830 // If both are const, then we don't need such a comparison.
831 if (FirstIsConst && SecondIsConst) continue;
832 // If only one is const, then make it the first callback argument.
833 if (FirstIsConst || SecondIsConst) {
834 CallbackFunc = SanCovTraceConstCmpFunction[CallbackIdx];
835 if (SecondIsConst)
836 std::swap(A0, A1);
837 }
838
839 auto Ty = Type::getIntNTy(*C, TypeSize);
840 IRB.CreateCall(CallbackFunc, {IRB.CreateIntCast(A0, Ty, true),
841 IRB.CreateIntCast(A1, Ty, true)});
842 }
843 }
844 }
845
846 void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
847 size_t Idx,
848 bool IsLeafFunc) {
849 BasicBlock::iterator IP = BB.getFirstInsertionPt();
850 bool IsEntryBB = &BB == &F.getEntryBlock();
851 DebugLoc EntryLoc;
852 if (IsEntryBB) {
853 if (auto SP = F.getSubprogram())
854 EntryLoc = DebugLoc::get(SP->getScopeLine(), 0, SP);
855 // Keep static allocas and llvm.localescape calls in the entry block. Even
856 // if we aren't splitting the block, it's nice for allocas to be before
857 // calls.
858 IP = PrepareToSplitEntryBlock(BB, IP);
859 } else {
860 EntryLoc = IP->getDebugLoc();
861 }
862
863 IRBuilder<> IRB(&*IP);
864 IRB.SetCurrentDebugLocation(EntryLoc);
865 if (Options.TracePC) {
866 IRB.CreateCall(SanCovTracePC); // gets the PC using GET_CALLER_PC.
867 IRB.CreateCall(EmptyAsm, {}); // Avoids callback merge.
868 }
869 if (Options.TracePCGuard) {
870 auto GuardPtr = IRB.CreateIntToPtr(
871 IRB.CreateAdd(IRB.CreatePointerCast(FunctionGuardArray, IntptrTy),
872 ConstantInt::get(IntptrTy, Idx * 4)),
873 Int32PtrTy);
874 IRB.CreateCall(SanCovTracePCGuard, GuardPtr);
875 IRB.CreateCall(EmptyAsm, {}); // Avoids callback merge.
876 }
877 if (Options.Inline8bitCounters) {
878 auto CounterPtr = IRB.CreateGEP(
879 Function8bitCounterArray->getValueType(), Function8bitCounterArray,
880 {ConstantInt::get(IntptrTy, 0), ConstantInt::get(IntptrTy, Idx)});
881 auto Load = IRB.CreateLoad(Int8Ty, CounterPtr);
882 auto Inc = IRB.CreateAdd(Load, ConstantInt::get(Int8Ty, 1));
883 auto Store = IRB.CreateStore(Inc, CounterPtr);
884 SetNoSanitizeMetadata(Load);
885 SetNoSanitizeMetadata(Store);
886 }
887 if (Options.StackDepth && IsEntryBB && !IsLeafFunc) {
888 // Check stack depth. If it's the deepest so far, record it.
889 Module *M = F.getParent();
890 Function *GetFrameAddr = Intrinsic::getDeclaration(
891 M, Intrinsic::frameaddress,
892 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace()));
893 auto FrameAddrPtr =
894 IRB.CreateCall(GetFrameAddr, {Constant::getNullValue(Int32Ty)});
895 auto FrameAddrInt = IRB.CreatePtrToInt(FrameAddrPtr, IntptrTy);
896 auto LowestStack = IRB.CreateLoad(IntptrTy, SanCovLowestStack);
897 auto IsStackLower = IRB.CreateICmpULT(FrameAddrInt, LowestStack);
898 auto ThenTerm = SplitBlockAndInsertIfThen(IsStackLower, &*IP, false);
899 IRBuilder<> ThenIRB(ThenTerm);
900 auto Store = ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack);
901 SetNoSanitizeMetadata(LowestStack);
902 SetNoSanitizeMetadata(Store);
903 }
904 }
905
906 std::string
907 ModuleSanitizerCoverage::getSectionName(const std::string &Section) const {
908 if (TargetTriple.isOSBinFormatCOFF()) {
909 if (Section == SanCovCountersSectionName)
910 return ".SCOV$CM";
911 if (Section == SanCovPCsSectionName)
912 return ".SCOVP$M";
913 return ".SCOV$GM"; // For SanCovGuardsSectionName.
914 }
915 if (TargetTriple.isOSBinFormatMachO())
916 return "__DATA,__" + Section;
917 return "__" + Section;
918 }
919
920 std::string
921 ModuleSanitizerCoverage::getSectionStart(const std::string &Section) const {
922 if (TargetTriple.isOSBinFormatMachO())
923 return "\1section$start$__DATA$__" + Section;
924 return "__start___" + Section;
925 }
926
927 std::string
928 ModuleSanitizerCoverage::getSectionEnd(const std::string &Section) const {
929 if (TargetTriple.isOSBinFormatMachO())
930 return "\1section$end$__DATA$__" + Section;
931 return "__stop___" + Section;
932 }
933
934 char ModuleSanitizerCoverageLegacyPass::ID = 0;
935 INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov",
936 "Pass for instrumenting coverage on functions", false,
937 false)
938 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
939 INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass)
940 INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov",
941 "Pass for instrumenting coverage on functions", false,
942 false)
943 ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
944 const SanitizerCoverageOptions &Options) {
945 return new ModuleSanitizerCoverageLegacyPass(Options);
946 }
The low level virtual machine