search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[ORC] Add std::tuple support to SimplePackedSerialization.
[llvm-project.git] / llvm / lib / Transforms / Instrumentation / HWAddressSanitizer.cpp
blobaa791eb286c8a8d7e99a349d1f0fdeff29639092
1 //===- HWAddressSanitizer.cpp - detector of uninitialized reads -------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 /// \file
10 /// This file is a part of HWAddressSanitizer, an address sanity checker
11 /// based on tagged addressing.
12 //===----------------------------------------------------------------------===//
13
14 #include "llvm/Transforms/Instrumentation/HWAddressSanitizer.h"
15 #include "llvm/ADT/MapVector.h"
16 #include "llvm/ADT/SmallVector.h"
17 #include "llvm/ADT/StringExtras.h"
18 #include "llvm/ADT/StringRef.h"
19 #include "llvm/ADT/Triple.h"
20 #include "llvm/Analysis/PostDominators.h"
21 #include "llvm/Analysis/StackSafetyAnalysis.h"
22 #include "llvm/Analysis/ValueTracking.h"
23 #include "llvm/BinaryFormat/ELF.h"
24 #include "llvm/IR/Attributes.h"
25 #include "llvm/IR/BasicBlock.h"
26 #include "llvm/IR/Constant.h"
27 #include "llvm/IR/Constants.h"
28 #include "llvm/IR/DataLayout.h"
29 #include "llvm/IR/DebugInfoMetadata.h"
30 #include "llvm/IR/DerivedTypes.h"
31 #include "llvm/IR/Dominators.h"
32 #include "llvm/IR/Function.h"
33 #include "llvm/IR/IRBuilder.h"
34 #include "llvm/IR/InlineAsm.h"
35 #include "llvm/IR/InstVisitor.h"
36 #include "llvm/IR/Instruction.h"
37 #include "llvm/IR/Instructions.h"
38 #include "llvm/IR/IntrinsicInst.h"
39 #include "llvm/IR/Intrinsics.h"
40 #include "llvm/IR/LLVMContext.h"
41 #include "llvm/IR/MDBuilder.h"
42 #include "llvm/IR/Module.h"
43 #include "llvm/IR/Type.h"
44 #include "llvm/IR/Value.h"
45 #include "llvm/InitializePasses.h"
46 #include "llvm/Pass.h"
47 #include "llvm/PassRegistry.h"
48 #include "llvm/Support/Casting.h"
49 #include "llvm/Support/CommandLine.h"
50 #include "llvm/Support/Debug.h"
51 #include "llvm/Support/raw_ostream.h"
52 #include "llvm/Transforms/Instrumentation.h"
53 #include "llvm/Transforms/Instrumentation/AddressSanitizerCommon.h"
54 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
55 #include "llvm/Transforms/Utils/ModuleUtils.h"
56 #include "llvm/Transforms/Utils/PromoteMemToReg.h"
57 #include <sstream>
58
59 using namespace llvm;
60
61 #define DEBUG_TYPE "hwasan"
62
63 const char kHwasanModuleCtorName[] = "hwasan.module_ctor";
64 const char kHwasanNoteName[] = "hwasan.note";
65 const char kHwasanInitName[] = "__hwasan_init";
66 const char kHwasanPersonalityThunkName[] = "__hwasan_personality_thunk";
67
68 const char kHwasanShadowMemoryDynamicAddress[] =
69 "__hwasan_shadow_memory_dynamic_address";
70
71 // Accesses sizes are powers of two: 1, 2, 4, 8, 16.
72 static const size_t kNumberOfAccessSizes = 5;
73
74 static const size_t kDefaultShadowScale = 4;
75 static const uint64_t kDynamicShadowSentinel =
76 std::numeric_limits<uint64_t>::max();
77
78 static const unsigned kShadowBaseAlignment = 32;
79
80 static cl::opt<std::string>
81 ClMemoryAccessCallbackPrefix("hwasan-memory-access-callback-prefix",
82 cl::desc("Prefix for memory access callbacks"),
83 cl::Hidden, cl::init("__hwasan_"));
84
85 static cl::opt<bool> ClInstrumentWithCalls(
86 "hwasan-instrument-with-calls",
87 cl::desc("instrument reads and writes with callbacks"), cl::Hidden,
88 cl::init(false));
89
90 static cl::opt<bool> ClInstrumentReads("hwasan-instrument-reads",
91 cl::desc("instrument read instructions"),
92 cl::Hidden, cl::init(true));
93
94 static cl::opt<bool>
95 ClInstrumentWrites("hwasan-instrument-writes",
96 cl::desc("instrument write instructions"), cl::Hidden,
97 cl::init(true));
98
99 static cl::opt<bool> ClInstrumentAtomics(
100 "hwasan-instrument-atomics",
101 cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
102 cl::init(true));
103
104 static cl::opt<bool> ClInstrumentByval("hwasan-instrument-byval",
105 cl::desc("instrument byval arguments"),
106 cl::Hidden, cl::init(true));
107
108 static cl::opt<bool>
109 ClRecover("hwasan-recover",
110 cl::desc("Enable recovery mode (continue-after-error)."),
111 cl::Hidden, cl::init(false));
112
113 static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack",
114 cl::desc("instrument stack (allocas)"),
115 cl::Hidden, cl::init(true));
116
117 static cl::opt<bool>
118 ClUseStackSafety("hwasan-use-stack-safety", cl::Hidden, cl::init(true),
119 cl::Hidden, cl::desc("Use Stack Safety analysis results"),
120 cl::Optional);
121
122 static cl::opt<bool>
123 ClUseAfterScope("hwasan-use-after-scope",
124 cl::desc("detect use after scope within function"),
125 cl::Hidden, cl::init(false));
126
127 static cl::opt<bool> ClUARRetagToZero(
128 "hwasan-uar-retag-to-zero",
129 cl::desc("Clear alloca tags before returning from the function to allow "
130 "non-instrumented and instrumented function calls mix. When set "
131 "to false, allocas are retagged before returning from the "
132 "function to detect use after return."),
133 cl::Hidden, cl::init(true));
134
135 static cl::opt<bool> ClGenerateTagsWithCalls(
136 "hwasan-generate-tags-with-calls",
137 cl::desc("generate new tags with runtime library calls"), cl::Hidden,
138 cl::init(false));
139
140 static cl::opt<bool> ClGlobals("hwasan-globals", cl::desc("Instrument globals"),
141 cl::Hidden, cl::init(false), cl::ZeroOrMore);
142
143 static cl::opt<int> ClMatchAllTag(
144 "hwasan-match-all-tag",
145 cl::desc("don't report bad accesses via pointers with this tag"),
146 cl::Hidden, cl::init(-1));
147
148 static cl::opt<bool>
149 ClEnableKhwasan("hwasan-kernel",
150 cl::desc("Enable KernelHWAddressSanitizer instrumentation"),
151 cl::Hidden, cl::init(false));
152
153 // These flags allow to change the shadow mapping and control how shadow memory
154 // is accessed. The shadow mapping looks like:
155 // Shadow = (Mem >> scale) + offset
156
157 static cl::opt<uint64_t>
158 ClMappingOffset("hwasan-mapping-offset",
159 cl::desc("HWASan shadow mapping offset [EXPERIMENTAL]"),
160 cl::Hidden, cl::init(0));
161
162 static cl::opt<bool>
163 ClWithIfunc("hwasan-with-ifunc",
164 cl::desc("Access dynamic shadow through an ifunc global on "
165 "platforms that support this"),
166 cl::Hidden, cl::init(false));
167
168 static cl::opt<bool> ClWithTls(
169 "hwasan-with-tls",
170 cl::desc("Access dynamic shadow through an thread-local pointer on "
171 "platforms that support this"),
172 cl::Hidden, cl::init(true));
173
174 static cl::opt<bool>
175 ClRecordStackHistory("hwasan-record-stack-history",
176 cl::desc("Record stack frames with tagged allocations "
177 "in a thread-local ring buffer"),
178 cl::Hidden, cl::init(true));
179 static cl::opt<bool>
180 ClInstrumentMemIntrinsics("hwasan-instrument-mem-intrinsics",
181 cl::desc("instrument memory intrinsics"),
182 cl::Hidden, cl::init(true));
183
184 static cl::opt<bool>
185 ClInstrumentLandingPads("hwasan-instrument-landing-pads",
186 cl::desc("instrument landing pads"), cl::Hidden,
187 cl::init(false), cl::ZeroOrMore);
188
189 static cl::opt<bool> ClUseShortGranules(
190 "hwasan-use-short-granules",
191 cl::desc("use short granules in allocas and outlined checks"), cl::Hidden,
192 cl::init(false), cl::ZeroOrMore);
193
194 static cl::opt<bool> ClInstrumentPersonalityFunctions(
195 "hwasan-instrument-personality-functions",
196 cl::desc("instrument personality functions"), cl::Hidden, cl::init(false),
197 cl::ZeroOrMore);
198
199 static cl::opt<bool> ClInlineAllChecks("hwasan-inline-all-checks",
200 cl::desc("inline all checks"),
201 cl::Hidden, cl::init(false));
202
203 // Enabled from clang by "-fsanitize-hwaddress-experimental-aliasing".
204 static cl::opt<bool> ClUsePageAliases("hwasan-experimental-use-page-aliases",
205 cl::desc("Use page aliasing in HWASan"),
206 cl::Hidden, cl::init(false));
207
208 namespace {
209
210 bool shouldUsePageAliases(const Triple &TargetTriple) {
211 return ClUsePageAliases && TargetTriple.getArch() == Triple::x86_64;
212 }
213
214 bool shouldInstrumentStack(const Triple &TargetTriple) {
215 return !shouldUsePageAliases(TargetTriple) && ClInstrumentStack;
216 }
217
218 bool shouldInstrumentWithCalls(const Triple &TargetTriple) {
219 return ClInstrumentWithCalls || TargetTriple.getArch() == Triple::x86_64;
220 }
221
222 bool mightUseStackSafetyAnalysis(bool DisableOptimization) {
223 return ClUseStackSafety.getNumOccurrences() ? ClUseStackSafety
224 : !DisableOptimization;
225 }
226
227 bool shouldUseStackSafetyAnalysis(const Triple &TargetTriple,
228 bool DisableOptimization) {
229 return shouldInstrumentStack(TargetTriple) &&
230 mightUseStackSafetyAnalysis(DisableOptimization);
231 }
232
233 bool shouldDetectUseAfterScope(const Triple &TargetTriple) {
234 return ClUseAfterScope && shouldInstrumentStack(TargetTriple);
235 }
236
237 /// An instrumentation pass implementing detection of addressability bugs
238 /// using tagged pointers.
239 class HWAddressSanitizer {
240 private:
241 struct AllocaInfo {
242 AllocaInst *AI;
243 SmallVector<IntrinsicInst *, 2> LifetimeStart;
244 SmallVector<IntrinsicInst *, 2> LifetimeEnd;
245 };
246
247 public:
248 HWAddressSanitizer(Module &M, bool CompileKernel, bool Recover,
249 const StackSafetyGlobalInfo *SSI)
250 : M(M), SSI(SSI) {
251 this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover;
252 this->CompileKernel = ClEnableKhwasan.getNumOccurrences() > 0
253 ? ClEnableKhwasan
254 : CompileKernel;
255
256 initializeModule();
257 }
258
259 void setSSI(const StackSafetyGlobalInfo *S) { SSI = S; }
260
261 DenseMap<AllocaInst *, AllocaInst *> padInterestingAllocas(
262 const MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument);
263 bool sanitizeFunction(Function &F,
264 llvm::function_ref<const DominatorTree &()> GetDT,
265 llvm::function_ref<const PostDominatorTree &()> GetPDT);
266 void initializeModule();
267 void createHwasanCtorComdat();
268
269 void initializeCallbacks(Module &M);
270
271 Value *getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val);
272
273 Value *getDynamicShadowIfunc(IRBuilder<> &IRB);
274 Value *getShadowNonTls(IRBuilder<> &IRB);
275
276 void untagPointerOperand(Instruction *I, Value *Addr);
277 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
278 void instrumentMemAccessInline(Value *Ptr, bool IsWrite,
279 unsigned AccessSizeIndex,
280 Instruction *InsertBefore);
281 void instrumentMemIntrinsic(MemIntrinsic *MI);
282 bool instrumentMemAccess(InterestingMemoryOperand &O);
283 bool ignoreAccess(Value *Ptr);
284 void getInterestingMemoryOperands(
285 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting);
286
287 bool isInterestingAlloca(const AllocaInst &AI);
288 void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size);
289 Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag);
290 Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong);
291 bool instrumentStack(
292 MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument,
293 SmallVector<Instruction *, 4> &UnrecognizedLifetimes,
294 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap,
295 SmallVectorImpl<Instruction *> &RetVec, Value *StackTag,
296 llvm::function_ref<const DominatorTree &()> GetDT,
297 llvm::function_ref<const PostDominatorTree &()> GetPDT);
298 Value *readRegister(IRBuilder<> &IRB, StringRef Name);
299 bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec);
300 Value *getNextTagWithCall(IRBuilder<> &IRB);
301 Value *getStackBaseTag(IRBuilder<> &IRB);
302 Value *getAllocaTag(IRBuilder<> &IRB, Value *StackTag, AllocaInst *AI,
303 unsigned AllocaNo);
304 Value *getUARTag(IRBuilder<> &IRB, Value *StackTag);
305
306 Value *getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty);
307 Value *applyTagMask(IRBuilder<> &IRB, Value *OldTag);
308 unsigned retagMask(unsigned AllocaNo);
309
310 void emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord);
311
312 void instrumentGlobal(GlobalVariable *GV, uint8_t Tag);
313 void instrumentGlobals();
314
315 void instrumentPersonalityFunctions();
316
317 private:
318 LLVMContext *C;
319 Module &M;
320 const StackSafetyGlobalInfo *SSI;
321 Triple TargetTriple;
322 FunctionCallee HWAsanMemmove, HWAsanMemcpy, HWAsanMemset;
323 FunctionCallee HWAsanHandleVfork;
324
325 /// This struct defines the shadow mapping using the rule:
326 /// shadow = (mem >> Scale) + Offset.
327 /// If InGlobal is true, then
328 /// extern char __hwasan_shadow[];
329 /// shadow = (mem >> Scale) + &__hwasan_shadow
330 /// If InTls is true, then
331 /// extern char *__hwasan_tls;
332 /// shadow = (mem>>Scale) + align_up(__hwasan_shadow, kShadowBaseAlignment)
333 ///
334 /// If WithFrameRecord is true, then __hwasan_tls will be used to access the
335 /// ring buffer for storing stack allocations on targets that support it.
336 struct ShadowMapping {
337 int Scale;
338 uint64_t Offset;
339 bool InGlobal;
340 bool InTls;
341 bool WithFrameRecord;
342
343 void init(Triple &TargetTriple, bool InstrumentWithCalls);
344 unsigned getObjectAlignment() const { return 1U << Scale; }
345 };
346
347 ShadowMapping Mapping;
348
349 Type *VoidTy = Type::getVoidTy(M.getContext());
350 Type *IntptrTy;
351 Type *Int8PtrTy;
352 Type *Int8Ty;
353 Type *Int32Ty;
354 Type *Int64Ty = Type::getInt64Ty(M.getContext());
355
356 bool CompileKernel;
357 bool Recover;
358 bool OutlinedChecks;
359 bool UseShortGranules;
360 bool InstrumentLandingPads;
361 bool InstrumentWithCalls;
362 bool InstrumentStack;
363 bool DetectUseAfterScope;
364 bool UsePageAliases;
365
366 bool HasMatchAllTag = false;
367 uint8_t MatchAllTag = 0;
368
369 unsigned PointerTagShift;
370 uint64_t TagMaskByte;
371
372 Function *HwasanCtorFunction;
373
374 FunctionCallee HwasanMemoryAccessCallback[2][kNumberOfAccessSizes];
375 FunctionCallee HwasanMemoryAccessCallbackSized[2];
376
377 FunctionCallee HwasanTagMemoryFunc;
378 FunctionCallee HwasanGenerateTagFunc;
379
380 Constant *ShadowGlobal;
381
382 Value *ShadowBase = nullptr;
383 Value *StackBaseTag = nullptr;
384 GlobalValue *ThreadPtrGlobal = nullptr;
385 };
386
387 class HWAddressSanitizerLegacyPass : public FunctionPass {
388 public:
389 // Pass identification, replacement for typeid.
390 static char ID;
391
392 explicit HWAddressSanitizerLegacyPass(bool CompileKernel = false,
393 bool Recover = false,
394 bool DisableOptimization = false)
395 : FunctionPass(ID), CompileKernel(CompileKernel), Recover(Recover),
396 DisableOptimization(DisableOptimization) {
397 initializeHWAddressSanitizerLegacyPassPass(
398 *PassRegistry::getPassRegistry());
399 }
400
401 StringRef getPassName() const override { return "HWAddressSanitizer"; }
402
403 bool doInitialization(Module &M) override {
404 HWASan = std::make_unique<HWAddressSanitizer>(M, CompileKernel, Recover,
405 /*SSI=*/nullptr);
406 return true;
407 }
408
409 bool runOnFunction(Function &F) override {
410 auto TargetTriple = Triple(F.getParent()->getTargetTriple());
411 if (shouldUseStackSafetyAnalysis(TargetTriple, DisableOptimization)) {
412 // We cannot call getAnalysis in doInitialization, that would cause a
413 // crash as the required analyses are not initialized yet.
414 HWASan->setSSI(
415 &getAnalysis<StackSafetyGlobalInfoWrapperPass>().getResult());
416 }
417 return HWASan->sanitizeFunction(
418 F,
419 [&]() -> const DominatorTree & {
420 return getAnalysis<DominatorTreeWrapperPass>().getDomTree();
421 },
422 [&]() -> const PostDominatorTree & {
423 return getAnalysis<PostDominatorTreeWrapperPass>().getPostDomTree();
424 });
425 }
426
427 bool doFinalization(Module &M) override {
428 HWASan.reset();
429 return false;
430 }
431
432 void getAnalysisUsage(AnalysisUsage &AU) const override {
433 // This is an over-estimation of, in case we are building for an
434 // architecture that doesn't allow stack tagging we will still load the
435 // analysis.
436 // This is so we don't need to plumb TargetTriple all the way to here.
437 if (mightUseStackSafetyAnalysis(DisableOptimization))
438 AU.addRequired<StackSafetyGlobalInfoWrapperPass>();
439 AU.addRequired<DominatorTreeWrapperPass>();
440 AU.addRequired<PostDominatorTreeWrapperPass>();
441 }
442
443 private:
444 std::unique_ptr<HWAddressSanitizer> HWASan;
445 bool CompileKernel;
446 bool Recover;
447 bool DisableOptimization;
448 };
449
450 } // end anonymous namespace
451
452 char HWAddressSanitizerLegacyPass::ID = 0;
453
454 INITIALIZE_PASS_BEGIN(
455 HWAddressSanitizerLegacyPass, "hwasan",
456 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false,
457 false)
458 INITIALIZE_PASS_DEPENDENCY(StackSafetyGlobalInfoWrapperPass)
459 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
460 INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass)
461 INITIALIZE_PASS_END(
462 HWAddressSanitizerLegacyPass, "hwasan",
463 "HWAddressSanitizer: detect memory bugs using tagged addressing.", false,
464 false)
465
466 FunctionPass *
467 llvm::createHWAddressSanitizerLegacyPassPass(bool CompileKernel, bool Recover,
468 bool DisableOptimization) {
469 assert(!CompileKernel || Recover);
470 return new HWAddressSanitizerLegacyPass(CompileKernel, Recover,
471 DisableOptimization);
472 }
473
474 PreservedAnalyses HWAddressSanitizerPass::run(Module &M,
475 ModuleAnalysisManager &MAM) {
476 const StackSafetyGlobalInfo *SSI = nullptr;
477 auto TargetTriple = llvm::Triple(M.getTargetTriple());
478 if (shouldUseStackSafetyAnalysis(TargetTriple, Options.DisableOptimization))
479 SSI = &MAM.getResult<StackSafetyGlobalAnalysis>(M);
480
481 HWAddressSanitizer HWASan(M, Options.CompileKernel, Options.Recover, SSI);
482 bool Modified = false;
483 auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
484 for (Function &F : M) {
485 Modified |= HWASan.sanitizeFunction(
486 F,
487 [&]() -> const DominatorTree & {
488 return FAM.getResult<DominatorTreeAnalysis>(F);
489 },
490 [&]() -> const PostDominatorTree & {
491 return FAM.getResult<PostDominatorTreeAnalysis>(F);
492 });
493 }
494 if (Modified)
495 return PreservedAnalyses::none();
496 return PreservedAnalyses::all();
497 }
498
499 void HWAddressSanitizer::createHwasanCtorComdat() {
500 std::tie(HwasanCtorFunction, std::ignore) =
501 getOrCreateSanitizerCtorAndInitFunctions(
502 M, kHwasanModuleCtorName, kHwasanInitName,
503 /*InitArgTypes=*/{},
504 /*InitArgs=*/{},
505 // This callback is invoked when the functions are created the first
506 // time. Hook them into the global ctors list in that case:
507 [&](Function *Ctor, FunctionCallee) {
508 Comdat *CtorComdat = M.getOrInsertComdat(kHwasanModuleCtorName);
509 Ctor->setComdat(CtorComdat);
510 appendToGlobalCtors(M, Ctor, 0, Ctor);
511 });
512
513 // Create a note that contains pointers to the list of global
514 // descriptors. Adding a note to the output file will cause the linker to
515 // create a PT_NOTE program header pointing to the note that we can use to
516 // find the descriptor list starting from the program headers. A function
517 // provided by the runtime initializes the shadow memory for the globals by
518 // accessing the descriptor list via the note. The dynamic loader needs to
519 // call this function whenever a library is loaded.
520 //
521 // The reason why we use a note for this instead of a more conventional
522 // approach of having a global constructor pass a descriptor list pointer to
523 // the runtime is because of an order of initialization problem. With
524 // constructors we can encounter the following problematic scenario:
525 //
526 // 1) library A depends on library B and also interposes one of B's symbols
527 // 2) B's constructors are called before A's (as required for correctness)
528 // 3) during construction, B accesses one of its "own" globals (actually
529 // interposed by A) and triggers a HWASAN failure due to the initialization
530 // for A not having happened yet
531 //
532 // Even without interposition it is possible to run into similar situations in
533 // cases where two libraries mutually depend on each other.
534 //
535 // We only need one note per binary, so put everything for the note in a
536 // comdat. This needs to be a comdat with an .init_array section to prevent
537 // newer versions of lld from discarding the note.
538 //
539 // Create the note even if we aren't instrumenting globals. This ensures that
540 // binaries linked from object files with both instrumented and
541 // non-instrumented globals will end up with a note, even if a comdat from an
542 // object file with non-instrumented globals is selected. The note is harmless
543 // if the runtime doesn't support it, since it will just be ignored.
544 Comdat *NoteComdat = M.getOrInsertComdat(kHwasanModuleCtorName);
545
546 Type *Int8Arr0Ty = ArrayType::get(Int8Ty, 0);
547 auto Start =
548 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage,
549 nullptr, "__start_hwasan_globals");
550 Start->setVisibility(GlobalValue::HiddenVisibility);
551 Start->setDSOLocal(true);
552 auto Stop =
553 new GlobalVariable(M, Int8Arr0Ty, true, GlobalVariable::ExternalLinkage,
554 nullptr, "__stop_hwasan_globals");
555 Stop->setVisibility(GlobalValue::HiddenVisibility);
556 Stop->setDSOLocal(true);
557
558 // Null-terminated so actually 8 bytes, which are required in order to align
559 // the note properly.
560 auto *Name = ConstantDataArray::get(*C, "LLVM\0\0\0");
561
562 auto *NoteTy = StructType::get(Int32Ty, Int32Ty, Int32Ty, Name->getType(),
563 Int32Ty, Int32Ty);
564 auto *Note =
565 new GlobalVariable(M, NoteTy, /*isConstant=*/true,
566 GlobalValue::PrivateLinkage, nullptr, kHwasanNoteName);
567 Note->setSection(".note.hwasan.globals");
568 Note->setComdat(NoteComdat);
569 Note->setAlignment(Align(4));
570 Note->setDSOLocal(true);
571
572 // The pointers in the note need to be relative so that the note ends up being
573 // placed in rodata, which is the standard location for notes.
574 auto CreateRelPtr = [&](Constant *Ptr) {
575 return ConstantExpr::getTrunc(
576 ConstantExpr::getSub(ConstantExpr::getPtrToInt(Ptr, Int64Ty),
577 ConstantExpr::getPtrToInt(Note, Int64Ty)),
578 Int32Ty);
579 };
580 Note->setInitializer(ConstantStruct::getAnon(
581 {ConstantInt::get(Int32Ty, 8), // n_namesz
582 ConstantInt::get(Int32Ty, 8), // n_descsz
583 ConstantInt::get(Int32Ty, ELF::NT_LLVM_HWASAN_GLOBALS), // n_type
584 Name, CreateRelPtr(Start), CreateRelPtr(Stop)}));
585 appendToCompilerUsed(M, Note);
586
587 // Create a zero-length global in hwasan_globals so that the linker will
588 // always create start and stop symbols.
589 auto Dummy = new GlobalVariable(
590 M, Int8Arr0Ty, /*isConstantGlobal*/ true, GlobalVariable::PrivateLinkage,
591 Constant::getNullValue(Int8Arr0Ty), "hwasan.dummy.global");
592 Dummy->setSection("hwasan_globals");
593 Dummy->setComdat(NoteComdat);
594 Dummy->setMetadata(LLVMContext::MD_associated,
595 MDNode::get(*C, ValueAsMetadata::get(Note)));
596 appendToCompilerUsed(M, Dummy);
597 }
598
599 /// Module-level initialization.
600 ///
601 /// inserts a call to __hwasan_init to the module's constructor list.
602 void HWAddressSanitizer::initializeModule() {
603 LLVM_DEBUG(dbgs() << "Init " << M.getName() << "\n");
604 auto &DL = M.getDataLayout();
605
606 TargetTriple = Triple(M.getTargetTriple());
607
608 // x86_64 currently has two modes:
609 // - Intel LAM (default)
610 // - pointer aliasing (heap only)
611 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
612 UsePageAliases = shouldUsePageAliases(TargetTriple);
613 InstrumentWithCalls = shouldInstrumentWithCalls(TargetTriple);
614 InstrumentStack = shouldInstrumentStack(TargetTriple);
615 DetectUseAfterScope = shouldDetectUseAfterScope(TargetTriple);
616 PointerTagShift = IsX86_64 ? 57 : 56;
617 TagMaskByte = IsX86_64 ? 0x3F : 0xFF;
618
619 Mapping.init(TargetTriple, InstrumentWithCalls);
620
621 C = &(M.getContext());
622 IRBuilder<> IRB(*C);
623 IntptrTy = IRB.getIntPtrTy(DL);
624 Int8PtrTy = IRB.getInt8PtrTy();
625 Int8Ty = IRB.getInt8Ty();
626 Int32Ty = IRB.getInt32Ty();
627
628 HwasanCtorFunction = nullptr;
629
630 // Older versions of Android do not have the required runtime support for
631 // short granules, global or personality function instrumentation. On other
632 // platforms we currently require using the latest version of the runtime.
633 bool NewRuntime =
634 !TargetTriple.isAndroid() || !TargetTriple.isAndroidVersionLT(30);
635
636 UseShortGranules =
637 ClUseShortGranules.getNumOccurrences() ? ClUseShortGranules : NewRuntime;
638 OutlinedChecks =
639 TargetTriple.isAArch64() && TargetTriple.isOSBinFormatELF() &&
640 (ClInlineAllChecks.getNumOccurrences() ? !ClInlineAllChecks : !Recover);
641
642 if (ClMatchAllTag.getNumOccurrences()) {
643 if (ClMatchAllTag != -1) {
644 HasMatchAllTag = true;
645 MatchAllTag = ClMatchAllTag & 0xFF;
646 }
647 } else if (CompileKernel) {
648 HasMatchAllTag = true;
649 MatchAllTag = 0xFF;
650 }
651
652 // If we don't have personality function support, fall back to landing pads.
653 InstrumentLandingPads = ClInstrumentLandingPads.getNumOccurrences()
654 ? ClInstrumentLandingPads
655 : !NewRuntime;
656
657 if (!CompileKernel) {
658 createHwasanCtorComdat();
659 bool InstrumentGlobals =
660 ClGlobals.getNumOccurrences() ? ClGlobals : NewRuntime;
661
662 if (InstrumentGlobals && !UsePageAliases)
663 instrumentGlobals();
664
665 bool InstrumentPersonalityFunctions =
666 ClInstrumentPersonalityFunctions.getNumOccurrences()
667 ? ClInstrumentPersonalityFunctions
668 : NewRuntime;
669 if (InstrumentPersonalityFunctions)
670 instrumentPersonalityFunctions();
671 }
672
673 if (!TargetTriple.isAndroid()) {
674 Constant *C = M.getOrInsertGlobal("__hwasan_tls", IntptrTy, [&] {
675 auto *GV = new GlobalVariable(M, IntptrTy, /*isConstant=*/false,
676 GlobalValue::ExternalLinkage, nullptr,
677 "__hwasan_tls", nullptr,
678 GlobalVariable::InitialExecTLSModel);
679 appendToCompilerUsed(M, GV);
680 return GV;
681 });
682 ThreadPtrGlobal = cast<GlobalVariable>(C);
683 }
684 }
685
686 void HWAddressSanitizer::initializeCallbacks(Module &M) {
687 IRBuilder<> IRB(*C);
688 for (size_t AccessIsWrite = 0; AccessIsWrite <= 1; AccessIsWrite++) {
689 const std::string TypeStr = AccessIsWrite ? "store" : "load";
690 const std::string EndingStr = Recover ? "_noabort" : "";
691
692 HwasanMemoryAccessCallbackSized[AccessIsWrite] = M.getOrInsertFunction(
693 ClMemoryAccessCallbackPrefix + TypeStr + "N" + EndingStr,
694 FunctionType::get(IRB.getVoidTy(), {IntptrTy, IntptrTy}, false));
695
696 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
697 AccessSizeIndex++) {
698 HwasanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] =
699 M.getOrInsertFunction(
700 ClMemoryAccessCallbackPrefix + TypeStr +
701 itostr(1ULL << AccessSizeIndex) + EndingStr,
702 FunctionType::get(IRB.getVoidTy(), {IntptrTy}, false));
703 }
704 }
705
706 HwasanTagMemoryFunc = M.getOrInsertFunction(
707 "__hwasan_tag_memory", IRB.getVoidTy(), Int8PtrTy, Int8Ty, IntptrTy);
708 HwasanGenerateTagFunc =
709 M.getOrInsertFunction("__hwasan_generate_tag", Int8Ty);
710
711 ShadowGlobal = M.getOrInsertGlobal("__hwasan_shadow",
712 ArrayType::get(IRB.getInt8Ty(), 0));
713
714 const std::string MemIntrinCallbackPrefix =
715 CompileKernel ? std::string("") : ClMemoryAccessCallbackPrefix;
716 HWAsanMemmove = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memmove",
717 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
718 IRB.getInt8PtrTy(), IntptrTy);
719 HWAsanMemcpy = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memcpy",
720 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
721 IRB.getInt8PtrTy(), IntptrTy);
722 HWAsanMemset = M.getOrInsertFunction(MemIntrinCallbackPrefix + "memset",
723 IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
724 IRB.getInt32Ty(), IntptrTy);
725
726 HWAsanHandleVfork =
727 M.getOrInsertFunction("__hwasan_handle_vfork", IRB.getVoidTy(), IntptrTy);
728 }
729
730 Value *HWAddressSanitizer::getOpaqueNoopCast(IRBuilder<> &IRB, Value *Val) {
731 // An empty inline asm with input reg == output reg.
732 // An opaque no-op cast, basically.
733 // This prevents code bloat as a result of rematerializing trivial definitions
734 // such as constants or global addresses at every load and store.
735 InlineAsm *Asm =
736 InlineAsm::get(FunctionType::get(Int8PtrTy, {Val->getType()}, false),
737 StringRef(""), StringRef("=r,0"),
738 /*hasSideEffects=*/false);
739 return IRB.CreateCall(Asm, {Val}, ".hwasan.shadow");
740 }
741
742 Value *HWAddressSanitizer::getDynamicShadowIfunc(IRBuilder<> &IRB) {
743 return getOpaqueNoopCast(IRB, ShadowGlobal);
744 }
745
746 Value *HWAddressSanitizer::getShadowNonTls(IRBuilder<> &IRB) {
747 if (Mapping.Offset != kDynamicShadowSentinel)
748 return getOpaqueNoopCast(
749 IRB, ConstantExpr::getIntToPtr(
750 ConstantInt::get(IntptrTy, Mapping.Offset), Int8PtrTy));
751
752 if (Mapping.InGlobal) {
753 return getDynamicShadowIfunc(IRB);
754 } else {
755 Value *GlobalDynamicAddress =
756 IRB.GetInsertBlock()->getParent()->getParent()->getOrInsertGlobal(
757 kHwasanShadowMemoryDynamicAddress, Int8PtrTy);
758 return IRB.CreateLoad(Int8PtrTy, GlobalDynamicAddress);
759 }
760 }
761
762 bool HWAddressSanitizer::ignoreAccess(Value *Ptr) {
763 // Do not instrument acesses from different address spaces; we cannot deal
764 // with them.
765 Type *PtrTy = cast<PointerType>(Ptr->getType()->getScalarType());
766 if (PtrTy->getPointerAddressSpace() != 0)
767 return true;
768
769 // Ignore swifterror addresses.
770 // swifterror memory addresses are mem2reg promoted by instruction
771 // selection. As such they cannot have regular uses like an instrumentation
772 // function and it makes no sense to track them as memory.
773 if (Ptr->isSwiftError())
774 return true;
775
776 return false;
777 }
778
779 void HWAddressSanitizer::getInterestingMemoryOperands(
780 Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) {
781 // Skip memory accesses inserted by another instrumentation.
782 if (I->hasMetadata("nosanitize"))
783 return;
784
785 // Do not instrument the load fetching the dynamic shadow address.
786 if (ShadowBase == I)
787 return;
788
789 if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
790 if (!ClInstrumentReads || ignoreAccess(LI->getPointerOperand()))
791 return;
792 Interesting.emplace_back(I, LI->getPointerOperandIndex(), false,
793 LI->getType(), LI->getAlign());
794 } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
795 if (!ClInstrumentWrites || ignoreAccess(SI->getPointerOperand()))
796 return;
797 Interesting.emplace_back(I, SI->getPointerOperandIndex(), true,
798 SI->getValueOperand()->getType(), SI->getAlign());
799 } else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {
800 if (!ClInstrumentAtomics || ignoreAccess(RMW->getPointerOperand()))
801 return;
802 Interesting.emplace_back(I, RMW->getPointerOperandIndex(), true,
803 RMW->getValOperand()->getType(), None);
804 } else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
805 if (!ClInstrumentAtomics || ignoreAccess(XCHG->getPointerOperand()))
806 return;
807 Interesting.emplace_back(I, XCHG->getPointerOperandIndex(), true,
808 XCHG->getCompareOperand()->getType(), None);
809 } else if (auto CI = dyn_cast<CallInst>(I)) {
810 for (unsigned ArgNo = 0; ArgNo < CI->getNumArgOperands(); ArgNo++) {
811 if (!ClInstrumentByval || !CI->isByValArgument(ArgNo) ||
812 ignoreAccess(CI->getArgOperand(ArgNo)))
813 continue;
814 Type *Ty = CI->getParamByValType(ArgNo);
815 Interesting.emplace_back(I, ArgNo, false, Ty, Align(1));
816 }
817 }
818 }
819
820 static unsigned getPointerOperandIndex(Instruction *I) {
821 if (LoadInst *LI = dyn_cast<LoadInst>(I))
822 return LI->getPointerOperandIndex();
823 if (StoreInst *SI = dyn_cast<StoreInst>(I))
824 return SI->getPointerOperandIndex();
825 if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I))
826 return RMW->getPointerOperandIndex();
827 if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I))
828 return XCHG->getPointerOperandIndex();
829 report_fatal_error("Unexpected instruction");
830 return -1;
831 }
832
833 static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
834 size_t Res = countTrailingZeros(TypeSize / 8);
835 assert(Res < kNumberOfAccessSizes);
836 return Res;
837 }
838
839 void HWAddressSanitizer::untagPointerOperand(Instruction *I, Value *Addr) {
840 if (TargetTriple.isAArch64() || TargetTriple.getArch() == Triple::x86_64)
841 return;
842
843 IRBuilder<> IRB(I);
844 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
845 Value *UntaggedPtr =
846 IRB.CreateIntToPtr(untagPointer(IRB, AddrLong), Addr->getType());
847 I->setOperand(getPointerOperandIndex(I), UntaggedPtr);
848 }
849
850 Value *HWAddressSanitizer::memToShadow(Value *Mem, IRBuilder<> &IRB) {
851 // Mem >> Scale
852 Value *Shadow = IRB.CreateLShr(Mem, Mapping.Scale);
853 if (Mapping.Offset == 0)
854 return IRB.CreateIntToPtr(Shadow, Int8PtrTy);
855 // (Mem >> Scale) + Offset
856 return IRB.CreateGEP(Int8Ty, ShadowBase, Shadow);
857 }
858
859 void HWAddressSanitizer::instrumentMemAccessInline(Value *Ptr, bool IsWrite,
860 unsigned AccessSizeIndex,
861 Instruction *InsertBefore) {
862 assert(!UsePageAliases);
863 const int64_t AccessInfo =
864 (CompileKernel << HWASanAccessInfo::CompileKernelShift) +
865 (HasMatchAllTag << HWASanAccessInfo::HasMatchAllShift) +
866 (MatchAllTag << HWASanAccessInfo::MatchAllShift) +
867 (Recover << HWASanAccessInfo::RecoverShift) +
868 (IsWrite << HWASanAccessInfo::IsWriteShift) +
869 (AccessSizeIndex << HWASanAccessInfo::AccessSizeShift);
870 IRBuilder<> IRB(InsertBefore);
871
872 if (OutlinedChecks) {
873 Module *M = IRB.GetInsertBlock()->getParent()->getParent();
874 Ptr = IRB.CreateBitCast(Ptr, Int8PtrTy);
875 IRB.CreateCall(Intrinsic::getDeclaration(
876 M, UseShortGranules
877 ? Intrinsic::hwasan_check_memaccess_shortgranules
878 : Intrinsic::hwasan_check_memaccess),
879 {ShadowBase, Ptr, ConstantInt::get(Int32Ty, AccessInfo)});
880 return;
881 }
882
883 Value *PtrLong = IRB.CreatePointerCast(Ptr, IntptrTy);
884 Value *PtrTag = IRB.CreateTrunc(IRB.CreateLShr(PtrLong, PointerTagShift),
885 IRB.getInt8Ty());
886 Value *AddrLong = untagPointer(IRB, PtrLong);
887 Value *Shadow = memToShadow(AddrLong, IRB);
888 Value *MemTag = IRB.CreateLoad(Int8Ty, Shadow);
889 Value *TagMismatch = IRB.CreateICmpNE(PtrTag, MemTag);
890
891 if (HasMatchAllTag) {
892 Value *TagNotIgnored = IRB.CreateICmpNE(
893 PtrTag, ConstantInt::get(PtrTag->getType(), MatchAllTag));
894 TagMismatch = IRB.CreateAnd(TagMismatch, TagNotIgnored);
895 }
896
897 Instruction *CheckTerm =
898 SplitBlockAndInsertIfThen(TagMismatch, InsertBefore, false,
899 MDBuilder(*C).createBranchWeights(1, 100000));
900
901 IRB.SetInsertPoint(CheckTerm);
902 Value *OutOfShortGranuleTagRange =
903 IRB.CreateICmpUGT(MemTag, ConstantInt::get(Int8Ty, 15));
904 Instruction *CheckFailTerm =
905 SplitBlockAndInsertIfThen(OutOfShortGranuleTagRange, CheckTerm, !Recover,
906 MDBuilder(*C).createBranchWeights(1, 100000));
907
908 IRB.SetInsertPoint(CheckTerm);
909 Value *PtrLowBits = IRB.CreateTrunc(IRB.CreateAnd(PtrLong, 15), Int8Ty);
910 PtrLowBits = IRB.CreateAdd(
911 PtrLowBits, ConstantInt::get(Int8Ty, (1 << AccessSizeIndex) - 1));
912 Value *PtrLowBitsOOB = IRB.CreateICmpUGE(PtrLowBits, MemTag);
913 SplitBlockAndInsertIfThen(PtrLowBitsOOB, CheckTerm, false,
914 MDBuilder(*C).createBranchWeights(1, 100000),
915 (DomTreeUpdater *)nullptr, nullptr,
916 CheckFailTerm->getParent());
917
918 IRB.SetInsertPoint(CheckTerm);
919 Value *InlineTagAddr = IRB.CreateOr(AddrLong, 15);
920 InlineTagAddr = IRB.CreateIntToPtr(InlineTagAddr, Int8PtrTy);
921 Value *InlineTag = IRB.CreateLoad(Int8Ty, InlineTagAddr);
922 Value *InlineTagMismatch = IRB.CreateICmpNE(PtrTag, InlineTag);
923 SplitBlockAndInsertIfThen(InlineTagMismatch, CheckTerm, false,
924 MDBuilder(*C).createBranchWeights(1, 100000),
925 (DomTreeUpdater *)nullptr, nullptr,
926 CheckFailTerm->getParent());
927
928 IRB.SetInsertPoint(CheckFailTerm);
929 InlineAsm *Asm;
930 switch (TargetTriple.getArch()) {
931 case Triple::x86_64:
932 // The signal handler will find the data address in rdi.
933 Asm = InlineAsm::get(
934 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false),
935 "int3\nnopl " +
936 itostr(0x40 + (AccessInfo & HWASanAccessInfo::RuntimeMask)) +
937 "(%rax)",
938 "{rdi}",
939 /*hasSideEffects=*/true);
940 break;
941 case Triple::aarch64:
942 case Triple::aarch64_be:
943 // The signal handler will find the data address in x0.
944 Asm = InlineAsm::get(
945 FunctionType::get(IRB.getVoidTy(), {PtrLong->getType()}, false),
946 "brk #" + itostr(0x900 + (AccessInfo & HWASanAccessInfo::RuntimeMask)),
947 "{x0}",
948 /*hasSideEffects=*/true);
949 break;
950 default:
951 report_fatal_error("unsupported architecture");
952 }
953 IRB.CreateCall(Asm, PtrLong);
954 if (Recover)
955 cast<BranchInst>(CheckFailTerm)->setSuccessor(0, CheckTerm->getParent());
956 }
957
958 void HWAddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) {
959 IRBuilder<> IRB(MI);
960 if (isa<MemTransferInst>(MI)) {
961 IRB.CreateCall(
962 isa<MemMoveInst>(MI) ? HWAsanMemmove : HWAsanMemcpy,
963 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()),
964 IRB.CreatePointerCast(MI->getOperand(1), IRB.getInt8PtrTy()),
965 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)});
966 } else if (isa<MemSetInst>(MI)) {
967 IRB.CreateCall(
968 HWAsanMemset,
969 {IRB.CreatePointerCast(MI->getOperand(0), IRB.getInt8PtrTy()),
970 IRB.CreateIntCast(MI->getOperand(1), IRB.getInt32Ty(), false),
971 IRB.CreateIntCast(MI->getOperand(2), IntptrTy, false)});
972 }
973 MI->eraseFromParent();
974 }
975
976 bool HWAddressSanitizer::instrumentMemAccess(InterestingMemoryOperand &O) {
977 Value *Addr = O.getPtr();
978
979 LLVM_DEBUG(dbgs() << "Instrumenting: " << O.getInsn() << "\n");
980
981 if (O.MaybeMask)
982 return false; // FIXME
983
984 IRBuilder<> IRB(O.getInsn());
985 if (isPowerOf2_64(O.TypeSize) &&
986 (O.TypeSize / 8 <= (1ULL << (kNumberOfAccessSizes - 1))) &&
987 (!O.Alignment || *O.Alignment >= (1ULL << Mapping.Scale) ||
988 *O.Alignment >= O.TypeSize / 8)) {
989 size_t AccessSizeIndex = TypeSizeToSizeIndex(O.TypeSize);
990 if (InstrumentWithCalls) {
991 IRB.CreateCall(HwasanMemoryAccessCallback[O.IsWrite][AccessSizeIndex],
992 IRB.CreatePointerCast(Addr, IntptrTy));
993 } else {
994 instrumentMemAccessInline(Addr, O.IsWrite, AccessSizeIndex, O.getInsn());
995 }
996 } else {
997 IRB.CreateCall(HwasanMemoryAccessCallbackSized[O.IsWrite],
998 {IRB.CreatePointerCast(Addr, IntptrTy),
999 ConstantInt::get(IntptrTy, O.TypeSize / 8)});
1000 }
1001 untagPointerOperand(O.getInsn(), Addr);
1002
1003 return true;
1004 }
1005
1006 static uint64_t getAllocaSizeInBytes(const AllocaInst &AI) {
1007 uint64_t ArraySize = 1;
1008 if (AI.isArrayAllocation()) {
1009 const ConstantInt *CI = dyn_cast<ConstantInt>(AI.getArraySize());
1010 assert(CI && "non-constant array size");
1011 ArraySize = CI->getZExtValue();
1012 }
1013 Type *Ty = AI.getAllocatedType();
1014 uint64_t SizeInBytes = AI.getModule()->getDataLayout().getTypeAllocSize(Ty);
1015 return SizeInBytes * ArraySize;
1016 }
1017
1018 void HWAddressSanitizer::tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag,
1019 size_t Size) {
1020 size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment());
1021 if (!UseShortGranules)
1022 Size = AlignedSize;
1023
1024 Value *JustTag = IRB.CreateTrunc(Tag, IRB.getInt8Ty());
1025 if (InstrumentWithCalls) {
1026 IRB.CreateCall(HwasanTagMemoryFunc,
1027 {IRB.CreatePointerCast(AI, Int8PtrTy), JustTag,
1028 ConstantInt::get(IntptrTy, AlignedSize)});
1029 } else {
1030 size_t ShadowSize = Size >> Mapping.Scale;
1031 Value *ShadowPtr = memToShadow(IRB.CreatePointerCast(AI, IntptrTy), IRB);
1032 // If this memset is not inlined, it will be intercepted in the hwasan
1033 // runtime library. That's OK, because the interceptor skips the checks if
1034 // the address is in the shadow region.
1035 // FIXME: the interceptor is not as fast as real memset. Consider lowering
1036 // llvm.memset right here into either a sequence of stores, or a call to
1037 // hwasan_tag_memory.
1038 if (ShadowSize)
1039 IRB.CreateMemSet(ShadowPtr, JustTag, ShadowSize, Align(1));
1040 if (Size != AlignedSize) {
1041 IRB.CreateStore(
1042 ConstantInt::get(Int8Ty, Size % Mapping.getObjectAlignment()),
1043 IRB.CreateConstGEP1_32(Int8Ty, ShadowPtr, ShadowSize));
1044 IRB.CreateStore(JustTag, IRB.CreateConstGEP1_32(
1045 Int8Ty, IRB.CreateBitCast(AI, Int8PtrTy),
1046 AlignedSize - 1));
1047 }
1048 }
1049 }
1050
1051 unsigned HWAddressSanitizer::retagMask(unsigned AllocaNo) {
1052 if (TargetTriple.getArch() == Triple::x86_64)
1053 return AllocaNo & TagMaskByte;
1054
1055 // A list of 8-bit numbers that have at most one run of non-zero bits.
1056 // x = x ^ (mask << 56) can be encoded as a single armv8 instruction for these
1057 // masks.
1058 // The list does not include the value 255, which is used for UAR.
1059 //
1060 // Because we are more likely to use earlier elements of this list than later
1061 // ones, it is sorted in increasing order of probability of collision with a
1062 // mask allocated (temporally) nearby. The program that generated this list
1063 // can be found at:
1064 // https://github.com/google/sanitizers/blob/master/hwaddress-sanitizer/sort_masks.py
1065 static unsigned FastMasks[] = {0, 128, 64, 192, 32, 96, 224, 112, 240,
1066 48, 16, 120, 248, 56, 24, 8, 124, 252,
1067 60, 28, 12, 4, 126, 254, 62, 30, 14,
1068 6, 2, 127, 63, 31, 15, 7, 3, 1};
1069 return FastMasks[AllocaNo % (sizeof(FastMasks) / sizeof(FastMasks[0]))];
1070 }
1071
1072 Value *HWAddressSanitizer::applyTagMask(IRBuilder<> &IRB, Value *OldTag) {
1073 if (TargetTriple.getArch() == Triple::x86_64) {
1074 Constant *TagMask = ConstantInt::get(IntptrTy, TagMaskByte);
1075 Value *NewTag = IRB.CreateAnd(OldTag, TagMask);
1076 return NewTag;
1077 }
1078 // aarch64 uses 8-bit tags, so no mask is needed.
1079 return OldTag;
1080 }
1081
1082 Value *HWAddressSanitizer::getNextTagWithCall(IRBuilder<> &IRB) {
1083 return IRB.CreateZExt(IRB.CreateCall(HwasanGenerateTagFunc), IntptrTy);
1084 }
1085
1086 Value *HWAddressSanitizer::getStackBaseTag(IRBuilder<> &IRB) {
1087 if (ClGenerateTagsWithCalls)
1088 return getNextTagWithCall(IRB);
1089 if (StackBaseTag)
1090 return StackBaseTag;
1091 // FIXME: use addressofreturnaddress (but implement it in aarch64 backend
1092 // first).
1093 Module *M = IRB.GetInsertBlock()->getParent()->getParent();
1094 auto GetStackPointerFn = Intrinsic::getDeclaration(
1095 M, Intrinsic::frameaddress,
1096 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace()));
1097 Value *StackPointer = IRB.CreateCall(
1098 GetStackPointerFn, {Constant::getNullValue(IRB.getInt32Ty())});
1099
1100 // Extract some entropy from the stack pointer for the tags.
1101 // Take bits 20..28 (ASLR entropy) and xor with bits 0..8 (these differ
1102 // between functions).
1103 Value *StackPointerLong = IRB.CreatePointerCast(StackPointer, IntptrTy);
1104 Value *StackTag =
1105 applyTagMask(IRB, IRB.CreateXor(StackPointerLong,
1106 IRB.CreateLShr(StackPointerLong, 20)));
1107 StackTag->setName("hwasan.stack.base.tag");
1108 return StackTag;
1109 }
1110
1111 Value *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag,
1112 AllocaInst *AI, unsigned AllocaNo) {
1113 if (ClGenerateTagsWithCalls)
1114 return getNextTagWithCall(IRB);
1115 return IRB.CreateXor(StackTag,
1116 ConstantInt::get(IntptrTy, retagMask(AllocaNo)));
1117 }
1118
1119 Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) {
1120 if (ClUARRetagToZero)
1121 return ConstantInt::get(IntptrTy, 0);
1122 if (ClGenerateTagsWithCalls)
1123 return getNextTagWithCall(IRB);
1124 return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, TagMaskByte));
1125 }
1126
1127 // Add a tag to an address.
1128 Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty,
1129 Value *PtrLong, Value *Tag) {
1130 assert(!UsePageAliases);
1131 Value *TaggedPtrLong;
1132 if (CompileKernel) {
1133 // Kernel addresses have 0xFF in the most significant byte.
1134 Value *ShiftedTag =
1135 IRB.CreateOr(IRB.CreateShl(Tag, PointerTagShift),
1136 ConstantInt::get(IntptrTy, (1ULL << PointerTagShift) - 1));
1137 TaggedPtrLong = IRB.CreateAnd(PtrLong, ShiftedTag);
1138 } else {
1139 // Userspace can simply do OR (tag << PointerTagShift);
1140 Value *ShiftedTag = IRB.CreateShl(Tag, PointerTagShift);
1141 TaggedPtrLong = IRB.CreateOr(PtrLong, ShiftedTag);
1142 }
1143 return IRB.CreateIntToPtr(TaggedPtrLong, Ty);
1144 }
1145
1146 // Remove tag from an address.
1147 Value *HWAddressSanitizer::untagPointer(IRBuilder<> &IRB, Value *PtrLong) {
1148 assert(!UsePageAliases);
1149 Value *UntaggedPtrLong;
1150 if (CompileKernel) {
1151 // Kernel addresses have 0xFF in the most significant byte.
1152 UntaggedPtrLong =
1153 IRB.CreateOr(PtrLong, ConstantInt::get(PtrLong->getType(),
1154 0xFFULL << PointerTagShift));
1155 } else {
1156 // Userspace addresses have 0x00.
1157 UntaggedPtrLong =
1158 IRB.CreateAnd(PtrLong, ConstantInt::get(PtrLong->getType(),
1159 ~(0xFFULL << PointerTagShift)));
1160 }
1161 return UntaggedPtrLong;
1162 }
1163
1164 Value *HWAddressSanitizer::getHwasanThreadSlotPtr(IRBuilder<> &IRB, Type *Ty) {
1165 Module *M = IRB.GetInsertBlock()->getParent()->getParent();
1166 if (TargetTriple.isAArch64() && TargetTriple.isAndroid()) {
1167 // Android provides a fixed TLS slot for sanitizers. See TLS_SLOT_SANITIZER
1168 // in Bionic's libc/private/bionic_tls.h.
1169 Function *ThreadPointerFunc =
1170 Intrinsic::getDeclaration(M, Intrinsic::thread_pointer);
1171 Value *SlotPtr = IRB.CreatePointerCast(
1172 IRB.CreateConstGEP1_32(IRB.getInt8Ty(),
1173 IRB.CreateCall(ThreadPointerFunc), 0x30),
1174 Ty->getPointerTo(0));
1175 return SlotPtr;
1176 }
1177 if (ThreadPtrGlobal)
1178 return ThreadPtrGlobal;
1179
1180 return nullptr;
1181 }
1182
1183 void HWAddressSanitizer::emitPrologue(IRBuilder<> &IRB, bool WithFrameRecord) {
1184 if (!Mapping.InTls)
1185 ShadowBase = getShadowNonTls(IRB);
1186 else if (!WithFrameRecord && TargetTriple.isAndroid())
1187 ShadowBase = getDynamicShadowIfunc(IRB);
1188
1189 if (!WithFrameRecord && ShadowBase)
1190 return;
1191
1192 Value *SlotPtr = getHwasanThreadSlotPtr(IRB, IntptrTy);
1193 assert(SlotPtr);
1194
1195 Value *ThreadLong = IRB.CreateLoad(IntptrTy, SlotPtr);
1196 // Extract the address field from ThreadLong. Unnecessary on AArch64 with TBI.
1197 Value *ThreadLongMaybeUntagged =
1198 TargetTriple.isAArch64() ? ThreadLong : untagPointer(IRB, ThreadLong);
1199
1200 if (WithFrameRecord) {
1201 Function *F = IRB.GetInsertBlock()->getParent();
1202 StackBaseTag = IRB.CreateAShr(ThreadLong, 3);
1203
1204 // Prepare ring buffer data.
1205 Value *PC;
1206 if (TargetTriple.getArch() == Triple::aarch64)
1207 PC = readRegister(IRB, "pc");
1208 else
1209 PC = IRB.CreatePtrToInt(F, IntptrTy);
1210 Module *M = F->getParent();
1211 auto GetStackPointerFn = Intrinsic::getDeclaration(
1212 M, Intrinsic::frameaddress,
1213 IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace()));
1214 Value *SP = IRB.CreatePtrToInt(
1215 IRB.CreateCall(GetStackPointerFn,
1216 {Constant::getNullValue(IRB.getInt32Ty())}),
1217 IntptrTy);
1218 // Mix SP and PC.
1219 // Assumptions:
1220 // PC is 0x0000PPPPPPPPPPPP (48 bits are meaningful, others are zero)
1221 // SP is 0xsssssssssssSSSS0 (4 lower bits are zero)
1222 // We only really need ~20 lower non-zero bits (SSSS), so we mix like this:
1223 // 0xSSSSPPPPPPPPPPPP
1224 SP = IRB.CreateShl(SP, 44);
1225
1226 // Store data to ring buffer.
1227 Value *RecordPtr =
1228 IRB.CreateIntToPtr(ThreadLongMaybeUntagged, IntptrTy->getPointerTo(0));
1229 IRB.CreateStore(IRB.CreateOr(PC, SP), RecordPtr);
1230
1231 // Update the ring buffer. Top byte of ThreadLong defines the size of the
1232 // buffer in pages, it must be a power of two, and the start of the buffer
1233 // must be aligned by twice that much. Therefore wrap around of the ring
1234 // buffer is simply Addr &= ~((ThreadLong >> 56) << 12).
1235 // The use of AShr instead of LShr is due to
1236 // https://bugs.llvm.org/show_bug.cgi?id=39030
1237 // Runtime library makes sure not to use the highest bit.
1238 Value *WrapMask = IRB.CreateXor(
1239 IRB.CreateShl(IRB.CreateAShr(ThreadLong, 56), 12, "", true, true),
1240 ConstantInt::get(IntptrTy, (uint64_t)-1));
1241 Value *ThreadLongNew = IRB.CreateAnd(
1242 IRB.CreateAdd(ThreadLong, ConstantInt::get(IntptrTy, 8)), WrapMask);
1243 IRB.CreateStore(ThreadLongNew, SlotPtr);
1244 }
1245
1246 if (!ShadowBase) {
1247 // Get shadow base address by aligning RecordPtr up.
1248 // Note: this is not correct if the pointer is already aligned.
1249 // Runtime library will make sure this never happens.
1250 ShadowBase = IRB.CreateAdd(
1251 IRB.CreateOr(
1252 ThreadLongMaybeUntagged,
1253 ConstantInt::get(IntptrTy, (1ULL << kShadowBaseAlignment) - 1)),
1254 ConstantInt::get(IntptrTy, 1), "hwasan.shadow");
1255 ShadowBase = IRB.CreateIntToPtr(ShadowBase, Int8PtrTy);
1256 }
1257 }
1258
1259 Value *HWAddressSanitizer::readRegister(IRBuilder<> &IRB, StringRef Name) {
1260 Module *M = IRB.GetInsertBlock()->getParent()->getParent();
1261 Function *ReadRegister =
1262 Intrinsic::getDeclaration(M, Intrinsic::read_register, IntptrTy);
1263 MDNode *MD = MDNode::get(*C, {MDString::get(*C, Name)});
1264 Value *Args[] = {MetadataAsValue::get(*C, MD)};
1265 return IRB.CreateCall(ReadRegister, Args);
1266 }
1267
1268 bool HWAddressSanitizer::instrumentLandingPads(
1269 SmallVectorImpl<Instruction *> &LandingPadVec) {
1270 for (auto *LP : LandingPadVec) {
1271 IRBuilder<> IRB(LP->getNextNode());
1272 IRB.CreateCall(
1273 HWAsanHandleVfork,
1274 {readRegister(IRB, (TargetTriple.getArch() == Triple::x86_64) ? "rsp"
1275 : "sp")});
1276 }
1277 return true;
1278 }
1279
1280 bool HWAddressSanitizer::instrumentStack(
1281 MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument,
1282 SmallVector<Instruction *, 4> &UnrecognizedLifetimes,
1283 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap,
1284 SmallVectorImpl<Instruction *> &RetVec, Value *StackTag,
1285 llvm::function_ref<const DominatorTree &()> GetDT,
1286 llvm::function_ref<const PostDominatorTree &()> GetPDT) {
1287 // Ideally, we want to calculate tagged stack base pointer, and rewrite all
1288 // alloca addresses using that. Unfortunately, offsets are not known yet
1289 // (unless we use ASan-style mega-alloca). Instead we keep the base tag in a
1290 // temp, shift-OR it into each alloca address and xor with the retag mask.
1291 // This generates one extra instruction per alloca use.
1292 unsigned int I = 0;
1293
1294 for (auto &KV : AllocasToInstrument) {
1295 auto N = I++;
1296 auto *AI = KV.first;
1297 AllocaInfo &Info = KV.second;
1298 IRBuilder<> IRB(AI->getNextNode());
1299
1300 // Replace uses of the alloca with tagged address.
1301 Value *Tag = getAllocaTag(IRB, StackTag, AI, N);
1302 Value *AILong = IRB.CreatePointerCast(AI, IntptrTy);
1303 Value *Replacement = tagPointer(IRB, AI->getType(), AILong, Tag);
1304 std::string Name =
1305 AI->hasName() ? AI->getName().str() : "alloca." + itostr(N);
1306 Replacement->setName(Name + ".hwasan");
1307
1308 AI->replaceUsesWithIf(Replacement,
1309 [AILong](Use &U) { return U.getUser() != AILong; });
1310
1311 for (auto *DDI : AllocaDbgMap.lookup(AI)) {
1312 // Prepend "tag_offset, N" to the dwarf expression.
1313 // Tag offset logically applies to the alloca pointer, and it makes sense
1314 // to put it at the beginning of the expression.
1315 SmallVector<uint64_t, 8> NewOps = {dwarf::DW_OP_LLVM_tag_offset,
1316 retagMask(N)};
1317 for (size_t LocNo = 0; LocNo < DDI->getNumVariableLocationOps(); ++LocNo)
1318 if (DDI->getVariableLocationOp(LocNo) == AI)
1319 DDI->setExpression(DIExpression::appendOpsToArg(DDI->getExpression(),
1320 NewOps, LocNo));
1321 }
1322
1323 size_t Size = getAllocaSizeInBytes(*AI);
1324 size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment());
1325 bool StandardLifetime = UnrecognizedLifetimes.empty() &&
1326 Info.LifetimeStart.size() == 1 &&
1327 Info.LifetimeEnd.size() == 1;
1328 if (DetectUseAfterScope && StandardLifetime) {
1329 IntrinsicInst *Start = Info.LifetimeStart[0];
1330 IntrinsicInst *End = Info.LifetimeEnd[0];
1331 IRB.SetInsertPoint(Start->getNextNode());
1332 auto TagEnd = [&](Instruction *Node) {
1333 IRB.SetInsertPoint(Node);
1334 Value *UARTag = getUARTag(IRB, StackTag);
1335 tagAlloca(IRB, AI, UARTag, AlignedSize);
1336 };
1337 tagAlloca(IRB, AI, Tag, Size);
1338 if (!forAllReachableExits(GetDT(), GetPDT(), Start, End, RetVec, TagEnd))
1339 End->eraseFromParent();
1340 } else {
1341 tagAlloca(IRB, AI, Tag, Size);
1342 for (auto *RI : RetVec) {
1343 IRB.SetInsertPoint(RI);
1344 Value *UARTag = getUARTag(IRB, StackTag);
1345 tagAlloca(IRB, AI, UARTag, AlignedSize);
1346 }
1347 if (!StandardLifetime) {
1348 for (auto &II : Info.LifetimeStart)
1349 II->eraseFromParent();
1350 for (auto &II : Info.LifetimeEnd)
1351 II->eraseFromParent();
1352 }
1353 }
1354 }
1355 for (auto &I : UnrecognizedLifetimes)
1356 I->eraseFromParent();
1357 return true;
1358 }
1359
1360 bool HWAddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
1361 return (AI.getAllocatedType()->isSized() &&
1362 // FIXME: instrument dynamic allocas, too
1363 AI.isStaticAlloca() &&
1364 // alloca() may be called with 0 size, ignore it.
1365 getAllocaSizeInBytes(AI) > 0 &&
1366 // We are only interested in allocas not promotable to registers.
1367 // Promotable allocas are common under -O0.
1368 !isAllocaPromotable(&AI) &&
1369 // inalloca allocas are not treated as static, and we don't want
1370 // dynamic alloca instrumentation for them as well.
1371 !AI.isUsedWithInAlloca() &&
1372 // swifterror allocas are register promoted by ISel
1373 !AI.isSwiftError()) &&
1374 // safe allocas are not interesting
1375 !(SSI && SSI->isSafe(AI));
1376 }
1377
1378 DenseMap<AllocaInst *, AllocaInst *> HWAddressSanitizer::padInterestingAllocas(
1379 const MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument) {
1380 DenseMap<AllocaInst *, AllocaInst *> AllocaToPaddedAllocaMap;
1381 for (auto &KV : AllocasToInstrument) {
1382 AllocaInst *AI = KV.first;
1383 uint64_t Size = getAllocaSizeInBytes(*AI);
1384 uint64_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment());
1385 AI->setAlignment(
1386 Align(std::max(AI->getAlignment(), Mapping.getObjectAlignment())));
1387 if (Size != AlignedSize) {
1388 Type *AllocatedType = AI->getAllocatedType();
1389 if (AI->isArrayAllocation()) {
1390 uint64_t ArraySize =
1391 cast<ConstantInt>(AI->getArraySize())->getZExtValue();
1392 AllocatedType = ArrayType::get(AllocatedType, ArraySize);
1393 }
1394 Type *TypeWithPadding = StructType::get(
1395 AllocatedType, ArrayType::get(Int8Ty, AlignedSize - Size));
1396 auto *NewAI = new AllocaInst(
1397 TypeWithPadding, AI->getType()->getAddressSpace(), nullptr, "", AI);
1398 NewAI->takeName(AI);
1399 NewAI->setAlignment(AI->getAlign());
1400 NewAI->setUsedWithInAlloca(AI->isUsedWithInAlloca());
1401 NewAI->setSwiftError(AI->isSwiftError());
1402 NewAI->copyMetadata(*AI);
1403 auto *Bitcast = new BitCastInst(NewAI, AI->getType(), "", AI);
1404 AI->replaceAllUsesWith(Bitcast);
1405 AllocaToPaddedAllocaMap[AI] = NewAI;
1406 }
1407 }
1408 return AllocaToPaddedAllocaMap;
1409 }
1410
1411 bool HWAddressSanitizer::sanitizeFunction(
1412 Function &F, llvm::function_ref<const DominatorTree &()> GetDT,
1413 llvm::function_ref<const PostDominatorTree &()> GetPDT) {
1414 if (&F == HwasanCtorFunction)
1415 return false;
1416
1417 if (!F.hasFnAttribute(Attribute::SanitizeHWAddress))
1418 return false;
1419
1420 LLVM_DEBUG(dbgs() << "Function: " << F.getName() << "\n");
1421
1422 SmallVector<InterestingMemoryOperand, 16> OperandsToInstrument;
1423 SmallVector<MemIntrinsic *, 16> IntrinToInstrument;
1424 MapVector<AllocaInst *, AllocaInfo> AllocasToInstrument;
1425 SmallVector<Instruction *, 8> RetVec;
1426 SmallVector<Instruction *, 8> LandingPadVec;
1427 SmallVector<Instruction *, 4> UnrecognizedLifetimes;
1428 DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> AllocaDbgMap;
1429 for (auto &BB : F) {
1430 for (auto &Inst : BB) {
1431 if (InstrumentStack) {
1432 if (AllocaInst *AI = dyn_cast<AllocaInst>(&Inst)) {
1433 if (isInterestingAlloca(*AI))
1434 AllocasToInstrument.insert({AI, {}});
1435 continue;
1436 }
1437 auto *II = dyn_cast<IntrinsicInst>(&Inst);
1438 if (II && (II->getIntrinsicID() == Intrinsic::lifetime_start ||
1439 II->getIntrinsicID() == Intrinsic::lifetime_end)) {
1440 AllocaInst *AI = findAllocaForValue(II->getArgOperand(1));
1441 if (!AI) {
1442 UnrecognizedLifetimes.push_back(&Inst);
1443 continue;
1444 }
1445 if (!isInterestingAlloca(*AI))
1446 continue;
1447 if (II->getIntrinsicID() == Intrinsic::lifetime_start)
1448 AllocasToInstrument[AI].LifetimeStart.push_back(II);
1449 else
1450 AllocasToInstrument[AI].LifetimeEnd.push_back(II);
1451 continue;
1452 }
1453 }
1454
1455 if (isa<ReturnInst>(Inst) || isa<ResumeInst>(Inst) ||
1456 isa<CleanupReturnInst>(Inst))
1457 RetVec.push_back(&Inst);
1458
1459 if (auto *DVI = dyn_cast<DbgVariableIntrinsic>(&Inst)) {
1460 for (Value *V : DVI->location_ops()) {
1461 if (auto *Alloca = dyn_cast_or_null<AllocaInst>(V))
1462 if (!AllocaDbgMap.count(Alloca) ||
1463 AllocaDbgMap[Alloca].back() != DVI)
1464 AllocaDbgMap[Alloca].push_back(DVI);
1465 }
1466 }
1467
1468 if (InstrumentLandingPads && isa<LandingPadInst>(Inst))
1469 LandingPadVec.push_back(&Inst);
1470
1471 getInterestingMemoryOperands(&Inst, OperandsToInstrument);
1472
1473 if (MemIntrinsic *MI = dyn_cast<MemIntrinsic>(&Inst))
1474 IntrinToInstrument.push_back(MI);
1475 }
1476 }
1477
1478 initializeCallbacks(*F.getParent());
1479
1480 bool Changed = false;
1481
1482 if (!LandingPadVec.empty())
1483 Changed |= instrumentLandingPads(LandingPadVec);
1484
1485 if (AllocasToInstrument.empty() && F.hasPersonalityFn() &&
1486 F.getPersonalityFn()->getName() == kHwasanPersonalityThunkName) {
1487 // __hwasan_personality_thunk is a no-op for functions without an
1488 // instrumented stack, so we can drop it.
1489 F.setPersonalityFn(nullptr);
1490 Changed = true;
1491 }
1492
1493 if (AllocasToInstrument.empty() && OperandsToInstrument.empty() &&
1494 IntrinToInstrument.empty())
1495 return Changed;
1496
1497 assert(!ShadowBase);
1498
1499 Instruction *InsertPt = &*F.getEntryBlock().begin();
1500 IRBuilder<> EntryIRB(InsertPt);
1501 emitPrologue(EntryIRB,
1502 /*WithFrameRecord*/ ClRecordStackHistory &&
1503 Mapping.WithFrameRecord && !AllocasToInstrument.empty());
1504
1505 if (!AllocasToInstrument.empty()) {
1506 Value *StackTag =
1507 ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB);
1508 instrumentStack(AllocasToInstrument, UnrecognizedLifetimes, AllocaDbgMap,
1509 RetVec, StackTag, GetDT, GetPDT);
1510 }
1511 // Pad and align each of the allocas that we instrumented to stop small
1512 // uninteresting allocas from hiding in instrumented alloca's padding and so
1513 // that we have enough space to store real tags for short granules.
1514 DenseMap<AllocaInst *, AllocaInst *> AllocaToPaddedAllocaMap =
1515 padInterestingAllocas(AllocasToInstrument);
1516
1517 if (!AllocaToPaddedAllocaMap.empty()) {
1518 for (auto &BB : F) {
1519 for (auto &Inst : BB) {
1520 if (auto *DVI = dyn_cast<DbgVariableIntrinsic>(&Inst)) {
1521 SmallDenseSet<Value *> LocationOps(DVI->location_ops().begin(),
1522 DVI->location_ops().end());
1523 for (Value *V : LocationOps) {
1524 if (auto *AI = dyn_cast_or_null<AllocaInst>(V)) {
1525 if (auto *NewAI = AllocaToPaddedAllocaMap.lookup(AI))
1526 DVI->replaceVariableLocationOp(V, NewAI);
1527 }
1528 }
1529 }
1530 }
1531 }
1532 for (auto &P : AllocaToPaddedAllocaMap)
1533 P.first->eraseFromParent();
1534 }
1535
1536 // If we split the entry block, move any allocas that were originally in the
1537 // entry block back into the entry block so that they aren't treated as
1538 // dynamic allocas.
1539 if (EntryIRB.GetInsertBlock() != &F.getEntryBlock()) {
1540 InsertPt = &*F.getEntryBlock().begin();
1541 for (auto II = EntryIRB.GetInsertBlock()->begin(),
1542 IE = EntryIRB.GetInsertBlock()->end();
1543 II != IE;) {
1544 Instruction *I = &*II++;
1545 if (auto *AI = dyn_cast<AllocaInst>(I))
1546 if (isa<ConstantInt>(AI->getArraySize()))
1547 I->moveBefore(InsertPt);
1548 }
1549 }
1550
1551 for (auto &Operand : OperandsToInstrument)
1552 instrumentMemAccess(Operand);
1553
1554 if (ClInstrumentMemIntrinsics && !IntrinToInstrument.empty()) {
1555 for (auto Inst : IntrinToInstrument)
1556 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst));
1557 }
1558
1559 ShadowBase = nullptr;
1560 StackBaseTag = nullptr;
1561
1562 return true;
1563 }
1564
1565 void HWAddressSanitizer::instrumentGlobal(GlobalVariable *GV, uint8_t Tag) {
1566 assert(!UsePageAliases);
1567 Constant *Initializer = GV->getInitializer();
1568 uint64_t SizeInBytes =
1569 M.getDataLayout().getTypeAllocSize(Initializer->getType());
1570 uint64_t NewSize = alignTo(SizeInBytes, Mapping.getObjectAlignment());
1571 if (SizeInBytes != NewSize) {
1572 // Pad the initializer out to the next multiple of 16 bytes and add the
1573 // required short granule tag.
1574 std::vector<uint8_t> Init(NewSize - SizeInBytes, 0);
1575 Init.back() = Tag;
1576 Constant *Padding = ConstantDataArray::get(*C, Init);
1577 Initializer = ConstantStruct::getAnon({Initializer, Padding});
1578 }
1579
1580 auto *NewGV = new GlobalVariable(M, Initializer->getType(), GV->isConstant(),
1581 GlobalValue::ExternalLinkage, Initializer,
1582 GV->getName() + ".hwasan");
1583 NewGV->copyAttributesFrom(GV);
1584 NewGV->setLinkage(GlobalValue::PrivateLinkage);
1585 NewGV->copyMetadata(GV, 0);
1586 NewGV->setAlignment(
1587 MaybeAlign(std::max(GV->getAlignment(), Mapping.getObjectAlignment())));
1588
1589 // It is invalid to ICF two globals that have different tags. In the case
1590 // where the size of the global is a multiple of the tag granularity the
1591 // contents of the globals may be the same but the tags (i.e. symbol values)
1592 // may be different, and the symbols are not considered during ICF. In the
1593 // case where the size is not a multiple of the granularity, the short granule
1594 // tags would discriminate two globals with different tags, but there would
1595 // otherwise be nothing stopping such a global from being incorrectly ICF'd
1596 // with an uninstrumented (i.e. tag 0) global that happened to have the short
1597 // granule tag in the last byte.
1598 NewGV->setUnnamedAddr(GlobalValue::UnnamedAddr::None);
1599
1600 // Descriptor format (assuming little-endian):
1601 // bytes 0-3: relative address of global
1602 // bytes 4-6: size of global (16MB ought to be enough for anyone, but in case
1603 // it isn't, we create multiple descriptors)
1604 // byte 7: tag
1605 auto *DescriptorTy = StructType::get(Int32Ty, Int32Ty);
1606 const uint64_t MaxDescriptorSize = 0xfffff0;
1607 for (uint64_t DescriptorPos = 0; DescriptorPos < SizeInBytes;
1608 DescriptorPos += MaxDescriptorSize) {
1609 auto *Descriptor =
1610 new GlobalVariable(M, DescriptorTy, true, GlobalValue::PrivateLinkage,
1611 nullptr, GV->getName() + ".hwasan.descriptor");
1612 auto *GVRelPtr = ConstantExpr::getTrunc(
1613 ConstantExpr::getAdd(
1614 ConstantExpr::getSub(
1615 ConstantExpr::getPtrToInt(NewGV, Int64Ty),
1616 ConstantExpr::getPtrToInt(Descriptor, Int64Ty)),
1617 ConstantInt::get(Int64Ty, DescriptorPos)),
1618 Int32Ty);
1619 uint32_t Size = std::min(SizeInBytes - DescriptorPos, MaxDescriptorSize);
1620 auto *SizeAndTag = ConstantInt::get(Int32Ty, Size | (uint32_t(Tag) << 24));
1621 Descriptor->setComdat(NewGV->getComdat());
1622 Descriptor->setInitializer(ConstantStruct::getAnon({GVRelPtr, SizeAndTag}));
1623 Descriptor->setSection("hwasan_globals");
1624 Descriptor->setMetadata(LLVMContext::MD_associated,
1625 MDNode::get(*C, ValueAsMetadata::get(NewGV)));
1626 appendToCompilerUsed(M, Descriptor);
1627 }
1628
1629 Constant *Aliasee = ConstantExpr::getIntToPtr(
1630 ConstantExpr::getAdd(
1631 ConstantExpr::getPtrToInt(NewGV, Int64Ty),
1632 ConstantInt::get(Int64Ty, uint64_t(Tag) << PointerTagShift)),
1633 GV->getType());
1634 auto *Alias = GlobalAlias::create(GV->getValueType(), GV->getAddressSpace(),
1635 GV->getLinkage(), "", Aliasee, &M);
1636 Alias->setVisibility(GV->getVisibility());
1637 Alias->takeName(GV);
1638 GV->replaceAllUsesWith(Alias);
1639 GV->eraseFromParent();
1640 }
1641
1642 static DenseSet<GlobalVariable *> getExcludedGlobals(Module &M) {
1643 NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");
1644 if (!Globals)
1645 return DenseSet<GlobalVariable *>();
1646 DenseSet<GlobalVariable *> Excluded(Globals->getNumOperands());
1647 for (auto MDN : Globals->operands()) {
1648 // Metadata node contains the global and the fields of "Entry".
1649 assert(MDN->getNumOperands() == 5);
1650 auto *V = mdconst::extract_or_null<Constant>(MDN->getOperand(0));
1651 // The optimizer may optimize away a global entirely.
1652 if (!V)
1653 continue;
1654 auto *StrippedV = V->stripPointerCasts();
1655 auto *GV = dyn_cast<GlobalVariable>(StrippedV);
1656 if (!GV)
1657 continue;
1658 ConstantInt *IsExcluded = mdconst::extract<ConstantInt>(MDN->getOperand(4));
1659 if (IsExcluded->isOne())
1660 Excluded.insert(GV);
1661 }
1662 return Excluded;
1663 }
1664
1665 void HWAddressSanitizer::instrumentGlobals() {
1666 std::vector<GlobalVariable *> Globals;
1667 auto ExcludedGlobals = getExcludedGlobals(M);
1668 for (GlobalVariable &GV : M.globals()) {
1669 if (ExcludedGlobals.count(&GV))
1670 continue;
1671
1672 if (GV.isDeclarationForLinker() || GV.getName().startswith("llvm.") ||
1673 GV.isThreadLocal())
1674 continue;
1675
1676 // Common symbols can't have aliases point to them, so they can't be tagged.
1677 if (GV.hasCommonLinkage())
1678 continue;
1679
1680 // Globals with custom sections may be used in __start_/__stop_ enumeration,
1681 // which would be broken both by adding tags and potentially by the extra
1682 // padding/alignment that we insert.
1683 if (GV.hasSection())
1684 continue;
1685
1686 Globals.push_back(&GV);
1687 }
1688
1689 MD5 Hasher;
1690 Hasher.update(M.getSourceFileName());
1691 MD5::MD5Result Hash;
1692 Hasher.final(Hash);
1693 uint8_t Tag = Hash[0] & TagMaskByte;
1694
1695 for (GlobalVariable *GV : Globals) {
1696 // Skip tag 0 in order to avoid collisions with untagged memory.
1697 if (Tag == 0)
1698 Tag = 1;
1699 instrumentGlobal(GV, Tag++);
1700 }
1701 }
1702
1703 void HWAddressSanitizer::instrumentPersonalityFunctions() {
1704 // We need to untag stack frames as we unwind past them. That is the job of
1705 // the personality function wrapper, which either wraps an existing
1706 // personality function or acts as a personality function on its own. Each
1707 // function that has a personality function or that can be unwound past has
1708 // its personality function changed to a thunk that calls the personality
1709 // function wrapper in the runtime.
1710 MapVector<Constant *, std::vector<Function *>> PersonalityFns;
1711 for (Function &F : M) {
1712 if (F.isDeclaration() || !F.hasFnAttribute(Attribute::SanitizeHWAddress))
1713 continue;
1714
1715 if (F.hasPersonalityFn()) {
1716 PersonalityFns[F.getPersonalityFn()->stripPointerCasts()].push_back(&F);
1717 } else if (!F.hasFnAttribute(Attribute::NoUnwind)) {
1718 PersonalityFns[nullptr].push_back(&F);
1719 }
1720 }
1721
1722 if (PersonalityFns.empty())
1723 return;
1724
1725 FunctionCallee HwasanPersonalityWrapper = M.getOrInsertFunction(
1726 "__hwasan_personality_wrapper", Int32Ty, Int32Ty, Int32Ty, Int64Ty,
1727 Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy, Int8PtrTy);
1728 FunctionCallee UnwindGetGR = M.getOrInsertFunction("_Unwind_GetGR", VoidTy);
1729 FunctionCallee UnwindGetCFA = M.getOrInsertFunction("_Unwind_GetCFA", VoidTy);
1730
1731 for (auto &P : PersonalityFns) {
1732 std::string ThunkName = kHwasanPersonalityThunkName;
1733 if (P.first)
1734 ThunkName += ("." + P.first->getName()).str();
1735 FunctionType *ThunkFnTy = FunctionType::get(
1736 Int32Ty, {Int32Ty, Int32Ty, Int64Ty, Int8PtrTy, Int8PtrTy}, false);
1737 bool IsLocal = P.first && (!isa<GlobalValue>(P.first) ||
1738 cast<GlobalValue>(P.first)->hasLocalLinkage());
1739 auto *ThunkFn = Function::Create(ThunkFnTy,
1740 IsLocal ? GlobalValue::InternalLinkage
1741 : GlobalValue::LinkOnceODRLinkage,
1742 ThunkName, &M);
1743 if (!IsLocal) {
1744 ThunkFn->setVisibility(GlobalValue::HiddenVisibility);
1745 ThunkFn->setComdat(M.getOrInsertComdat(ThunkName));
1746 }
1747
1748 auto *BB = BasicBlock::Create(*C, "entry", ThunkFn);
1749 IRBuilder<> IRB(BB);
1750 CallInst *WrapperCall = IRB.CreateCall(
1751 HwasanPersonalityWrapper,
1752 {ThunkFn->getArg(0), ThunkFn->getArg(1), ThunkFn->getArg(2),
1753 ThunkFn->getArg(3), ThunkFn->getArg(4),
1754 P.first ? IRB.CreateBitCast(P.first, Int8PtrTy)
1755 : Constant::getNullValue(Int8PtrTy),
1756 IRB.CreateBitCast(UnwindGetGR.getCallee(), Int8PtrTy),
1757 IRB.CreateBitCast(UnwindGetCFA.getCallee(), Int8PtrTy)});
1758 WrapperCall->setTailCall();
1759 IRB.CreateRet(WrapperCall);
1760
1761 for (Function *F : P.second)
1762 F->setPersonalityFn(ThunkFn);
1763 }
1764 }
1765
1766 void HWAddressSanitizer::ShadowMapping::init(Triple &TargetTriple,
1767 bool InstrumentWithCalls) {
1768 Scale = kDefaultShadowScale;
1769 if (TargetTriple.isOSFuchsia()) {
1770 // Fuchsia is always PIE, which means that the beginning of the address
1771 // space is always available.
1772 InGlobal = false;
1773 InTls = false;
1774 Offset = 0;
1775 WithFrameRecord = true;
1776 } else if (ClMappingOffset.getNumOccurrences() > 0) {
1777 InGlobal = false;
1778 InTls = false;
1779 Offset = ClMappingOffset;
1780 WithFrameRecord = false;
1781 } else if (ClEnableKhwasan || InstrumentWithCalls) {
1782 InGlobal = false;
1783 InTls = false;
1784 Offset = 0;
1785 WithFrameRecord = false;
1786 } else if (ClWithIfunc) {
1787 InGlobal = true;
1788 InTls = false;
1789 Offset = kDynamicShadowSentinel;
1790 WithFrameRecord = false;
1791 } else if (ClWithTls) {
1792 InGlobal = false;
1793 InTls = true;
1794 Offset = kDynamicShadowSentinel;
1795 WithFrameRecord = true;
1796 } else {
1797 InGlobal = false;
1798 InTls = false;
1799 Offset = kDynamicShadowSentinel;
1800 WithFrameRecord = false;
1801 }
1802 }
LLVM monorepo