search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[ORC] Add std::tuple support to SimplePackedSerialization.
[llvm-project.git] / llvm / lib / Transforms / Instrumentation / MemorySanitizer.cpp
blob9b4cc9c46f451e23240f195bfe8c9c70a3e9aa03
1 //===- MemorySanitizer.cpp - detector of uninitialized reads --------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 /// \file
10 /// This file is a part of MemorySanitizer, a detector of uninitialized
11 /// reads.
12 ///
13 /// The algorithm of the tool is similar to Memcheck
14 /// (http://goo.gl/QKbem). We associate a few shadow bits with every
15 /// byte of the application memory, poison the shadow of the malloc-ed
16 /// or alloca-ed memory, load the shadow bits on every memory read,
17 /// propagate the shadow bits through some of the arithmetic
18 /// instruction (including MOV), store the shadow bits on every memory
19 /// write, report a bug on some other instructions (e.g. JMP) if the
20 /// associated shadow is poisoned.
21 ///
22 /// But there are differences too. The first and the major one:
23 /// compiler instrumentation instead of binary instrumentation. This
24 /// gives us much better register allocation, possible compiler
25 /// optimizations and a fast start-up. But this brings the major issue
26 /// as well: msan needs to see all program events, including system
27 /// calls and reads/writes in system libraries, so we either need to
28 /// compile *everything* with msan or use a binary translation
29 /// component (e.g. DynamoRIO) to instrument pre-built libraries.
30 /// Another difference from Memcheck is that we use 8 shadow bits per
31 /// byte of application memory and use a direct shadow mapping. This
32 /// greatly simplifies the instrumentation code and avoids races on
33 /// shadow updates (Memcheck is single-threaded so races are not a
34 /// concern there. Memcheck uses 2 shadow bits per byte with a slow
35 /// path storage that uses 8 bits per byte).
36 ///
37 /// The default value of shadow is 0, which means "clean" (not poisoned).
38 ///
39 /// Every module initializer should call __msan_init to ensure that the
40 /// shadow memory is ready. On error, __msan_warning is called. Since
41 /// parameters and return values may be passed via registers, we have a
42 /// specialized thread-local shadow for return values
43 /// (__msan_retval_tls) and parameters (__msan_param_tls).
44 ///
45 /// Origin tracking.
46 ///
47 /// MemorySanitizer can track origins (allocation points) of all uninitialized
48 /// values. This behavior is controlled with a flag (msan-track-origins) and is
49 /// disabled by default.
50 ///
51 /// Origins are 4-byte values created and interpreted by the runtime library.
52 /// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
53 /// of application memory. Propagation of origins is basically a bunch of
54 /// "select" instructions that pick the origin of a dirty argument, if an
55 /// instruction has one.
56 ///
57 /// Every 4 aligned, consecutive bytes of application memory have one origin
58 /// value associated with them. If these bytes contain uninitialized data
59 /// coming from 2 different allocations, the last store wins. Because of this,
60 /// MemorySanitizer reports can show unrelated origins, but this is unlikely in
61 /// practice.
62 ///
63 /// Origins are meaningless for fully initialized values, so MemorySanitizer
64 /// avoids storing origin to memory when a fully initialized value is stored.
65 /// This way it avoids needless overwriting origin of the 4-byte region on
66 /// a short (i.e. 1 byte) clean store, and it is also good for performance.
67 ///
68 /// Atomic handling.
69 ///
70 /// Ideally, every atomic store of application value should update the
71 /// corresponding shadow location in an atomic way. Unfortunately, atomic store
72 /// of two disjoint locations can not be done without severe slowdown.
73 ///
74 /// Therefore, we implement an approximation that may err on the safe side.
75 /// In this implementation, every atomically accessed location in the program
76 /// may only change from (partially) uninitialized to fully initialized, but
77 /// not the other way around. We load the shadow _after_ the application load,
78 /// and we store the shadow _before_ the app store. Also, we always store clean
79 /// shadow (if the application store is atomic). This way, if the store-load
80 /// pair constitutes a happens-before arc, shadow store and load are correctly
81 /// ordered such that the load will get either the value that was stored, or
82 /// some later value (which is always clean).
83 ///
84 /// This does not work very well with Compare-And-Swap (CAS) and
85 /// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
86 /// must store the new shadow before the app operation, and load the shadow
87 /// after the app operation. Computers don't work this way. Current
88 /// implementation ignores the load aspect of CAS/RMW, always returning a clean
89 /// value. It implements the store part as a simple atomic store by storing a
90 /// clean shadow.
91 ///
92 /// Instrumenting inline assembly.
93 ///
94 /// For inline assembly code LLVM has little idea about which memory locations
95 /// become initialized depending on the arguments. It can be possible to figure
96 /// out which arguments are meant to point to inputs and outputs, but the
97 /// actual semantics can be only visible at runtime. In the Linux kernel it's
98 /// also possible that the arguments only indicate the offset for a base taken
99 /// from a segment register, so it's dangerous to treat any asm() arguments as
100 /// pointers. We take a conservative approach generating calls to
101 /// __msan_instrument_asm_store(ptr, size)
102 /// , which defer the memory unpoisoning to the runtime library.
103 /// The latter can perform more complex address checks to figure out whether
104 /// it's safe to touch the shadow memory.
105 /// Like with atomic operations, we call __msan_instrument_asm_store() before
106 /// the assembly call, so that changes to the shadow memory will be seen by
107 /// other threads together with main memory initialization.
108 ///
109 /// KernelMemorySanitizer (KMSAN) implementation.
110 ///
111 /// The major differences between KMSAN and MSan instrumentation are:
112 /// - KMSAN always tracks the origins and implies msan-keep-going=true;
113 /// - KMSAN allocates shadow and origin memory for each page separately, so
114 /// there are no explicit accesses to shadow and origin in the
115 /// instrumentation.
116 /// Shadow and origin values for a particular X-byte memory location
117 /// (X=1,2,4,8) are accessed through pointers obtained via the
118 /// __msan_metadata_ptr_for_load_X(ptr)
119 /// __msan_metadata_ptr_for_store_X(ptr)
120 /// functions. The corresponding functions check that the X-byte accesses
121 /// are possible and returns the pointers to shadow and origin memory.
122 /// Arbitrary sized accesses are handled with:
123 /// __msan_metadata_ptr_for_load_n(ptr, size)
124 /// __msan_metadata_ptr_for_store_n(ptr, size);
125 /// - TLS variables are stored in a single per-task struct. A call to a
126 /// function __msan_get_context_state() returning a pointer to that struct
127 /// is inserted into every instrumented function before the entry block;
128 /// - __msan_warning() takes a 32-bit origin parameter;
129 /// - local variables are poisoned with __msan_poison_alloca() upon function
130 /// entry and unpoisoned with __msan_unpoison_alloca() before leaving the
131 /// function;
132 /// - the pass doesn't declare any global variables or add global constructors
133 /// to the translation unit.
134 ///
135 /// Also, KMSAN currently ignores uninitialized memory passed into inline asm
136 /// calls, making sure we're on the safe side wrt. possible false positives.
137 ///
138 /// KernelMemorySanitizer only supports X86_64 at the moment.
139 ///
140 //
141 // FIXME: This sanitizer does not yet handle scalable vectors
142 //
143 //===----------------------------------------------------------------------===//
144
145 #include "llvm/Transforms/Instrumentation/MemorySanitizer.h"
146 #include "llvm/ADT/APInt.h"
147 #include "llvm/ADT/ArrayRef.h"
148 #include "llvm/ADT/DepthFirstIterator.h"
149 #include "llvm/ADT/SmallSet.h"
150 #include "llvm/ADT/SmallString.h"
151 #include "llvm/ADT/SmallVector.h"
152 #include "llvm/ADT/StringExtras.h"
153 #include "llvm/ADT/StringRef.h"
154 #include "llvm/ADT/Triple.h"
155 #include "llvm/Analysis/TargetLibraryInfo.h"
156 #include "llvm/Analysis/ValueTracking.h"
157 #include "llvm/IR/Argument.h"
158 #include "llvm/IR/Attributes.h"
159 #include "llvm/IR/BasicBlock.h"
160 #include "llvm/IR/CallingConv.h"
161 #include "llvm/IR/Constant.h"
162 #include "llvm/IR/Constants.h"
163 #include "llvm/IR/DataLayout.h"
164 #include "llvm/IR/DerivedTypes.h"
165 #include "llvm/IR/Function.h"
166 #include "llvm/IR/GlobalValue.h"
167 #include "llvm/IR/GlobalVariable.h"
168 #include "llvm/IR/IRBuilder.h"
169 #include "llvm/IR/InlineAsm.h"
170 #include "llvm/IR/InstVisitor.h"
171 #include "llvm/IR/InstrTypes.h"
172 #include "llvm/IR/Instruction.h"
173 #include "llvm/IR/Instructions.h"
174 #include "llvm/IR/IntrinsicInst.h"
175 #include "llvm/IR/Intrinsics.h"
176 #include "llvm/IR/IntrinsicsX86.h"
177 #include "llvm/IR/LLVMContext.h"
178 #include "llvm/IR/MDBuilder.h"
179 #include "llvm/IR/Module.h"
180 #include "llvm/IR/Type.h"
181 #include "llvm/IR/Value.h"
182 #include "llvm/IR/ValueMap.h"
183 #include "llvm/InitializePasses.h"
184 #include "llvm/Pass.h"
185 #include "llvm/Support/AtomicOrdering.h"
186 #include "llvm/Support/Casting.h"
187 #include "llvm/Support/CommandLine.h"
188 #include "llvm/Support/Compiler.h"
189 #include "llvm/Support/Debug.h"
190 #include "llvm/Support/ErrorHandling.h"
191 #include "llvm/Support/MathExtras.h"
192 #include "llvm/Support/raw_ostream.h"
193 #include "llvm/Transforms/Instrumentation.h"
194 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
195 #include "llvm/Transforms/Utils/Local.h"
196 #include "llvm/Transforms/Utils/ModuleUtils.h"
197 #include <algorithm>
198 #include <cassert>
199 #include <cstddef>
200 #include <cstdint>
201 #include <memory>
202 #include <string>
203 #include <tuple>
204
205 using namespace llvm;
206
207 #define DEBUG_TYPE "msan"
208
209 static const unsigned kOriginSize = 4;
210 static const Align kMinOriginAlignment = Align(4);
211 static const Align kShadowTLSAlignment = Align(8);
212
213 // These constants must be kept in sync with the ones in msan.h.
214 static const unsigned kParamTLSSize = 800;
215 static const unsigned kRetvalTLSSize = 800;
216
217 // Accesses sizes are powers of two: 1, 2, 4, 8.
218 static const size_t kNumberOfAccessSizes = 4;
219
220 /// Track origins of uninitialized values.
221 ///
222 /// Adds a section to MemorySanitizer report that points to the allocation
223 /// (stack or heap) the uninitialized bits came from originally.
224 static cl::opt<int> ClTrackOrigins("msan-track-origins",
225 cl::desc("Track origins (allocation sites) of poisoned memory"),
226 cl::Hidden, cl::init(0));
227
228 static cl::opt<bool> ClKeepGoing("msan-keep-going",
229 cl::desc("keep going after reporting a UMR"),
230 cl::Hidden, cl::init(false));
231
232 static cl::opt<bool> ClPoisonStack("msan-poison-stack",
233 cl::desc("poison uninitialized stack variables"),
234 cl::Hidden, cl::init(true));
235
236 static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call",
237 cl::desc("poison uninitialized stack variables with a call"),
238 cl::Hidden, cl::init(false));
239
240 static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern",
241 cl::desc("poison uninitialized stack variables with the given pattern"),
242 cl::Hidden, cl::init(0xff));
243
244 static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
245 cl::desc("poison undef temps"),
246 cl::Hidden, cl::init(true));
247
248 static cl::opt<bool> ClHandleICmp("msan-handle-icmp",
249 cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
250 cl::Hidden, cl::init(true));
251
252 static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact",
253 cl::desc("exact handling of relational integer ICmp"),
254 cl::Hidden, cl::init(false));
255
256 static cl::opt<bool> ClHandleLifetimeIntrinsics(
257 "msan-handle-lifetime-intrinsics",
258 cl::desc(
259 "when possible, poison scoped variables at the beginning of the scope "
260 "(slower, but more precise)"),
261 cl::Hidden, cl::init(true));
262
263 // When compiling the Linux kernel, we sometimes see false positives related to
264 // MSan being unable to understand that inline assembly calls may initialize
265 // local variables.
266 // This flag makes the compiler conservatively unpoison every memory location
267 // passed into an assembly call. Note that this may cause false positives.
268 // Because it's impossible to figure out the array sizes, we can only unpoison
269 // the first sizeof(type) bytes for each type* pointer.
270 // The instrumentation is only enabled in KMSAN builds, and only if
271 // -msan-handle-asm-conservative is on. This is done because we may want to
272 // quickly disable assembly instrumentation when it breaks.
273 static cl::opt<bool> ClHandleAsmConservative(
274 "msan-handle-asm-conservative",
275 cl::desc("conservative handling of inline assembly"), cl::Hidden,
276 cl::init(true));
277
278 // This flag controls whether we check the shadow of the address
279 // operand of load or store. Such bugs are very rare, since load from
280 // a garbage address typically results in SEGV, but still happen
281 // (e.g. only lower bits of address are garbage, or the access happens
282 // early at program startup where malloc-ed memory is more likely to
283 // be zeroed. As of 2012-08-28 this flag adds 20% slowdown.
284 static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address",
285 cl::desc("report accesses through a pointer which has poisoned shadow"),
286 cl::Hidden, cl::init(true));
287
288 static cl::opt<bool> ClEagerChecks(
289 "msan-eager-checks",
290 cl::desc("check arguments and return values at function call boundaries"),
291 cl::Hidden, cl::init(false));
292
293 static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions",
294 cl::desc("print out instructions with default strict semantics"),
295 cl::Hidden, cl::init(false));
296
297 static cl::opt<int> ClInstrumentationWithCallThreshold(
298 "msan-instrumentation-with-call-threshold",
299 cl::desc(
300 "If the function being instrumented requires more than "
301 "this number of checks and origin stores, use callbacks instead of "
302 "inline checks (-1 means never use callbacks)."),
303 cl::Hidden, cl::init(3500));
304
305 static cl::opt<bool>
306 ClEnableKmsan("msan-kernel",
307 cl::desc("Enable KernelMemorySanitizer instrumentation"),
308 cl::Hidden, cl::init(false));
309
310 // This is an experiment to enable handling of cases where shadow is a non-zero
311 // compile-time constant. For some unexplainable reason they were silently
312 // ignored in the instrumentation.
313 static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
314 cl::desc("Insert checks for constant shadow values"),
315 cl::Hidden, cl::init(false));
316
317 // This is off by default because of a bug in gold:
318 // https://sourceware.org/bugzilla/show_bug.cgi?id=19002
319 static cl::opt<bool> ClWithComdat("msan-with-comdat",
320 cl::desc("Place MSan constructors in comdat sections"),
321 cl::Hidden, cl::init(false));
322
323 // These options allow to specify custom memory map parameters
324 // See MemoryMapParams for details.
325 static cl::opt<uint64_t> ClAndMask("msan-and-mask",
326 cl::desc("Define custom MSan AndMask"),
327 cl::Hidden, cl::init(0));
328
329 static cl::opt<uint64_t> ClXorMask("msan-xor-mask",
330 cl::desc("Define custom MSan XorMask"),
331 cl::Hidden, cl::init(0));
332
333 static cl::opt<uint64_t> ClShadowBase("msan-shadow-base",
334 cl::desc("Define custom MSan ShadowBase"),
335 cl::Hidden, cl::init(0));
336
337 static cl::opt<uint64_t> ClOriginBase("msan-origin-base",
338 cl::desc("Define custom MSan OriginBase"),
339 cl::Hidden, cl::init(0));
340
341 const char kMsanModuleCtorName[] = "msan.module_ctor";
342 const char kMsanInitName[] = "__msan_init";
343
344 namespace {
345
346 // Memory map parameters used in application-to-shadow address calculation.
347 // Offset = (Addr & ~AndMask) ^ XorMask
348 // Shadow = ShadowBase + Offset
349 // Origin = OriginBase + Offset
350 struct MemoryMapParams {
351 uint64_t AndMask;
352 uint64_t XorMask;
353 uint64_t ShadowBase;
354 uint64_t OriginBase;
355 };
356
357 struct PlatformMemoryMapParams {
358 const MemoryMapParams *bits32;
359 const MemoryMapParams *bits64;
360 };
361
362 } // end anonymous namespace
363
364 // i386 Linux
365 static const MemoryMapParams Linux_I386_MemoryMapParams = {
366 0x000080000000, // AndMask
367 0, // XorMask (not used)
368 0, // ShadowBase (not used)
369 0x000040000000, // OriginBase
370 };
371
372 // x86_64 Linux
373 static const MemoryMapParams Linux_X86_64_MemoryMapParams = {
374 #ifdef MSAN_LINUX_X86_64_OLD_MAPPING
375 0x400000000000, // AndMask
376 0, // XorMask (not used)
377 0, // ShadowBase (not used)
378 0x200000000000, // OriginBase
379 #else
380 0, // AndMask (not used)
381 0x500000000000, // XorMask
382 0, // ShadowBase (not used)
383 0x100000000000, // OriginBase
384 #endif
385 };
386
387 // mips64 Linux
388 static const MemoryMapParams Linux_MIPS64_MemoryMapParams = {
389 0, // AndMask (not used)
390 0x008000000000, // XorMask
391 0, // ShadowBase (not used)
392 0x002000000000, // OriginBase
393 };
394
395 // ppc64 Linux
396 static const MemoryMapParams Linux_PowerPC64_MemoryMapParams = {
397 0xE00000000000, // AndMask
398 0x100000000000, // XorMask
399 0x080000000000, // ShadowBase
400 0x1C0000000000, // OriginBase
401 };
402
403 // s390x Linux
404 static const MemoryMapParams Linux_S390X_MemoryMapParams = {
405 0xC00000000000, // AndMask
406 0, // XorMask (not used)
407 0x080000000000, // ShadowBase
408 0x1C0000000000, // OriginBase
409 };
410
411 // aarch64 Linux
412 static const MemoryMapParams Linux_AArch64_MemoryMapParams = {
413 0, // AndMask (not used)
414 0x06000000000, // XorMask
415 0, // ShadowBase (not used)
416 0x01000000000, // OriginBase
417 };
418
419 // i386 FreeBSD
420 static const MemoryMapParams FreeBSD_I386_MemoryMapParams = {
421 0x000180000000, // AndMask
422 0x000040000000, // XorMask
423 0x000020000000, // ShadowBase
424 0x000700000000, // OriginBase
425 };
426
427 // x86_64 FreeBSD
428 static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams = {
429 0xc00000000000, // AndMask
430 0x200000000000, // XorMask
431 0x100000000000, // ShadowBase
432 0x380000000000, // OriginBase
433 };
434
435 // x86_64 NetBSD
436 static const MemoryMapParams NetBSD_X86_64_MemoryMapParams = {
437 0, // AndMask
438 0x500000000000, // XorMask
439 0, // ShadowBase
440 0x100000000000, // OriginBase
441 };
442
443 static const PlatformMemoryMapParams Linux_X86_MemoryMapParams = {
444 &Linux_I386_MemoryMapParams,
445 &Linux_X86_64_MemoryMapParams,
446 };
447
448 static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams = {
449 nullptr,
450 &Linux_MIPS64_MemoryMapParams,
451 };
452
453 static const PlatformMemoryMapParams Linux_PowerPC_MemoryMapParams = {
454 nullptr,
455 &Linux_PowerPC64_MemoryMapParams,
456 };
457
458 static const PlatformMemoryMapParams Linux_S390_MemoryMapParams = {
459 nullptr,
460 &Linux_S390X_MemoryMapParams,
461 };
462
463 static const PlatformMemoryMapParams Linux_ARM_MemoryMapParams = {
464 nullptr,
465 &Linux_AArch64_MemoryMapParams,
466 };
467
468 static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams = {
469 &FreeBSD_I386_MemoryMapParams,
470 &FreeBSD_X86_64_MemoryMapParams,
471 };
472
473 static const PlatformMemoryMapParams NetBSD_X86_MemoryMapParams = {
474 nullptr,
475 &NetBSD_X86_64_MemoryMapParams,
476 };
477
478 namespace {
479
480 /// Instrument functions of a module to detect uninitialized reads.
481 ///
482 /// Instantiating MemorySanitizer inserts the msan runtime library API function
483 /// declarations into the module if they don't exist already. Instantiating
484 /// ensures the __msan_init function is in the list of global constructors for
485 /// the module.
486 class MemorySanitizer {
487 public:
488 MemorySanitizer(Module &M, MemorySanitizerOptions Options)
489 : CompileKernel(Options.Kernel), TrackOrigins(Options.TrackOrigins),
490 Recover(Options.Recover) {
491 initializeModule(M);
492 }
493
494 // MSan cannot be moved or copied because of MapParams.
495 MemorySanitizer(MemorySanitizer &&) = delete;
496 MemorySanitizer &operator=(MemorySanitizer &&) = delete;
497 MemorySanitizer(const MemorySanitizer &) = delete;
498 MemorySanitizer &operator=(const MemorySanitizer &) = delete;
499
500 bool sanitizeFunction(Function &F, TargetLibraryInfo &TLI);
501
502 private:
503 friend struct MemorySanitizerVisitor;
504 friend struct VarArgAMD64Helper;
505 friend struct VarArgMIPS64Helper;
506 friend struct VarArgAArch64Helper;
507 friend struct VarArgPowerPC64Helper;
508 friend struct VarArgSystemZHelper;
509
510 void initializeModule(Module &M);
511 void initializeCallbacks(Module &M);
512 void createKernelApi(Module &M);
513 void createUserspaceApi(Module &M);
514
515 /// True if we're compiling the Linux kernel.
516 bool CompileKernel;
517 /// Track origins (allocation points) of uninitialized values.
518 int TrackOrigins;
519 bool Recover;
520
521 LLVMContext *C;
522 Type *IntptrTy;
523 Type *OriginTy;
524
525 // XxxTLS variables represent the per-thread state in MSan and per-task state
526 // in KMSAN.
527 // For the userspace these point to thread-local globals. In the kernel land
528 // they point to the members of a per-task struct obtained via a call to
529 // __msan_get_context_state().
530
531 /// Thread-local shadow storage for function parameters.
532 Value *ParamTLS;
533
534 /// Thread-local origin storage for function parameters.
535 Value *ParamOriginTLS;
536
537 /// Thread-local shadow storage for function return value.
538 Value *RetvalTLS;
539
540 /// Thread-local origin storage for function return value.
541 Value *RetvalOriginTLS;
542
543 /// Thread-local shadow storage for in-register va_arg function
544 /// parameters (x86_64-specific).
545 Value *VAArgTLS;
546
547 /// Thread-local shadow storage for in-register va_arg function
548 /// parameters (x86_64-specific).
549 Value *VAArgOriginTLS;
550
551 /// Thread-local shadow storage for va_arg overflow area
552 /// (x86_64-specific).
553 Value *VAArgOverflowSizeTLS;
554
555 /// Are the instrumentation callbacks set up?
556 bool CallbacksInitialized = false;
557
558 /// The run-time callback to print a warning.
559 FunctionCallee WarningFn;
560
561 // These arrays are indexed by log2(AccessSize).
562 FunctionCallee MaybeWarningFn[kNumberOfAccessSizes];
563 FunctionCallee MaybeStoreOriginFn[kNumberOfAccessSizes];
564
565 /// Run-time helper that generates a new origin value for a stack
566 /// allocation.
567 FunctionCallee MsanSetAllocaOrigin4Fn;
568
569 /// Run-time helper that poisons stack on function entry.
570 FunctionCallee MsanPoisonStackFn;
571
572 /// Run-time helper that records a store (or any event) of an
573 /// uninitialized value and returns an updated origin id encoding this info.
574 FunctionCallee MsanChainOriginFn;
575
576 /// Run-time helper that paints an origin over a region.
577 FunctionCallee MsanSetOriginFn;
578
579 /// MSan runtime replacements for memmove, memcpy and memset.
580 FunctionCallee MemmoveFn, MemcpyFn, MemsetFn;
581
582 /// KMSAN callback for task-local function argument shadow.
583 StructType *MsanContextStateTy;
584 FunctionCallee MsanGetContextStateFn;
585
586 /// Functions for poisoning/unpoisoning local variables
587 FunctionCallee MsanPoisonAllocaFn, MsanUnpoisonAllocaFn;
588
589 /// Each of the MsanMetadataPtrXxx functions returns a pair of shadow/origin
590 /// pointers.
591 FunctionCallee MsanMetadataPtrForLoadN, MsanMetadataPtrForStoreN;
592 FunctionCallee MsanMetadataPtrForLoad_1_8[4];
593 FunctionCallee MsanMetadataPtrForStore_1_8[4];
594 FunctionCallee MsanInstrumentAsmStoreFn;
595
596 /// Helper to choose between different MsanMetadataPtrXxx().
597 FunctionCallee getKmsanShadowOriginAccessFn(bool isStore, int size);
598
599 /// Memory map parameters used in application-to-shadow calculation.
600 const MemoryMapParams *MapParams;
601
602 /// Custom memory map parameters used when -msan-shadow-base or
603 // -msan-origin-base is provided.
604 MemoryMapParams CustomMapParams;
605
606 MDNode *ColdCallWeights;
607
608 /// Branch weights for origin store.
609 MDNode *OriginStoreWeights;
610 };
611
612 void insertModuleCtor(Module &M) {
613 getOrCreateSanitizerCtorAndInitFunctions(
614 M, kMsanModuleCtorName, kMsanInitName,
615 /*InitArgTypes=*/{},
616 /*InitArgs=*/{},
617 // This callback is invoked when the functions are created the first
618 // time. Hook them into the global ctors list in that case:
619 [&](Function *Ctor, FunctionCallee) {
620 if (!ClWithComdat) {
621 appendToGlobalCtors(M, Ctor, 0);
622 return;
623 }
624 Comdat *MsanCtorComdat = M.getOrInsertComdat(kMsanModuleCtorName);
625 Ctor->setComdat(MsanCtorComdat);
626 appendToGlobalCtors(M, Ctor, 0, Ctor);
627 });
628 }
629
630 /// A legacy function pass for msan instrumentation.
631 ///
632 /// Instruments functions to detect uninitialized reads.
633 struct MemorySanitizerLegacyPass : public FunctionPass {
634 // Pass identification, replacement for typeid.
635 static char ID;
636
637 MemorySanitizerLegacyPass(MemorySanitizerOptions Options = {})
638 : FunctionPass(ID), Options(Options) {
639 initializeMemorySanitizerLegacyPassPass(*PassRegistry::getPassRegistry());
640 }
641 StringRef getPassName() const override { return "MemorySanitizerLegacyPass"; }
642
643 void getAnalysisUsage(AnalysisUsage &AU) const override {
644 AU.addRequired<TargetLibraryInfoWrapperPass>();
645 }
646
647 bool runOnFunction(Function &F) override {
648 return MSan->sanitizeFunction(
649 F, getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(F));
650 }
651 bool doInitialization(Module &M) override;
652
653 Optional<MemorySanitizer> MSan;
654 MemorySanitizerOptions Options;
655 };
656
657 template <class T> T getOptOrDefault(const cl::opt<T> &Opt, T Default) {
658 return (Opt.getNumOccurrences() > 0) ? Opt : Default;
659 }
660
661 } // end anonymous namespace
662
663 MemorySanitizerOptions::MemorySanitizerOptions(int TO, bool R, bool K)
664 : Kernel(getOptOrDefault(ClEnableKmsan, K)),
665 TrackOrigins(getOptOrDefault(ClTrackOrigins, Kernel ? 2 : TO)),
666 Recover(getOptOrDefault(ClKeepGoing, Kernel || R)) {}
667
668 PreservedAnalyses MemorySanitizerPass::run(Function &F,
669 FunctionAnalysisManager &FAM) {
670 MemorySanitizer Msan(*F.getParent(), Options);
671 if (Msan.sanitizeFunction(F, FAM.getResult<TargetLibraryAnalysis>(F)))
672 return PreservedAnalyses::none();
673 return PreservedAnalyses::all();
674 }
675
676 PreservedAnalyses MemorySanitizerPass::run(Module &M,
677 ModuleAnalysisManager &AM) {
678 if (Options.Kernel)
679 return PreservedAnalyses::all();
680 insertModuleCtor(M);
681 return PreservedAnalyses::none();
682 }
683
684 char MemorySanitizerLegacyPass::ID = 0;
685
686 INITIALIZE_PASS_BEGIN(MemorySanitizerLegacyPass, "msan",
687 "MemorySanitizer: detects uninitialized reads.", false,
688 false)
689 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
690 INITIALIZE_PASS_END(MemorySanitizerLegacyPass, "msan",
691 "MemorySanitizer: detects uninitialized reads.", false,
692 false)
693
694 FunctionPass *
695 llvm::createMemorySanitizerLegacyPassPass(MemorySanitizerOptions Options) {
696 return new MemorySanitizerLegacyPass(Options);
697 }
698
699 /// Create a non-const global initialized with the given string.
700 ///
701 /// Creates a writable global for Str so that we can pass it to the
702 /// run-time lib. Runtime uses first 4 bytes of the string to store the
703 /// frame ID, so the string needs to be mutable.
704 static GlobalVariable *createPrivateNonConstGlobalForString(Module &M,
705 StringRef Str) {
706 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
707 return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false,
708 GlobalValue::PrivateLinkage, StrConst, "");
709 }
710
711 /// Create KMSAN API callbacks.
712 void MemorySanitizer::createKernelApi(Module &M) {
713 IRBuilder<> IRB(*C);
714
715 // These will be initialized in insertKmsanPrologue().
716 RetvalTLS = nullptr;
717 RetvalOriginTLS = nullptr;
718 ParamTLS = nullptr;
719 ParamOriginTLS = nullptr;
720 VAArgTLS = nullptr;
721 VAArgOriginTLS = nullptr;
722 VAArgOverflowSizeTLS = nullptr;
723
724 WarningFn = M.getOrInsertFunction("__msan_warning", IRB.getVoidTy(),
725 IRB.getInt32Ty());
726 // Requests the per-task context state (kmsan_context_state*) from the
727 // runtime library.
728 MsanContextStateTy = StructType::get(
729 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
730 ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8),
731 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
732 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), /* va_arg_origin */
733 IRB.getInt64Ty(), ArrayType::get(OriginTy, kParamTLSSize / 4), OriginTy,
734 OriginTy);
735 MsanGetContextStateFn = M.getOrInsertFunction(
736 "__msan_get_context_state", PointerType::get(MsanContextStateTy, 0));
737
738 Type *RetTy = StructType::get(PointerType::get(IRB.getInt8Ty(), 0),
739 PointerType::get(IRB.getInt32Ty(), 0));
740
741 for (int ind = 0, size = 1; ind < 4; ind++, size <<= 1) {
742 std::string name_load =
743 "__msan_metadata_ptr_for_load_" + std::to_string(size);
744 std::string name_store =
745 "__msan_metadata_ptr_for_store_" + std::to_string(size);
746 MsanMetadataPtrForLoad_1_8[ind] = M.getOrInsertFunction(
747 name_load, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
748 MsanMetadataPtrForStore_1_8[ind] = M.getOrInsertFunction(
749 name_store, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
750 }
751
752 MsanMetadataPtrForLoadN = M.getOrInsertFunction(
753 "__msan_metadata_ptr_for_load_n", RetTy,
754 PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
755 MsanMetadataPtrForStoreN = M.getOrInsertFunction(
756 "__msan_metadata_ptr_for_store_n", RetTy,
757 PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
758
759 // Functions for poisoning and unpoisoning memory.
760 MsanPoisonAllocaFn =
761 M.getOrInsertFunction("__msan_poison_alloca", IRB.getVoidTy(),
762 IRB.getInt8PtrTy(), IntptrTy, IRB.getInt8PtrTy());
763 MsanUnpoisonAllocaFn = M.getOrInsertFunction(
764 "__msan_unpoison_alloca", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy);
765 }
766
767 static Constant *getOrInsertGlobal(Module &M, StringRef Name, Type *Ty) {
768 return M.getOrInsertGlobal(Name, Ty, [&] {
769 return new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage,
770 nullptr, Name, nullptr,
771 GlobalVariable::InitialExecTLSModel);
772 });
773 }
774
775 /// Insert declarations for userspace-specific functions and globals.
776 void MemorySanitizer::createUserspaceApi(Module &M) {
777 IRBuilder<> IRB(*C);
778
779 // Create the callback.
780 // FIXME: this function should have "Cold" calling conv,
781 // which is not yet implemented.
782 StringRef WarningFnName = Recover ? "__msan_warning_with_origin"
783 : "__msan_warning_with_origin_noreturn";
784 WarningFn =
785 M.getOrInsertFunction(WarningFnName, IRB.getVoidTy(), IRB.getInt32Ty());
786
787 // Create the global TLS variables.
788 RetvalTLS =
789 getOrInsertGlobal(M, "__msan_retval_tls",
790 ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8));
791
792 RetvalOriginTLS = getOrInsertGlobal(M, "__msan_retval_origin_tls", OriginTy);
793
794 ParamTLS =
795 getOrInsertGlobal(M, "__msan_param_tls",
796 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
797
798 ParamOriginTLS =
799 getOrInsertGlobal(M, "__msan_param_origin_tls",
800 ArrayType::get(OriginTy, kParamTLSSize / 4));
801
802 VAArgTLS =
803 getOrInsertGlobal(M, "__msan_va_arg_tls",
804 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
805
806 VAArgOriginTLS =
807 getOrInsertGlobal(M, "__msan_va_arg_origin_tls",
808 ArrayType::get(OriginTy, kParamTLSSize / 4));
809
810 VAArgOverflowSizeTLS =
811 getOrInsertGlobal(M, "__msan_va_arg_overflow_size_tls", IRB.getInt64Ty());
812
813 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
814 AccessSizeIndex++) {
815 unsigned AccessSize = 1 << AccessSizeIndex;
816 std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize);
817 SmallVector<std::pair<unsigned, Attribute>, 2> MaybeWarningFnAttrs;
818 MaybeWarningFnAttrs.push_back(std::make_pair(
819 AttributeList::FirstArgIndex, Attribute::get(*C, Attribute::ZExt)));
820 MaybeWarningFnAttrs.push_back(std::make_pair(
821 AttributeList::FirstArgIndex + 1, Attribute::get(*C, Attribute::ZExt)));
822 MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction(
823 FunctionName, AttributeList::get(*C, MaybeWarningFnAttrs),
824 IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), IRB.getInt32Ty());
825
826 FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize);
827 SmallVector<std::pair<unsigned, Attribute>, 2> MaybeStoreOriginFnAttrs;
828 MaybeStoreOriginFnAttrs.push_back(std::make_pair(
829 AttributeList::FirstArgIndex, Attribute::get(*C, Attribute::ZExt)));
830 MaybeStoreOriginFnAttrs.push_back(std::make_pair(
831 AttributeList::FirstArgIndex + 2, Attribute::get(*C, Attribute::ZExt)));
832 MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction(
833 FunctionName, AttributeList::get(*C, MaybeStoreOriginFnAttrs),
834 IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), IRB.getInt8PtrTy(),
835 IRB.getInt32Ty());
836 }
837
838 MsanSetAllocaOrigin4Fn = M.getOrInsertFunction(
839 "__msan_set_alloca_origin4", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy,
840 IRB.getInt8PtrTy(), IntptrTy);
841 MsanPoisonStackFn =
842 M.getOrInsertFunction("__msan_poison_stack", IRB.getVoidTy(),
843 IRB.getInt8PtrTy(), IntptrTy);
844 }
845
846 /// Insert extern declaration of runtime-provided functions and globals.
847 void MemorySanitizer::initializeCallbacks(Module &M) {
848 // Only do this once.
849 if (CallbacksInitialized)
850 return;
851
852 IRBuilder<> IRB(*C);
853 // Initialize callbacks that are common for kernel and userspace
854 // instrumentation.
855 MsanChainOriginFn = M.getOrInsertFunction(
856 "__msan_chain_origin", IRB.getInt32Ty(), IRB.getInt32Ty());
857 MsanSetOriginFn =
858 M.getOrInsertFunction("__msan_set_origin", IRB.getVoidTy(),
859 IRB.getInt8PtrTy(), IntptrTy, IRB.getInt32Ty());
860 MemmoveFn = M.getOrInsertFunction(
861 "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
862 IRB.getInt8PtrTy(), IntptrTy);
863 MemcpyFn = M.getOrInsertFunction(
864 "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
865 IntptrTy);
866 MemsetFn = M.getOrInsertFunction(
867 "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(),
868 IntptrTy);
869
870 MsanInstrumentAsmStoreFn =
871 M.getOrInsertFunction("__msan_instrument_asm_store", IRB.getVoidTy(),
872 PointerType::get(IRB.getInt8Ty(), 0), IntptrTy);
873
874 if (CompileKernel) {
875 createKernelApi(M);
876 } else {
877 createUserspaceApi(M);
878 }
879 CallbacksInitialized = true;
880 }
881
882 FunctionCallee MemorySanitizer::getKmsanShadowOriginAccessFn(bool isStore,
883 int size) {
884 FunctionCallee *Fns =
885 isStore ? MsanMetadataPtrForStore_1_8 : MsanMetadataPtrForLoad_1_8;
886 switch (size) {
887 case 1:
888 return Fns[0];
889 case 2:
890 return Fns[1];
891 case 4:
892 return Fns[2];
893 case 8:
894 return Fns[3];
895 default:
896 return nullptr;
897 }
898 }
899
900 /// Module-level initialization.
901 ///
902 /// inserts a call to __msan_init to the module's constructor list.
903 void MemorySanitizer::initializeModule(Module &M) {
904 auto &DL = M.getDataLayout();
905
906 bool ShadowPassed = ClShadowBase.getNumOccurrences() > 0;
907 bool OriginPassed = ClOriginBase.getNumOccurrences() > 0;
908 // Check the overrides first
909 if (ShadowPassed || OriginPassed) {
910 CustomMapParams.AndMask = ClAndMask;
911 CustomMapParams.XorMask = ClXorMask;
912 CustomMapParams.ShadowBase = ClShadowBase;
913 CustomMapParams.OriginBase = ClOriginBase;
914 MapParams = &CustomMapParams;
915 } else {
916 Triple TargetTriple(M.getTargetTriple());
917 switch (TargetTriple.getOS()) {
918 case Triple::FreeBSD:
919 switch (TargetTriple.getArch()) {
920 case Triple::x86_64:
921 MapParams = FreeBSD_X86_MemoryMapParams.bits64;
922 break;
923 case Triple::x86:
924 MapParams = FreeBSD_X86_MemoryMapParams.bits32;
925 break;
926 default:
927 report_fatal_error("unsupported architecture");
928 }
929 break;
930 case Triple::NetBSD:
931 switch (TargetTriple.getArch()) {
932 case Triple::x86_64:
933 MapParams = NetBSD_X86_MemoryMapParams.bits64;
934 break;
935 default:
936 report_fatal_error("unsupported architecture");
937 }
938 break;
939 case Triple::Linux:
940 switch (TargetTriple.getArch()) {
941 case Triple::x86_64:
942 MapParams = Linux_X86_MemoryMapParams.bits64;
943 break;
944 case Triple::x86:
945 MapParams = Linux_X86_MemoryMapParams.bits32;
946 break;
947 case Triple::mips64:
948 case Triple::mips64el:
949 MapParams = Linux_MIPS_MemoryMapParams.bits64;
950 break;
951 case Triple::ppc64:
952 case Triple::ppc64le:
953 MapParams = Linux_PowerPC_MemoryMapParams.bits64;
954 break;
955 case Triple::systemz:
956 MapParams = Linux_S390_MemoryMapParams.bits64;
957 break;
958 case Triple::aarch64:
959 case Triple::aarch64_be:
960 MapParams = Linux_ARM_MemoryMapParams.bits64;
961 break;
962 default:
963 report_fatal_error("unsupported architecture");
964 }
965 break;
966 default:
967 report_fatal_error("unsupported operating system");
968 }
969 }
970
971 C = &(M.getContext());
972 IRBuilder<> IRB(*C);
973 IntptrTy = IRB.getIntPtrTy(DL);
974 OriginTy = IRB.getInt32Ty();
975
976 ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000);
977 OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000);
978
979 if (!CompileKernel) {
980 if (TrackOrigins)
981 M.getOrInsertGlobal("__msan_track_origins", IRB.getInt32Ty(), [&] {
982 return new GlobalVariable(
983 M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
984 IRB.getInt32(TrackOrigins), "__msan_track_origins");
985 });
986
987 if (Recover)
988 M.getOrInsertGlobal("__msan_keep_going", IRB.getInt32Ty(), [&] {
989 return new GlobalVariable(M, IRB.getInt32Ty(), true,
990 GlobalValue::WeakODRLinkage,
991 IRB.getInt32(Recover), "__msan_keep_going");
992 });
993 }
994 }
995
996 bool MemorySanitizerLegacyPass::doInitialization(Module &M) {
997 if (!Options.Kernel)
998 insertModuleCtor(M);
999 MSan.emplace(M, Options);
1000 return true;
1001 }
1002
1003 namespace {
1004
1005 /// A helper class that handles instrumentation of VarArg
1006 /// functions on a particular platform.
1007 ///
1008 /// Implementations are expected to insert the instrumentation
1009 /// necessary to propagate argument shadow through VarArg function
1010 /// calls. Visit* methods are called during an InstVisitor pass over
1011 /// the function, and should avoid creating new basic blocks. A new
1012 /// instance of this class is created for each instrumented function.
1013 struct VarArgHelper {
1014 virtual ~VarArgHelper() = default;
1015
1016 /// Visit a CallBase.
1017 virtual void visitCallBase(CallBase &CB, IRBuilder<> &IRB) = 0;
1018
1019 /// Visit a va_start call.
1020 virtual void visitVAStartInst(VAStartInst &I) = 0;
1021
1022 /// Visit a va_copy call.
1023 virtual void visitVACopyInst(VACopyInst &I) = 0;
1024
1025 /// Finalize function instrumentation.
1026 ///
1027 /// This method is called after visiting all interesting (see above)
1028 /// instructions in a function.
1029 virtual void finalizeInstrumentation() = 0;
1030 };
1031
1032 struct MemorySanitizerVisitor;
1033
1034 } // end anonymous namespace
1035
1036 static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
1037 MemorySanitizerVisitor &Visitor);
1038
1039 static unsigned TypeSizeToSizeIndex(unsigned TypeSize) {
1040 if (TypeSize <= 8) return 0;
1041 return Log2_32_Ceil((TypeSize + 7) / 8);
1042 }
1043
1044 namespace {
1045
1046 /// This class does all the work for a given function. Store and Load
1047 /// instructions store and load corresponding shadow and origin
1048 /// values. Most instructions propagate shadow from arguments to their
1049 /// return values. Certain instructions (most importantly, BranchInst)
1050 /// test their argument shadow and print reports (with a runtime call) if it's
1051 /// non-zero.
1052 struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
1053 Function &F;
1054 MemorySanitizer &MS;
1055 SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
1056 ValueMap<Value*, Value*> ShadowMap, OriginMap;
1057 std::unique_ptr<VarArgHelper> VAHelper;
1058 const TargetLibraryInfo *TLI;
1059 Instruction *FnPrologueEnd;
1060
1061 // The following flags disable parts of MSan instrumentation based on
1062 // exclusion list contents and command-line options.
1063 bool InsertChecks;
1064 bool PropagateShadow;
1065 bool PoisonStack;
1066 bool PoisonUndef;
1067
1068 struct ShadowOriginAndInsertPoint {
1069 Value *Shadow;
1070 Value *Origin;
1071 Instruction *OrigIns;
1072
1073 ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
1074 : Shadow(S), Origin(O), OrigIns(I) {}
1075 };
1076 SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
1077 bool InstrumentLifetimeStart = ClHandleLifetimeIntrinsics;
1078 SmallSet<AllocaInst *, 16> AllocaSet;
1079 SmallVector<std::pair<IntrinsicInst *, AllocaInst *>, 16> LifetimeStartList;
1080 SmallVector<StoreInst *, 16> StoreList;
1081
1082 MemorySanitizerVisitor(Function &F, MemorySanitizer &MS,
1083 const TargetLibraryInfo &TLI)
1084 : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI) {
1085 bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeMemory);
1086 InsertChecks = SanitizeFunction;
1087 PropagateShadow = SanitizeFunction;
1088 PoisonStack = SanitizeFunction && ClPoisonStack;
1089 PoisonUndef = SanitizeFunction && ClPoisonUndef;
1090
1091 // In the presence of unreachable blocks, we may see Phi nodes with
1092 // incoming nodes from such blocks. Since InstVisitor skips unreachable
1093 // blocks, such nodes will not have any shadow value associated with them.
1094 // It's easier to remove unreachable blocks than deal with missing shadow.
1095 removeUnreachableBlocks(F);
1096
1097 MS.initializeCallbacks(*F.getParent());
1098 FnPrologueEnd = IRBuilder<>(F.getEntryBlock().getFirstNonPHI())
1099 .CreateIntrinsic(Intrinsic::donothing, {}, {});
1100
1101 if (MS.CompileKernel) {
1102 IRBuilder<> IRB(FnPrologueEnd);
1103 insertKmsanPrologue(IRB);
1104 }
1105
1106 LLVM_DEBUG(if (!InsertChecks) dbgs()
1107 << "MemorySanitizer is not inserting checks into '"
1108 << F.getName() << "'\n");
1109 }
1110
1111 bool isInPrologue(Instruction &I) {
1112 return I.getParent() == FnPrologueEnd->getParent() &&
1113 (&I == FnPrologueEnd || I.comesBefore(FnPrologueEnd));
1114 }
1115
1116 Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
1117 if (MS.TrackOrigins <= 1) return V;
1118 return IRB.CreateCall(MS.MsanChainOriginFn, V);
1119 }
1120
1121 Value *originToIntptr(IRBuilder<> &IRB, Value *Origin) {
1122 const DataLayout &DL = F.getParent()->getDataLayout();
1123 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1124 if (IntptrSize == kOriginSize) return Origin;
1125 assert(IntptrSize == kOriginSize * 2);
1126 Origin = IRB.CreateIntCast(Origin, MS.IntptrTy, /* isSigned */ false);
1127 return IRB.CreateOr(Origin, IRB.CreateShl(Origin, kOriginSize * 8));
1128 }
1129
1130 /// Fill memory range with the given origin value.
1131 void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *OriginPtr,
1132 unsigned Size, Align Alignment) {
1133 const DataLayout &DL = F.getParent()->getDataLayout();
1134 const Align IntptrAlignment = DL.getABITypeAlign(MS.IntptrTy);
1135 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1136 assert(IntptrAlignment >= kMinOriginAlignment);
1137 assert(IntptrSize >= kOriginSize);
1138
1139 unsigned Ofs = 0;
1140 Align CurrentAlignment = Alignment;
1141 if (Alignment >= IntptrAlignment && IntptrSize > kOriginSize) {
1142 Value *IntptrOrigin = originToIntptr(IRB, Origin);
1143 Value *IntptrOriginPtr =
1144 IRB.CreatePointerCast(OriginPtr, PointerType::get(MS.IntptrTy, 0));
1145 for (unsigned i = 0; i < Size / IntptrSize; ++i) {
1146 Value *Ptr = i ? IRB.CreateConstGEP1_32(MS.IntptrTy, IntptrOriginPtr, i)
1147 : IntptrOriginPtr;
1148 IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment);
1149 Ofs += IntptrSize / kOriginSize;
1150 CurrentAlignment = IntptrAlignment;
1151 }
1152 }
1153
1154 for (unsigned i = Ofs; i < (Size + kOriginSize - 1) / kOriginSize; ++i) {
1155 Value *GEP =
1156 i ? IRB.CreateConstGEP1_32(MS.OriginTy, OriginPtr, i) : OriginPtr;
1157 IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment);
1158 CurrentAlignment = kMinOriginAlignment;
1159 }
1160 }
1161
1162 void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
1163 Value *OriginPtr, Align Alignment, bool AsCall) {
1164 const DataLayout &DL = F.getParent()->getDataLayout();
1165 const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1166 unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
1167 Value *ConvertedShadow = convertShadowToScalar(Shadow, IRB);
1168 if (auto *ConstantShadow = dyn_cast<Constant>(ConvertedShadow)) {
1169 if (ClCheckConstantShadow && !ConstantShadow->isZeroValue())
1170 paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
1171 OriginAlignment);
1172 return;
1173 }
1174
1175 unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
1176 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1177 if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1178 FunctionCallee Fn = MS.MaybeStoreOriginFn[SizeIndex];
1179 Value *ConvertedShadow2 =
1180 IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1181 CallBase *CB = IRB.CreateCall(
1182 Fn, {ConvertedShadow2,
1183 IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()), Origin});
1184 CB->addParamAttr(0, Attribute::ZExt);
1185 CB->addParamAttr(2, Attribute::ZExt);
1186 } else {
1187 Value *Cmp = convertToBool(ConvertedShadow, IRB, "_mscmp");
1188 Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1189 Cmp, &*IRB.GetInsertPoint(), false, MS.OriginStoreWeights);
1190 IRBuilder<> IRBNew(CheckTerm);
1191 paintOrigin(IRBNew, updateOrigin(Origin, IRBNew), OriginPtr, StoreSize,
1192 OriginAlignment);
1193 }
1194 }
1195
1196 void materializeStores(bool InstrumentWithCalls) {
1197 for (StoreInst *SI : StoreList) {
1198 IRBuilder<> IRB(SI);
1199 Value *Val = SI->getValueOperand();
1200 Value *Addr = SI->getPointerOperand();
1201 Value *Shadow = SI->isAtomic() ? getCleanShadow(Val) : getShadow(Val);
1202 Value *ShadowPtr, *OriginPtr;
1203 Type *ShadowTy = Shadow->getType();
1204 const Align Alignment = assumeAligned(SI->getAlignment());
1205 const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1206 std::tie(ShadowPtr, OriginPtr) =
1207 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ true);
1208
1209 StoreInst *NewSI = IRB.CreateAlignedStore(Shadow, ShadowPtr, Alignment);
1210 LLVM_DEBUG(dbgs() << " STORE: " << *NewSI << "\n");
1211 (void)NewSI;
1212
1213 if (SI->isAtomic())
1214 SI->setOrdering(addReleaseOrdering(SI->getOrdering()));
1215
1216 if (MS.TrackOrigins && !SI->isAtomic())
1217 storeOrigin(IRB, Addr, Shadow, getOrigin(Val), OriginPtr,
1218 OriginAlignment, InstrumentWithCalls);
1219 }
1220 }
1221
1222 /// Helper function to insert a warning at IRB's current insert point.
1223 void insertWarningFn(IRBuilder<> &IRB, Value *Origin) {
1224 if (!Origin)
1225 Origin = (Value *)IRB.getInt32(0);
1226 assert(Origin->getType()->isIntegerTy());
1227 IRB.CreateCall(MS.WarningFn, Origin)->setCannotMerge();
1228 // FIXME: Insert UnreachableInst if !MS.Recover?
1229 // This may invalidate some of the following checks and needs to be done
1230 // at the very end.
1231 }
1232
1233 void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
1234 bool AsCall) {
1235 IRBuilder<> IRB(OrigIns);
1236 LLVM_DEBUG(dbgs() << " SHAD0 : " << *Shadow << "\n");
1237 Value *ConvertedShadow = convertShadowToScalar(Shadow, IRB);
1238 LLVM_DEBUG(dbgs() << " SHAD1 : " << *ConvertedShadow << "\n");
1239
1240 if (auto *ConstantShadow = dyn_cast<Constant>(ConvertedShadow)) {
1241 if (ClCheckConstantShadow && !ConstantShadow->isZeroValue()) {
1242 insertWarningFn(IRB, Origin);
1243 }
1244 return;
1245 }
1246
1247 const DataLayout &DL = OrigIns->getModule()->getDataLayout();
1248
1249 unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
1250 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1251 if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1252 FunctionCallee Fn = MS.MaybeWarningFn[SizeIndex];
1253 Value *ConvertedShadow2 =
1254 IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1255 CallBase *CB = IRB.CreateCall(
1256 Fn, {ConvertedShadow2,
1257 MS.TrackOrigins && Origin ? Origin : (Value *)IRB.getInt32(0)});
1258 CB->addParamAttr(0, Attribute::ZExt);
1259 CB->addParamAttr(1, Attribute::ZExt);
1260 } else {
1261 Value *Cmp = convertToBool(ConvertedShadow, IRB, "_mscmp");
1262 Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1263 Cmp, OrigIns,
1264 /* Unreachable */ !MS.Recover, MS.ColdCallWeights);
1265
1266 IRB.SetInsertPoint(CheckTerm);
1267 insertWarningFn(IRB, Origin);
1268 LLVM_DEBUG(dbgs() << " CHECK: " << *Cmp << "\n");
1269 }
1270 }
1271
1272 void materializeChecks(bool InstrumentWithCalls) {
1273 for (const auto &ShadowData : InstrumentationList) {
1274 Instruction *OrigIns = ShadowData.OrigIns;
1275 Value *Shadow = ShadowData.Shadow;
1276 Value *Origin = ShadowData.Origin;
1277 materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
1278 }
1279 LLVM_DEBUG(dbgs() << "DONE:\n" << F);
1280 }
1281
1282 // Returns the last instruction in the new prologue
1283 void insertKmsanPrologue(IRBuilder<> &IRB) {
1284 Value *ContextState = IRB.CreateCall(MS.MsanGetContextStateFn, {});
1285 Constant *Zero = IRB.getInt32(0);
1286 MS.ParamTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1287 {Zero, IRB.getInt32(0)}, "param_shadow");
1288 MS.RetvalTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1289 {Zero, IRB.getInt32(1)}, "retval_shadow");
1290 MS.VAArgTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1291 {Zero, IRB.getInt32(2)}, "va_arg_shadow");
1292 MS.VAArgOriginTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1293 {Zero, IRB.getInt32(3)}, "va_arg_origin");
1294 MS.VAArgOverflowSizeTLS =
1295 IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1296 {Zero, IRB.getInt32(4)}, "va_arg_overflow_size");
1297 MS.ParamOriginTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1298 {Zero, IRB.getInt32(5)}, "param_origin");
1299 MS.RetvalOriginTLS =
1300 IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1301 {Zero, IRB.getInt32(6)}, "retval_origin");
1302 }
1303
1304 /// Add MemorySanitizer instrumentation to a function.
1305 bool runOnFunction() {
1306 // Iterate all BBs in depth-first order and create shadow instructions
1307 // for all instructions (where applicable).
1308 // For PHI nodes we create dummy shadow PHIs which will be finalized later.
1309 for (BasicBlock *BB : depth_first(FnPrologueEnd->getParent()))
1310 visit(*BB);
1311
1312 // Finalize PHI nodes.
1313 for (PHINode *PN : ShadowPHINodes) {
1314 PHINode *PNS = cast<PHINode>(getShadow(PN));
1315 PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
1316 size_t NumValues = PN->getNumIncomingValues();
1317 for (size_t v = 0; v < NumValues; v++) {
1318 PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
1319 if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
1320 }
1321 }
1322
1323 VAHelper->finalizeInstrumentation();
1324
1325 // Poison llvm.lifetime.start intrinsics, if we haven't fallen back to
1326 // instrumenting only allocas.
1327 if (InstrumentLifetimeStart) {
1328 for (auto Item : LifetimeStartList) {
1329 instrumentAlloca(*Item.second, Item.first);
1330 AllocaSet.erase(Item.second);
1331 }
1332 }
1333 // Poison the allocas for which we didn't instrument the corresponding
1334 // lifetime intrinsics.
1335 for (AllocaInst *AI : AllocaSet)
1336 instrumentAlloca(*AI);
1337
1338 bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 &&
1339 InstrumentationList.size() + StoreList.size() >
1340 (unsigned)ClInstrumentationWithCallThreshold;
1341
1342 // Insert shadow value checks.
1343 materializeChecks(InstrumentWithCalls);
1344
1345 // Delayed instrumentation of StoreInst.
1346 // This may not add new address checks.
1347 materializeStores(InstrumentWithCalls);
1348
1349 return true;
1350 }
1351
1352 /// Compute the shadow type that corresponds to a given Value.
1353 Type *getShadowTy(Value *V) {
1354 return getShadowTy(V->getType());
1355 }
1356
1357 /// Compute the shadow type that corresponds to a given Type.
1358 Type *getShadowTy(Type *OrigTy) {
1359 if (!OrigTy->isSized()) {
1360 return nullptr;
1361 }
1362 // For integer type, shadow is the same as the original type.
1363 // This may return weird-sized types like i1.
1364 if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
1365 return IT;
1366 const DataLayout &DL = F.getParent()->getDataLayout();
1367 if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
1368 uint32_t EltSize = DL.getTypeSizeInBits(VT->getElementType());
1369 return FixedVectorType::get(IntegerType::get(*MS.C, EltSize),
1370 cast<FixedVectorType>(VT)->getNumElements());
1371 }
1372 if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) {
1373 return ArrayType::get(getShadowTy(AT->getElementType()),
1374 AT->getNumElements());
1375 }
1376 if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
1377 SmallVector<Type*, 4> Elements;
1378 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1379 Elements.push_back(getShadowTy(ST->getElementType(i)));
1380 StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
1381 LLVM_DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
1382 return Res;
1383 }
1384 uint32_t TypeSize = DL.getTypeSizeInBits(OrigTy);
1385 return IntegerType::get(*MS.C, TypeSize);
1386 }
1387
1388 /// Flatten a vector type.
1389 Type *getShadowTyNoVec(Type *ty) {
1390 if (VectorType *vt = dyn_cast<VectorType>(ty))
1391 return IntegerType::get(*MS.C,
1392 vt->getPrimitiveSizeInBits().getFixedSize());
1393 return ty;
1394 }
1395
1396 /// Extract combined shadow of struct elements as a bool
1397 Value *collapseStructShadow(StructType *Struct, Value *Shadow,
1398 IRBuilder<> &IRB) {
1399 Value *FalseVal = IRB.getIntN(/* width */ 1, /* value */ 0);
1400 Value *Aggregator = FalseVal;
1401
1402 for (unsigned Idx = 0; Idx < Struct->getNumElements(); Idx++) {
1403 // Combine by ORing together each element's bool shadow
1404 Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx);
1405 Value *ShadowInner = convertShadowToScalar(ShadowItem, IRB);
1406 Value *ShadowBool = convertToBool(ShadowInner, IRB);
1407
1408 if (Aggregator != FalseVal)
1409 Aggregator = IRB.CreateOr(Aggregator, ShadowBool);
1410 else
1411 Aggregator = ShadowBool;
1412 }
1413
1414 return Aggregator;
1415 }
1416
1417 // Extract combined shadow of array elements
1418 Value *collapseArrayShadow(ArrayType *Array, Value *Shadow,
1419 IRBuilder<> &IRB) {
1420 if (!Array->getNumElements())
1421 return IRB.getIntN(/* width */ 1, /* value */ 0);
1422
1423 Value *FirstItem = IRB.CreateExtractValue(Shadow, 0);
1424 Value *Aggregator = convertShadowToScalar(FirstItem, IRB);
1425
1426 for (unsigned Idx = 1; Idx < Array->getNumElements(); Idx++) {
1427 Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx);
1428 Value *ShadowInner = convertShadowToScalar(ShadowItem, IRB);
1429 Aggregator = IRB.CreateOr(Aggregator, ShadowInner);
1430 }
1431 return Aggregator;
1432 }
1433
1434 /// Convert a shadow value to it's flattened variant. The resulting
1435 /// shadow may not necessarily have the same bit width as the input
1436 /// value, but it will always be comparable to zero.
1437 Value *convertShadowToScalar(Value *V, IRBuilder<> &IRB) {
1438 if (StructType *Struct = dyn_cast<StructType>(V->getType()))
1439 return collapseStructShadow(Struct, V, IRB);
1440 if (ArrayType *Array = dyn_cast<ArrayType>(V->getType()))
1441 return collapseArrayShadow(Array, V, IRB);
1442 Type *Ty = V->getType();
1443 Type *NoVecTy = getShadowTyNoVec(Ty);
1444 if (Ty == NoVecTy) return V;
1445 return IRB.CreateBitCast(V, NoVecTy);
1446 }
1447
1448 // Convert a scalar value to an i1 by comparing with 0
1449 Value *convertToBool(Value *V, IRBuilder<> &IRB, const Twine &name = "") {
1450 Type *VTy = V->getType();
1451 assert(VTy->isIntegerTy());
1452 if (VTy->getIntegerBitWidth() == 1)
1453 // Just converting a bool to a bool, so do nothing.
1454 return V;
1455 return IRB.CreateICmpNE(V, ConstantInt::get(VTy, 0), name);
1456 }
1457
1458 /// Compute the integer shadow offset that corresponds to a given
1459 /// application address.
1460 ///
1461 /// Offset = (Addr & ~AndMask) ^ XorMask
1462 Value *getShadowPtrOffset(Value *Addr, IRBuilder<> &IRB) {
1463 Value *OffsetLong = IRB.CreatePointerCast(Addr, MS.IntptrTy);
1464
1465 uint64_t AndMask = MS.MapParams->AndMask;
1466 if (AndMask)
1467 OffsetLong =
1468 IRB.CreateAnd(OffsetLong, ConstantInt::get(MS.IntptrTy, ~AndMask));
1469
1470 uint64_t XorMask = MS.MapParams->XorMask;
1471 if (XorMask)
1472 OffsetLong =
1473 IRB.CreateXor(OffsetLong, ConstantInt::get(MS.IntptrTy, XorMask));
1474 return OffsetLong;
1475 }
1476
1477 /// Compute the shadow and origin addresses corresponding to a given
1478 /// application address.
1479 ///
1480 /// Shadow = ShadowBase + Offset
1481 /// Origin = (OriginBase + Offset) & ~3ULL
1482 std::pair<Value *, Value *>
1483 getShadowOriginPtrUserspace(Value *Addr, IRBuilder<> &IRB, Type *ShadowTy,
1484 MaybeAlign Alignment) {
1485 Value *ShadowOffset = getShadowPtrOffset(Addr, IRB);
1486 Value *ShadowLong = ShadowOffset;
1487 uint64_t ShadowBase = MS.MapParams->ShadowBase;
1488 if (ShadowBase != 0) {
1489 ShadowLong =
1490 IRB.CreateAdd(ShadowLong,
1491 ConstantInt::get(MS.IntptrTy, ShadowBase));
1492 }
1493 Value *ShadowPtr =
1494 IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0));
1495 Value *OriginPtr = nullptr;
1496 if (MS.TrackOrigins) {
1497 Value *OriginLong = ShadowOffset;
1498 uint64_t OriginBase = MS.MapParams->OriginBase;
1499 if (OriginBase != 0)
1500 OriginLong = IRB.CreateAdd(OriginLong,
1501 ConstantInt::get(MS.IntptrTy, OriginBase));
1502 if (!Alignment || *Alignment < kMinOriginAlignment) {
1503 uint64_t Mask = kMinOriginAlignment.value() - 1;
1504 OriginLong =
1505 IRB.CreateAnd(OriginLong, ConstantInt::get(MS.IntptrTy, ~Mask));
1506 }
1507 OriginPtr =
1508 IRB.CreateIntToPtr(OriginLong, PointerType::get(MS.OriginTy, 0));
1509 }
1510 return std::make_pair(ShadowPtr, OriginPtr);
1511 }
1512
1513 std::pair<Value *, Value *> getShadowOriginPtrKernel(Value *Addr,
1514 IRBuilder<> &IRB,
1515 Type *ShadowTy,
1516 bool isStore) {
1517 Value *ShadowOriginPtrs;
1518 const DataLayout &DL = F.getParent()->getDataLayout();
1519 int Size = DL.getTypeStoreSize(ShadowTy);
1520
1521 FunctionCallee Getter = MS.getKmsanShadowOriginAccessFn(isStore, Size);
1522 Value *AddrCast =
1523 IRB.CreatePointerCast(Addr, PointerType::get(IRB.getInt8Ty(), 0));
1524 if (Getter) {
1525 ShadowOriginPtrs = IRB.CreateCall(Getter, AddrCast);
1526 } else {
1527 Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
1528 ShadowOriginPtrs = IRB.CreateCall(isStore ? MS.MsanMetadataPtrForStoreN
1529 : MS.MsanMetadataPtrForLoadN,
1530 {AddrCast, SizeVal});
1531 }
1532 Value *ShadowPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 0);
1533 ShadowPtr = IRB.CreatePointerCast(ShadowPtr, PointerType::get(ShadowTy, 0));
1534 Value *OriginPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 1);
1535
1536 return std::make_pair(ShadowPtr, OriginPtr);
1537 }
1538
1539 std::pair<Value *, Value *> getShadowOriginPtr(Value *Addr, IRBuilder<> &IRB,
1540 Type *ShadowTy,
1541 MaybeAlign Alignment,
1542 bool isStore) {
1543 if (MS.CompileKernel)
1544 return getShadowOriginPtrKernel(Addr, IRB, ShadowTy, isStore);
1545 return getShadowOriginPtrUserspace(Addr, IRB, ShadowTy, Alignment);
1546 }
1547
1548 /// Compute the shadow address for a given function argument.
1549 ///
1550 /// Shadow = ParamTLS+ArgOffset.
1551 Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB,
1552 int ArgOffset) {
1553 Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
1554 if (ArgOffset)
1555 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1556 return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
1557 "_msarg");
1558 }
1559
1560 /// Compute the origin address for a given function argument.
1561 Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB,
1562 int ArgOffset) {
1563 if (!MS.TrackOrigins)
1564 return nullptr;
1565 Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
1566 if (ArgOffset)
1567 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1568 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
1569 "_msarg_o");
1570 }
1571
1572 /// Compute the shadow address for a retval.
1573 Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) {
1574 return IRB.CreatePointerCast(MS.RetvalTLS,
1575 PointerType::get(getShadowTy(A), 0),
1576 "_msret");
1577 }
1578
1579 /// Compute the origin address for a retval.
1580 Value *getOriginPtrForRetval(IRBuilder<> &IRB) {
1581 // We keep a single origin for the entire retval. Might be too optimistic.
1582 return MS.RetvalOriginTLS;
1583 }
1584
1585 /// Set SV to be the shadow value for V.
1586 void setShadow(Value *V, Value *SV) {
1587 assert(!ShadowMap.count(V) && "Values may only have one shadow");
1588 ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V);
1589 }
1590
1591 /// Set Origin to be the origin value for V.
1592 void setOrigin(Value *V, Value *Origin) {
1593 if (!MS.TrackOrigins) return;
1594 assert(!OriginMap.count(V) && "Values may only have one origin");
1595 LLVM_DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n");
1596 OriginMap[V] = Origin;
1597 }
1598
1599 Constant *getCleanShadow(Type *OrigTy) {
1600 Type *ShadowTy = getShadowTy(OrigTy);
1601 if (!ShadowTy)
1602 return nullptr;
1603 return Constant::getNullValue(ShadowTy);
1604 }
1605
1606 /// Create a clean shadow value for a given value.
1607 ///
1608 /// Clean shadow (all zeroes) means all bits of the value are defined
1609 /// (initialized).
1610 Constant *getCleanShadow(Value *V) {
1611 return getCleanShadow(V->getType());
1612 }
1613
1614 /// Create a dirty shadow of a given shadow type.
1615 Constant *getPoisonedShadow(Type *ShadowTy) {
1616 assert(ShadowTy);
1617 if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
1618 return Constant::getAllOnesValue(ShadowTy);
1619 if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) {
1620 SmallVector<Constant *, 4> Vals(AT->getNumElements(),
1621 getPoisonedShadow(AT->getElementType()));
1622 return ConstantArray::get(AT, Vals);
1623 }
1624 if (StructType *ST = dyn_cast<StructType>(ShadowTy)) {
1625 SmallVector<Constant *, 4> Vals;
1626 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1627 Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
1628 return ConstantStruct::get(ST, Vals);
1629 }
1630 llvm_unreachable("Unexpected shadow type");
1631 }
1632
1633 /// Create a dirty shadow for a given value.
1634 Constant *getPoisonedShadow(Value *V) {
1635 Type *ShadowTy = getShadowTy(V);
1636 if (!ShadowTy)
1637 return nullptr;
1638 return getPoisonedShadow(ShadowTy);
1639 }
1640
1641 /// Create a clean (zero) origin.
1642 Value *getCleanOrigin() {
1643 return Constant::getNullValue(MS.OriginTy);
1644 }
1645
1646 /// Get the shadow value for a given Value.
1647 ///
1648 /// This function either returns the value set earlier with setShadow,
1649 /// or extracts if from ParamTLS (for function arguments).
1650 Value *getShadow(Value *V) {
1651 if (!PropagateShadow) return getCleanShadow(V);
1652 if (Instruction *I = dyn_cast<Instruction>(V)) {
1653 if (I->getMetadata("nosanitize"))
1654 return getCleanShadow(V);
1655 // For instructions the shadow is already stored in the map.
1656 Value *Shadow = ShadowMap[V];
1657 if (!Shadow) {
1658 LLVM_DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
1659 (void)I;
1660 assert(Shadow && "No shadow for a value");
1661 }
1662 return Shadow;
1663 }
1664 if (UndefValue *U = dyn_cast<UndefValue>(V)) {
1665 Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V);
1666 LLVM_DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
1667 (void)U;
1668 return AllOnes;
1669 }
1670 if (Argument *A = dyn_cast<Argument>(V)) {
1671 // For arguments we compute the shadow on demand and store it in the map.
1672 Value **ShadowPtr = &ShadowMap[V];
1673 if (*ShadowPtr)
1674 return *ShadowPtr;
1675 Function *F = A->getParent();
1676 IRBuilder<> EntryIRB(FnPrologueEnd);
1677 unsigned ArgOffset = 0;
1678 const DataLayout &DL = F->getParent()->getDataLayout();
1679 for (auto &FArg : F->args()) {
1680 if (!FArg.getType()->isSized()) {
1681 LLVM_DEBUG(dbgs() << "Arg is not sized\n");
1682 continue;
1683 }
1684
1685 bool FArgByVal = FArg.hasByValAttr();
1686 bool FArgNoUndef = FArg.hasAttribute(Attribute::NoUndef);
1687 bool FArgEagerCheck = ClEagerChecks && !FArgByVal && FArgNoUndef;
1688 unsigned Size =
1689 FArg.hasByValAttr()
1690 ? DL.getTypeAllocSize(FArg.getParamByValType())
1691 : DL.getTypeAllocSize(FArg.getType());
1692
1693 if (A == &FArg) {
1694 bool Overflow = ArgOffset + Size > kParamTLSSize;
1695 if (FArgEagerCheck) {
1696 *ShadowPtr = getCleanShadow(V);
1697 setOrigin(A, getCleanOrigin());
1698 continue;
1699 } else if (FArgByVal) {
1700 Value *Base = getShadowPtrForArgument(&FArg, EntryIRB, ArgOffset);
1701 // ByVal pointer itself has clean shadow. We copy the actual
1702 // argument shadow to the underlying memory.
1703 // Figure out maximal valid memcpy alignment.
1704 const Align ArgAlign = DL.getValueOrABITypeAlignment(
1705 MaybeAlign(FArg.getParamAlignment()), FArg.getParamByValType());
1706 Value *CpShadowPtr =
1707 getShadowOriginPtr(V, EntryIRB, EntryIRB.getInt8Ty(), ArgAlign,
1708 /*isStore*/ true)
1709 .first;
1710 // TODO(glider): need to copy origins.
1711 if (Overflow) {
1712 // ParamTLS overflow.
1713 EntryIRB.CreateMemSet(
1714 CpShadowPtr, Constant::getNullValue(EntryIRB.getInt8Ty()),
1715 Size, ArgAlign);
1716 } else {
1717 const Align CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
1718 Value *Cpy = EntryIRB.CreateMemCpy(CpShadowPtr, CopyAlign, Base,
1719 CopyAlign, Size);
1720 LLVM_DEBUG(dbgs() << " ByValCpy: " << *Cpy << "\n");
1721 (void)Cpy;
1722 }
1723 *ShadowPtr = getCleanShadow(V);
1724 } else {
1725 // Shadow over TLS
1726 Value *Base = getShadowPtrForArgument(&FArg, EntryIRB, ArgOffset);
1727 if (Overflow) {
1728 // ParamTLS overflow.
1729 *ShadowPtr = getCleanShadow(V);
1730 } else {
1731 *ShadowPtr = EntryIRB.CreateAlignedLoad(getShadowTy(&FArg), Base,
1732 kShadowTLSAlignment);
1733 }
1734 }
1735 LLVM_DEBUG(dbgs()
1736 << " ARG: " << FArg << " ==> " << **ShadowPtr << "\n");
1737 if (MS.TrackOrigins && !Overflow) {
1738 Value *OriginPtr =
1739 getOriginPtrForArgument(&FArg, EntryIRB, ArgOffset);
1740 setOrigin(A, EntryIRB.CreateLoad(MS.OriginTy, OriginPtr));
1741 } else {
1742 setOrigin(A, getCleanOrigin());
1743 }
1744
1745 break;
1746 }
1747
1748 if (!FArgEagerCheck)
1749 ArgOffset += alignTo(Size, kShadowTLSAlignment);
1750 }
1751 assert(*ShadowPtr && "Could not find shadow for an argument");
1752 return *ShadowPtr;
1753 }
1754 // For everything else the shadow is zero.
1755 return getCleanShadow(V);
1756 }
1757
1758 /// Get the shadow for i-th argument of the instruction I.
1759 Value *getShadow(Instruction *I, int i) {
1760 return getShadow(I->getOperand(i));
1761 }
1762
1763 /// Get the origin for a value.
1764 Value *getOrigin(Value *V) {
1765 if (!MS.TrackOrigins) return nullptr;
1766 if (!PropagateShadow) return getCleanOrigin();
1767 if (isa<Constant>(V)) return getCleanOrigin();
1768 assert((isa<Instruction>(V) || isa<Argument>(V)) &&
1769 "Unexpected value type in getOrigin()");
1770 if (Instruction *I = dyn_cast<Instruction>(V)) {
1771 if (I->getMetadata("nosanitize"))
1772 return getCleanOrigin();
1773 }
1774 Value *Origin = OriginMap[V];
1775 assert(Origin && "Missing origin");
1776 return Origin;
1777 }
1778
1779 /// Get the origin for i-th argument of the instruction I.
1780 Value *getOrigin(Instruction *I, int i) {
1781 return getOrigin(I->getOperand(i));
1782 }
1783
1784 /// Remember the place where a shadow check should be inserted.
1785 ///
1786 /// This location will be later instrumented with a check that will print a
1787 /// UMR warning in runtime if the shadow value is not 0.
1788 void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
1789 assert(Shadow);
1790 if (!InsertChecks) return;
1791 #ifndef NDEBUG
1792 Type *ShadowTy = Shadow->getType();
1793 assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy) ||
1794 isa<StructType>(ShadowTy) || isa<ArrayType>(ShadowTy)) &&
1795 "Can only insert checks for integer, vector, and aggregate shadow "
1796 "types");
1797 #endif
1798 InstrumentationList.push_back(
1799 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
1800 }
1801
1802 /// Remember the place where a shadow check should be inserted.
1803 ///
1804 /// This location will be later instrumented with a check that will print a
1805 /// UMR warning in runtime if the value is not fully defined.
1806 void insertShadowCheck(Value *Val, Instruction *OrigIns) {
1807 assert(Val);
1808 Value *Shadow, *Origin;
1809 if (ClCheckConstantShadow) {
1810 Shadow = getShadow(Val);
1811 if (!Shadow) return;
1812 Origin = getOrigin(Val);
1813 } else {
1814 Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
1815 if (!Shadow) return;
1816 Origin = dyn_cast_or_null<Instruction>(getOrigin(Val));
1817 }
1818 insertShadowCheck(Shadow, Origin, OrigIns);
1819 }
1820
1821 AtomicOrdering addReleaseOrdering(AtomicOrdering a) {
1822 switch (a) {
1823 case AtomicOrdering::NotAtomic:
1824 return AtomicOrdering::NotAtomic;
1825 case AtomicOrdering::Unordered:
1826 case AtomicOrdering::Monotonic:
1827 case AtomicOrdering::Release:
1828 return AtomicOrdering::Release;
1829 case AtomicOrdering::Acquire:
1830 case AtomicOrdering::AcquireRelease:
1831 return AtomicOrdering::AcquireRelease;
1832 case AtomicOrdering::SequentiallyConsistent:
1833 return AtomicOrdering::SequentiallyConsistent;
1834 }
1835 llvm_unreachable("Unknown ordering");
1836 }
1837
1838 Value *makeAddReleaseOrderingTable(IRBuilder<> &IRB) {
1839 constexpr int NumOrderings = (int)AtomicOrderingCABI::seq_cst + 1;
1840 uint32_t OrderingTable[NumOrderings] = {};
1841
1842 OrderingTable[(int)AtomicOrderingCABI::relaxed] =
1843 OrderingTable[(int)AtomicOrderingCABI::release] =
1844 (int)AtomicOrderingCABI::release;
1845 OrderingTable[(int)AtomicOrderingCABI::consume] =
1846 OrderingTable[(int)AtomicOrderingCABI::acquire] =
1847 OrderingTable[(int)AtomicOrderingCABI::acq_rel] =
1848 (int)AtomicOrderingCABI::acq_rel;
1849 OrderingTable[(int)AtomicOrderingCABI::seq_cst] =
1850 (int)AtomicOrderingCABI::seq_cst;
1851
1852 return ConstantDataVector::get(IRB.getContext(),
1853 makeArrayRef(OrderingTable, NumOrderings));
1854 }
1855
1856 AtomicOrdering addAcquireOrdering(AtomicOrdering a) {
1857 switch (a) {
1858 case AtomicOrdering::NotAtomic:
1859 return AtomicOrdering::NotAtomic;
1860 case AtomicOrdering::Unordered:
1861 case AtomicOrdering::Monotonic:
1862 case AtomicOrdering::Acquire:
1863 return AtomicOrdering::Acquire;
1864 case AtomicOrdering::Release:
1865 case AtomicOrdering::AcquireRelease:
1866 return AtomicOrdering::AcquireRelease;
1867 case AtomicOrdering::SequentiallyConsistent:
1868 return AtomicOrdering::SequentiallyConsistent;
1869 }
1870 llvm_unreachable("Unknown ordering");
1871 }
1872
1873 Value *makeAddAcquireOrderingTable(IRBuilder<> &IRB) {
1874 constexpr int NumOrderings = (int)AtomicOrderingCABI::seq_cst + 1;
1875 uint32_t OrderingTable[NumOrderings] = {};
1876
1877 OrderingTable[(int)AtomicOrderingCABI::relaxed] =
1878 OrderingTable[(int)AtomicOrderingCABI::acquire] =
1879 OrderingTable[(int)AtomicOrderingCABI::consume] =
1880 (int)AtomicOrderingCABI::acquire;
1881 OrderingTable[(int)AtomicOrderingCABI::release] =
1882 OrderingTable[(int)AtomicOrderingCABI::acq_rel] =
1883 (int)AtomicOrderingCABI::acq_rel;
1884 OrderingTable[(int)AtomicOrderingCABI::seq_cst] =
1885 (int)AtomicOrderingCABI::seq_cst;
1886
1887 return ConstantDataVector::get(IRB.getContext(),
1888 makeArrayRef(OrderingTable, NumOrderings));
1889 }
1890
1891 // ------------------- Visitors.
1892 using InstVisitor<MemorySanitizerVisitor>::visit;
1893 void visit(Instruction &I) {
1894 if (I.getMetadata("nosanitize"))
1895 return;
1896 // Don't want to visit if we're in the prologue
1897 if (isInPrologue(I))
1898 return;
1899 InstVisitor<MemorySanitizerVisitor>::visit(I);
1900 }
1901
1902 /// Instrument LoadInst
1903 ///
1904 /// Loads the corresponding shadow and (optionally) origin.
1905 /// Optionally, checks that the load address is fully defined.
1906 void visitLoadInst(LoadInst &I) {
1907 assert(I.getType()->isSized() && "Load type must have size");
1908 assert(!I.getMetadata("nosanitize"));
1909 IRBuilder<> IRB(I.getNextNode());
1910 Type *ShadowTy = getShadowTy(&I);
1911 Value *Addr = I.getPointerOperand();
1912 Value *ShadowPtr = nullptr, *OriginPtr = nullptr;
1913 const Align Alignment = assumeAligned(I.getAlignment());
1914 if (PropagateShadow) {
1915 std::tie(ShadowPtr, OriginPtr) =
1916 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
1917 setShadow(&I,
1918 IRB.CreateAlignedLoad(ShadowTy, ShadowPtr, Alignment, "_msld"));
1919 } else {
1920 setShadow(&I, getCleanShadow(&I));
1921 }
1922
1923 if (ClCheckAccessAddress)
1924 insertShadowCheck(I.getPointerOperand(), &I);
1925
1926 if (I.isAtomic())
1927 I.setOrdering(addAcquireOrdering(I.getOrdering()));
1928
1929 if (MS.TrackOrigins) {
1930 if (PropagateShadow) {
1931 const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1932 setOrigin(
1933 &I, IRB.CreateAlignedLoad(MS.OriginTy, OriginPtr, OriginAlignment));
1934 } else {
1935 setOrigin(&I, getCleanOrigin());
1936 }
1937 }
1938 }
1939
1940 /// Instrument StoreInst
1941 ///
1942 /// Stores the corresponding shadow and (optionally) origin.
1943 /// Optionally, checks that the store address is fully defined.
1944 void visitStoreInst(StoreInst &I) {
1945 StoreList.push_back(&I);
1946 if (ClCheckAccessAddress)
1947 insertShadowCheck(I.getPointerOperand(), &I);
1948 }
1949
1950 void handleCASOrRMW(Instruction &I) {
1951 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I));
1952
1953 IRBuilder<> IRB(&I);
1954 Value *Addr = I.getOperand(0);
1955 Value *Val = I.getOperand(1);
1956 Value *ShadowPtr = getShadowOriginPtr(Addr, IRB, Val->getType(), Align(1),
1957 /*isStore*/ true)
1958 .first;
1959
1960 if (ClCheckAccessAddress)
1961 insertShadowCheck(Addr, &I);
1962
1963 // Only test the conditional argument of cmpxchg instruction.
1964 // The other argument can potentially be uninitialized, but we can not
1965 // detect this situation reliably without possible false positives.
1966 if (isa<AtomicCmpXchgInst>(I))
1967 insertShadowCheck(Val, &I);
1968
1969 IRB.CreateStore(getCleanShadow(Val), ShadowPtr);
1970
1971 setShadow(&I, getCleanShadow(&I));
1972 setOrigin(&I, getCleanOrigin());
1973 }
1974
1975 void visitAtomicRMWInst(AtomicRMWInst &I) {
1976 handleCASOrRMW(I);
1977 I.setOrdering(addReleaseOrdering(I.getOrdering()));
1978 }
1979
1980 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) {
1981 handleCASOrRMW(I);
1982 I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering()));
1983 }
1984
1985 // Vector manipulation.
1986 void visitExtractElementInst(ExtractElementInst &I) {
1987 insertShadowCheck(I.getOperand(1), &I);
1988 IRBuilder<> IRB(&I);
1989 setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1),
1990 "_msprop"));
1991 setOrigin(&I, getOrigin(&I, 0));
1992 }
1993
1994 void visitInsertElementInst(InsertElementInst &I) {
1995 insertShadowCheck(I.getOperand(2), &I);
1996 IRBuilder<> IRB(&I);
1997 setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1),
1998 I.getOperand(2), "_msprop"));
1999 setOriginForNaryOp(I);
2000 }
2001
2002 void visitShuffleVectorInst(ShuffleVectorInst &I) {
2003 IRBuilder<> IRB(&I);
2004 setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1),
2005 I.getShuffleMask(), "_msprop"));
2006 setOriginForNaryOp(I);
2007 }
2008
2009 // Casts.
2010 void visitSExtInst(SExtInst &I) {
2011 IRBuilder<> IRB(&I);
2012 setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop"));
2013 setOrigin(&I, getOrigin(&I, 0));
2014 }
2015
2016 void visitZExtInst(ZExtInst &I) {
2017 IRBuilder<> IRB(&I);
2018 setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop"));
2019 setOrigin(&I, getOrigin(&I, 0));
2020 }
2021
2022 void visitTruncInst(TruncInst &I) {
2023 IRBuilder<> IRB(&I);
2024 setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop"));
2025 setOrigin(&I, getOrigin(&I, 0));
2026 }
2027
2028 void visitBitCastInst(BitCastInst &I) {
2029 // Special case: if this is the bitcast (there is exactly 1 allowed) between
2030 // a musttail call and a ret, don't instrument. New instructions are not
2031 // allowed after a musttail call.
2032 if (auto *CI = dyn_cast<CallInst>(I.getOperand(0)))
2033 if (CI->isMustTailCall())
2034 return;
2035 IRBuilder<> IRB(&I);
2036 setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I)));
2037 setOrigin(&I, getOrigin(&I, 0));
2038 }
2039
2040 void visitPtrToIntInst(PtrToIntInst &I) {
2041 IRBuilder<> IRB(&I);
2042 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
2043 "_msprop_ptrtoint"));
2044 setOrigin(&I, getOrigin(&I, 0));
2045 }
2046
2047 void visitIntToPtrInst(IntToPtrInst &I) {
2048 IRBuilder<> IRB(&I);
2049 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
2050 "_msprop_inttoptr"));
2051 setOrigin(&I, getOrigin(&I, 0));
2052 }
2053
2054 void visitFPToSIInst(CastInst& I) { handleShadowOr(I); }
2055 void visitFPToUIInst(CastInst& I) { handleShadowOr(I); }
2056 void visitSIToFPInst(CastInst& I) { handleShadowOr(I); }
2057 void visitUIToFPInst(CastInst& I) { handleShadowOr(I); }
2058 void visitFPExtInst(CastInst& I) { handleShadowOr(I); }
2059 void visitFPTruncInst(CastInst& I) { handleShadowOr(I); }
2060
2061 /// Propagate shadow for bitwise AND.
2062 ///
2063 /// This code is exact, i.e. if, for example, a bit in the left argument
2064 /// is defined and 0, then neither the value not definedness of the
2065 /// corresponding bit in B don't affect the resulting shadow.
2066 void visitAnd(BinaryOperator &I) {
2067 IRBuilder<> IRB(&I);
2068 // "And" of 0 and a poisoned value results in unpoisoned value.
2069 // 1&1 => 1; 0&1 => 0; p&1 => p;
2070 // 1&0 => 0; 0&0 => 0; p&0 => 0;
2071 // 1&p => p; 0&p => 0; p&p => p;
2072 // S = (S1 & S2) | (V1 & S2) | (S1 & V2)
2073 Value *S1 = getShadow(&I, 0);
2074 Value *S2 = getShadow(&I, 1);
2075 Value *V1 = I.getOperand(0);
2076 Value *V2 = I.getOperand(1);
2077 if (V1->getType() != S1->getType()) {
2078 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
2079 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
2080 }
2081 Value *S1S2 = IRB.CreateAnd(S1, S2);
2082 Value *V1S2 = IRB.CreateAnd(V1, S2);
2083 Value *S1V2 = IRB.CreateAnd(S1, V2);
2084 setShadow(&I, IRB.CreateOr({S1S2, V1S2, S1V2}));
2085 setOriginForNaryOp(I);
2086 }
2087
2088 void visitOr(BinaryOperator &I) {
2089 IRBuilder<> IRB(&I);
2090 // "Or" of 1 and a poisoned value results in unpoisoned value.
2091 // 1|1 => 1; 0|1 => 1; p|1 => 1;
2092 // 1|0 => 1; 0|0 => 0; p|0 => p;
2093 // 1|p => 1; 0|p => p; p|p => p;
2094 // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
2095 Value *S1 = getShadow(&I, 0);
2096 Value *S2 = getShadow(&I, 1);
2097 Value *V1 = IRB.CreateNot(I.getOperand(0));
2098 Value *V2 = IRB.CreateNot(I.getOperand(1));
2099 if (V1->getType() != S1->getType()) {
2100 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
2101 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
2102 }
2103 Value *S1S2 = IRB.CreateAnd(S1, S2);
2104 Value *V1S2 = IRB.CreateAnd(V1, S2);
2105 Value *S1V2 = IRB.CreateAnd(S1, V2);
2106 setShadow(&I, IRB.CreateOr({S1S2, V1S2, S1V2}));
2107 setOriginForNaryOp(I);
2108 }
2109
2110 /// Default propagation of shadow and/or origin.
2111 ///
2112 /// This class implements the general case of shadow propagation, used in all
2113 /// cases where we don't know and/or don't care about what the operation
2114 /// actually does. It converts all input shadow values to a common type
2115 /// (extending or truncating as necessary), and bitwise OR's them.
2116 ///
2117 /// This is much cheaper than inserting checks (i.e. requiring inputs to be
2118 /// fully initialized), and less prone to false positives.
2119 ///
2120 /// This class also implements the general case of origin propagation. For a
2121 /// Nary operation, result origin is set to the origin of an argument that is
2122 /// not entirely initialized. If there is more than one such arguments, the
2123 /// rightmost of them is picked. It does not matter which one is picked if all
2124 /// arguments are initialized.
2125 template <bool CombineShadow>
2126 class Combiner {
2127 Value *Shadow = nullptr;
2128 Value *Origin = nullptr;
2129 IRBuilder<> &IRB;
2130 MemorySanitizerVisitor *MSV;
2131
2132 public:
2133 Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB)
2134 : IRB(IRB), MSV(MSV) {}
2135
2136 /// Add a pair of shadow and origin values to the mix.
2137 Combiner &Add(Value *OpShadow, Value *OpOrigin) {
2138 if (CombineShadow) {
2139 assert(OpShadow);
2140 if (!Shadow)
2141 Shadow = OpShadow;
2142 else {
2143 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
2144 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
2145 }
2146 }
2147
2148 if (MSV->MS.TrackOrigins) {
2149 assert(OpOrigin);
2150 if (!Origin) {
2151 Origin = OpOrigin;
2152 } else {
2153 Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin);
2154 // No point in adding something that might result in 0 origin value.
2155 if (!ConstOrigin || !ConstOrigin->isNullValue()) {
2156 Value *FlatShadow = MSV->convertShadowToScalar(OpShadow, IRB);
2157 Value *Cond =
2158 IRB.CreateICmpNE(FlatShadow, MSV->getCleanShadow(FlatShadow));
2159 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin);
2160 }
2161 }
2162 }
2163 return *this;
2164 }
2165
2166 /// Add an application value to the mix.
2167 Combiner &Add(Value *V) {
2168 Value *OpShadow = MSV->getShadow(V);
2169 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr;
2170 return Add(OpShadow, OpOrigin);
2171 }
2172
2173 /// Set the current combined values as the given instruction's shadow
2174 /// and origin.
2175 void Done(Instruction *I) {
2176 if (CombineShadow) {
2177 assert(Shadow);
2178 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
2179 MSV->setShadow(I, Shadow);
2180 }
2181 if (MSV->MS.TrackOrigins) {
2182 assert(Origin);
2183 MSV->setOrigin(I, Origin);
2184 }
2185 }
2186 };
2187
2188 using ShadowAndOriginCombiner = Combiner<true>;
2189 using OriginCombiner = Combiner<false>;
2190
2191 /// Propagate origin for arbitrary operation.
2192 void setOriginForNaryOp(Instruction &I) {
2193 if (!MS.TrackOrigins) return;
2194 IRBuilder<> IRB(&I);
2195 OriginCombiner OC(this, IRB);
2196 for (Use &Op : I.operands())
2197 OC.Add(Op.get());
2198 OC.Done(&I);
2199 }
2200
2201 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) {
2202 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) &&
2203 "Vector of pointers is not a valid shadow type");
2204 return Ty->isVectorTy() ? cast<FixedVectorType>(Ty)->getNumElements() *
2205 Ty->getScalarSizeInBits()
2206 : Ty->getPrimitiveSizeInBits();
2207 }
2208
2209 /// Cast between two shadow types, extending or truncating as
2210 /// necessary.
2211 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy,
2212 bool Signed = false) {
2213 Type *srcTy = V->getType();
2214 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy);
2215 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy);
2216 if (srcSizeInBits > 1 && dstSizeInBits == 1)
2217 return IRB.CreateICmpNE(V, getCleanShadow(V));
2218
2219 if (dstTy->isIntegerTy() && srcTy->isIntegerTy())
2220 return IRB.CreateIntCast(V, dstTy, Signed);
2221 if (dstTy->isVectorTy() && srcTy->isVectorTy() &&
2222 cast<FixedVectorType>(dstTy)->getNumElements() ==
2223 cast<FixedVectorType>(srcTy)->getNumElements())
2224 return IRB.CreateIntCast(V, dstTy, Signed);
2225 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits));
2226 Value *V2 =
2227 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed);
2228 return IRB.CreateBitCast(V2, dstTy);
2229 // TODO: handle struct types.
2230 }
2231
2232 /// Cast an application value to the type of its own shadow.
2233 Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) {
2234 Type *ShadowTy = getShadowTy(V);
2235 if (V->getType() == ShadowTy)
2236 return V;
2237 if (V->getType()->isPtrOrPtrVectorTy())
2238 return IRB.CreatePtrToInt(V, ShadowTy);
2239 else
2240 return IRB.CreateBitCast(V, ShadowTy);
2241 }
2242
2243 /// Propagate shadow for arbitrary operation.
2244 void handleShadowOr(Instruction &I) {
2245 IRBuilder<> IRB(&I);
2246 ShadowAndOriginCombiner SC(this, IRB);
2247 for (Use &Op : I.operands())
2248 SC.Add(Op.get());
2249 SC.Done(&I);
2250 }
2251
2252 void visitFNeg(UnaryOperator &I) { handleShadowOr(I); }
2253
2254 // Handle multiplication by constant.
2255 //
2256 // Handle a special case of multiplication by constant that may have one or
2257 // more zeros in the lower bits. This makes corresponding number of lower bits
2258 // of the result zero as well. We model it by shifting the other operand
2259 // shadow left by the required number of bits. Effectively, we transform
2260 // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B).
2261 // We use multiplication by 2**N instead of shift to cover the case of
2262 // multiplication by 0, which may occur in some elements of a vector operand.
2263 void handleMulByConstant(BinaryOperator &I, Constant *ConstArg,
2264 Value *OtherArg) {
2265 Constant *ShadowMul;
2266 Type *Ty = ConstArg->getType();
2267 if (auto *VTy = dyn_cast<VectorType>(Ty)) {
2268 unsigned NumElements = cast<FixedVectorType>(VTy)->getNumElements();
2269 Type *EltTy = VTy->getElementType();
2270 SmallVector<Constant *, 16> Elements;
2271 for (unsigned Idx = 0; Idx < NumElements; ++Idx) {
2272 if (ConstantInt *Elt =
2273 dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx))) {
2274 const APInt &V = Elt->getValue();
2275 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
2276 Elements.push_back(ConstantInt::get(EltTy, V2));
2277 } else {
2278 Elements.push_back(ConstantInt::get(EltTy, 1));
2279 }
2280 }
2281 ShadowMul = ConstantVector::get(Elements);
2282 } else {
2283 if (ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg)) {
2284 const APInt &V = Elt->getValue();
2285 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
2286 ShadowMul = ConstantInt::get(Ty, V2);
2287 } else {
2288 ShadowMul = ConstantInt::get(Ty, 1);
2289 }
2290 }
2291
2292 IRBuilder<> IRB(&I);
2293 setShadow(&I,
2294 IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst"));
2295 setOrigin(&I, getOrigin(OtherArg));
2296 }
2297
2298 void visitMul(BinaryOperator &I) {
2299 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0));
2300 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1));
2301 if (constOp0 && !constOp1)
2302 handleMulByConstant(I, constOp0, I.getOperand(1));
2303 else if (constOp1 && !constOp0)
2304 handleMulByConstant(I, constOp1, I.getOperand(0));
2305 else
2306 handleShadowOr(I);
2307 }
2308
2309 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); }
2310 void visitFSub(BinaryOperator &I) { handleShadowOr(I); }
2311 void visitFMul(BinaryOperator &I) { handleShadowOr(I); }
2312 void visitAdd(BinaryOperator &I) { handleShadowOr(I); }
2313 void visitSub(BinaryOperator &I) { handleShadowOr(I); }
2314 void visitXor(BinaryOperator &I) { handleShadowOr(I); }
2315
2316 void handleIntegerDiv(Instruction &I) {
2317 IRBuilder<> IRB(&I);
2318 // Strict on the second argument.
2319 insertShadowCheck(I.getOperand(1), &I);
2320 setShadow(&I, getShadow(&I, 0));
2321 setOrigin(&I, getOrigin(&I, 0));
2322 }
2323
2324 void visitUDiv(BinaryOperator &I) { handleIntegerDiv(I); }
2325 void visitSDiv(BinaryOperator &I) { handleIntegerDiv(I); }
2326 void visitURem(BinaryOperator &I) { handleIntegerDiv(I); }
2327 void visitSRem(BinaryOperator &I) { handleIntegerDiv(I); }
2328
2329 // Floating point division is side-effect free. We can not require that the
2330 // divisor is fully initialized and must propagate shadow. See PR37523.
2331 void visitFDiv(BinaryOperator &I) { handleShadowOr(I); }
2332 void visitFRem(BinaryOperator &I) { handleShadowOr(I); }
2333
2334 /// Instrument == and != comparisons.
2335 ///
2336 /// Sometimes the comparison result is known even if some of the bits of the
2337 /// arguments are not.
2338 void handleEqualityComparison(ICmpInst &I) {
2339 IRBuilder<> IRB(&I);
2340 Value *A = I.getOperand(0);
2341 Value *B = I.getOperand(1);
2342 Value *Sa = getShadow(A);
2343 Value *Sb = getShadow(B);
2344
2345 // Get rid of pointers and vectors of pointers.
2346 // For ints (and vectors of ints), types of A and Sa match,
2347 // and this is a no-op.
2348 A = IRB.CreatePointerCast(A, Sa->getType());
2349 B = IRB.CreatePointerCast(B, Sb->getType());
2350
2351 // A == B <==> (C = A^B) == 0
2352 // A != B <==> (C = A^B) != 0
2353 // Sc = Sa | Sb
2354 Value *C = IRB.CreateXor(A, B);
2355 Value *Sc = IRB.CreateOr(Sa, Sb);
2356 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now)
2357 // Result is defined if one of the following is true
2358 // * there is a defined 1 bit in C
2359 // * C is fully defined
2360 // Si = !(C & ~Sc) && Sc
2361 Value *Zero = Constant::getNullValue(Sc->getType());
2362 Value *MinusOne = Constant::getAllOnesValue(Sc->getType());
2363 Value *Si =
2364 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero),
2365 IRB.CreateICmpEQ(
2366 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero));
2367 Si->setName("_msprop_icmp");
2368 setShadow(&I, Si);
2369 setOriginForNaryOp(I);
2370 }
2371
2372 /// Build the lowest possible value of V, taking into account V's
2373 /// uninitialized bits.
2374 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2375 bool isSigned) {
2376 if (isSigned) {
2377 // Split shadow into sign bit and other bits.
2378 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2379 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2380 // Maximise the undefined shadow bit, minimize other undefined bits.
2381 return
2382 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit);
2383 } else {
2384 // Minimize undefined bits.
2385 return IRB.CreateAnd(A, IRB.CreateNot(Sa));
2386 }
2387 }
2388
2389 /// Build the highest possible value of V, taking into account V's
2390 /// uninitialized bits.
2391 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2392 bool isSigned) {
2393 if (isSigned) {
2394 // Split shadow into sign bit and other bits.
2395 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2396 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2397 // Minimise the undefined shadow bit, maximise other undefined bits.
2398 return
2399 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits);
2400 } else {
2401 // Maximize undefined bits.
2402 return IRB.CreateOr(A, Sa);
2403 }
2404 }
2405
2406 /// Instrument relational comparisons.
2407 ///
2408 /// This function does exact shadow propagation for all relational
2409 /// comparisons of integers, pointers and vectors of those.
2410 /// FIXME: output seems suboptimal when one of the operands is a constant
2411 void handleRelationalComparisonExact(ICmpInst &I) {
2412 IRBuilder<> IRB(&I);
2413 Value *A = I.getOperand(0);
2414 Value *B = I.getOperand(1);
2415 Value *Sa = getShadow(A);
2416 Value *Sb = getShadow(B);
2417
2418 // Get rid of pointers and vectors of pointers.
2419 // For ints (and vectors of ints), types of A and Sa match,
2420 // and this is a no-op.
2421 A = IRB.CreatePointerCast(A, Sa->getType());
2422 B = IRB.CreatePointerCast(B, Sb->getType());
2423
2424 // Let [a0, a1] be the interval of possible values of A, taking into account
2425 // its undefined bits. Let [b0, b1] be the interval of possible values of B.
2426 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0).
2427 bool IsSigned = I.isSigned();
2428 Value *S1 = IRB.CreateICmp(I.getPredicate(),
2429 getLowestPossibleValue(IRB, A, Sa, IsSigned),
2430 getHighestPossibleValue(IRB, B, Sb, IsSigned));
2431 Value *S2 = IRB.CreateICmp(I.getPredicate(),
2432 getHighestPossibleValue(IRB, A, Sa, IsSigned),
2433 getLowestPossibleValue(IRB, B, Sb, IsSigned));
2434 Value *Si = IRB.CreateXor(S1, S2);
2435 setShadow(&I, Si);
2436 setOriginForNaryOp(I);
2437 }
2438
2439 /// Instrument signed relational comparisons.
2440 ///
2441 /// Handle sign bit tests: x<0, x>=0, x<=-1, x>-1 by propagating the highest
2442 /// bit of the shadow. Everything else is delegated to handleShadowOr().
2443 void handleSignedRelationalComparison(ICmpInst &I) {
2444 Constant *constOp;
2445 Value *op = nullptr;
2446 CmpInst::Predicate pre;
2447 if ((constOp = dyn_cast<Constant>(I.getOperand(1)))) {
2448 op = I.getOperand(0);
2449 pre = I.getPredicate();
2450 } else if ((constOp = dyn_cast<Constant>(I.getOperand(0)))) {
2451 op = I.getOperand(1);
2452 pre = I.getSwappedPredicate();
2453 } else {
2454 handleShadowOr(I);
2455 return;
2456 }
2457
2458 if ((constOp->isNullValue() &&
2459 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) ||
2460 (constOp->isAllOnesValue() &&
2461 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE))) {
2462 IRBuilder<> IRB(&I);
2463 Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op),
2464 "_msprop_icmp_s");
2465 setShadow(&I, Shadow);
2466 setOrigin(&I, getOrigin(op));
2467 } else {
2468 handleShadowOr(I);
2469 }
2470 }
2471
2472 void visitICmpInst(ICmpInst &I) {
2473 if (!ClHandleICmp) {
2474 handleShadowOr(I);
2475 return;
2476 }
2477 if (I.isEquality()) {
2478 handleEqualityComparison(I);
2479 return;
2480 }
2481
2482 assert(I.isRelational());
2483 if (ClHandleICmpExact) {
2484 handleRelationalComparisonExact(I);
2485 return;
2486 }
2487 if (I.isSigned()) {
2488 handleSignedRelationalComparison(I);
2489 return;
2490 }
2491
2492 assert(I.isUnsigned());
2493 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) {
2494 handleRelationalComparisonExact(I);
2495 return;
2496 }
2497
2498 handleShadowOr(I);
2499 }
2500
2501 void visitFCmpInst(FCmpInst &I) {
2502 handleShadowOr(I);
2503 }
2504
2505 void handleShift(BinaryOperator &I) {
2506 IRBuilder<> IRB(&I);
2507 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2508 // Otherwise perform the same shift on S1.
2509 Value *S1 = getShadow(&I, 0);
2510 Value *S2 = getShadow(&I, 1);
2511 Value *S2Conv = IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)),
2512 S2->getType());
2513 Value *V2 = I.getOperand(1);
2514 Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2);
2515 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2516 setOriginForNaryOp(I);
2517 }
2518
2519 void visitShl(BinaryOperator &I) { handleShift(I); }
2520 void visitAShr(BinaryOperator &I) { handleShift(I); }
2521 void visitLShr(BinaryOperator &I) { handleShift(I); }
2522
2523 void handleFunnelShift(IntrinsicInst &I) {
2524 IRBuilder<> IRB(&I);
2525 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2526 // Otherwise perform the same shift on S0 and S1.
2527 Value *S0 = getShadow(&I, 0);
2528 Value *S1 = getShadow(&I, 1);
2529 Value *S2 = getShadow(&I, 2);
2530 Value *S2Conv =
2531 IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)), S2->getType());
2532 Value *V2 = I.getOperand(2);
2533 Function *Intrin = Intrinsic::getDeclaration(
2534 I.getModule(), I.getIntrinsicID(), S2Conv->getType());
2535 Value *Shift = IRB.CreateCall(Intrin, {S0, S1, V2});
2536 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2537 setOriginForNaryOp(I);
2538 }
2539
2540 /// Instrument llvm.memmove
2541 ///
2542 /// At this point we don't know if llvm.memmove will be inlined or not.
2543 /// If we don't instrument it and it gets inlined,
2544 /// our interceptor will not kick in and we will lose the memmove.
2545 /// If we instrument the call here, but it does not get inlined,
2546 /// we will memove the shadow twice: which is bad in case
2547 /// of overlapping regions. So, we simply lower the intrinsic to a call.
2548 ///
2549 /// Similar situation exists for memcpy and memset.
2550 void visitMemMoveInst(MemMoveInst &I) {
2551 IRBuilder<> IRB(&I);
2552 IRB.CreateCall(
2553 MS.MemmoveFn,
2554 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2555 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
2556 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2557 I.eraseFromParent();
2558 }
2559
2560 // Similar to memmove: avoid copying shadow twice.
2561 // This is somewhat unfortunate as it may slowdown small constant memcpys.
2562 // FIXME: consider doing manual inline for small constant sizes and proper
2563 // alignment.
2564 void visitMemCpyInst(MemCpyInst &I) {
2565 IRBuilder<> IRB(&I);
2566 IRB.CreateCall(
2567 MS.MemcpyFn,
2568 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2569 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
2570 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2571 I.eraseFromParent();
2572 }
2573
2574 // Same as memcpy.
2575 void visitMemSetInst(MemSetInst &I) {
2576 IRBuilder<> IRB(&I);
2577 IRB.CreateCall(
2578 MS.MemsetFn,
2579 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2580 IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
2581 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2582 I.eraseFromParent();
2583 }
2584
2585 void visitVAStartInst(VAStartInst &I) {
2586 VAHelper->visitVAStartInst(I);
2587 }
2588
2589 void visitVACopyInst(VACopyInst &I) {
2590 VAHelper->visitVACopyInst(I);
2591 }
2592
2593 /// Handle vector store-like intrinsics.
2594 ///
2595 /// Instrument intrinsics that look like a simple SIMD store: writes memory,
2596 /// has 1 pointer argument and 1 vector argument, returns void.
2597 bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
2598 IRBuilder<> IRB(&I);
2599 Value* Addr = I.getArgOperand(0);
2600 Value *Shadow = getShadow(&I, 1);
2601 Value *ShadowPtr, *OriginPtr;
2602
2603 // We don't know the pointer alignment (could be unaligned SSE store!).
2604 // Have to assume to worst case.
2605 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
2606 Addr, IRB, Shadow->getType(), Align(1), /*isStore*/ true);
2607 IRB.CreateAlignedStore(Shadow, ShadowPtr, Align(1));
2608
2609 if (ClCheckAccessAddress)
2610 insertShadowCheck(Addr, &I);
2611
2612 // FIXME: factor out common code from materializeStores
2613 if (MS.TrackOrigins) IRB.CreateStore(getOrigin(&I, 1), OriginPtr);
2614 return true;
2615 }
2616
2617 /// Handle vector load-like intrinsics.
2618 ///
2619 /// Instrument intrinsics that look like a simple SIMD load: reads memory,
2620 /// has 1 pointer argument, returns a vector.
2621 bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
2622 IRBuilder<> IRB(&I);
2623 Value *Addr = I.getArgOperand(0);
2624
2625 Type *ShadowTy = getShadowTy(&I);
2626 Value *ShadowPtr = nullptr, *OriginPtr = nullptr;
2627 if (PropagateShadow) {
2628 // We don't know the pointer alignment (could be unaligned SSE load!).
2629 // Have to assume to worst case.
2630 const Align Alignment = Align(1);
2631 std::tie(ShadowPtr, OriginPtr) =
2632 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
2633 setShadow(&I,
2634 IRB.CreateAlignedLoad(ShadowTy, ShadowPtr, Alignment, "_msld"));
2635 } else {
2636 setShadow(&I, getCleanShadow(&I));
2637 }
2638
2639 if (ClCheckAccessAddress)
2640 insertShadowCheck(Addr, &I);
2641
2642 if (MS.TrackOrigins) {
2643 if (PropagateShadow)
2644 setOrigin(&I, IRB.CreateLoad(MS.OriginTy, OriginPtr));
2645 else
2646 setOrigin(&I, getCleanOrigin());
2647 }
2648 return true;
2649 }
2650
2651 /// Handle (SIMD arithmetic)-like intrinsics.
2652 ///
2653 /// Instrument intrinsics with any number of arguments of the same type,
2654 /// equal to the return type. The type should be simple (no aggregates or
2655 /// pointers; vectors are fine).
2656 /// Caller guarantees that this intrinsic does not access memory.
2657 bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
2658 Type *RetTy = I.getType();
2659 if (!(RetTy->isIntOrIntVectorTy() ||
2660 RetTy->isFPOrFPVectorTy() ||
2661 RetTy->isX86_MMXTy()))
2662 return false;
2663
2664 unsigned NumArgOperands = I.getNumArgOperands();
2665 for (unsigned i = 0; i < NumArgOperands; ++i) {
2666 Type *Ty = I.getArgOperand(i)->getType();
2667 if (Ty != RetTy)
2668 return false;
2669 }
2670
2671 IRBuilder<> IRB(&I);
2672 ShadowAndOriginCombiner SC(this, IRB);
2673 for (unsigned i = 0; i < NumArgOperands; ++i)
2674 SC.Add(I.getArgOperand(i));
2675 SC.Done(&I);
2676
2677 return true;
2678 }
2679
2680 /// Heuristically instrument unknown intrinsics.
2681 ///
2682 /// The main purpose of this code is to do something reasonable with all
2683 /// random intrinsics we might encounter, most importantly - SIMD intrinsics.
2684 /// We recognize several classes of intrinsics by their argument types and
2685 /// ModRefBehaviour and apply special instrumentation when we are reasonably
2686 /// sure that we know what the intrinsic does.
2687 ///
2688 /// We special-case intrinsics where this approach fails. See llvm.bswap
2689 /// handling as an example of that.
2690 bool handleUnknownIntrinsic(IntrinsicInst &I) {
2691 unsigned NumArgOperands = I.getNumArgOperands();
2692 if (NumArgOperands == 0)
2693 return false;
2694
2695 if (NumArgOperands == 2 &&
2696 I.getArgOperand(0)->getType()->isPointerTy() &&
2697 I.getArgOperand(1)->getType()->isVectorTy() &&
2698 I.getType()->isVoidTy() &&
2699 !I.onlyReadsMemory()) {
2700 // This looks like a vector store.
2701 return handleVectorStoreIntrinsic(I);
2702 }
2703
2704 if (NumArgOperands == 1 &&
2705 I.getArgOperand(0)->getType()->isPointerTy() &&
2706 I.getType()->isVectorTy() &&
2707 I.onlyReadsMemory()) {
2708 // This looks like a vector load.
2709 return handleVectorLoadIntrinsic(I);
2710 }
2711
2712 if (I.doesNotAccessMemory())
2713 if (maybeHandleSimpleNomemIntrinsic(I))
2714 return true;
2715
2716 // FIXME: detect and handle SSE maskstore/maskload
2717 return false;
2718 }
2719
2720 void handleInvariantGroup(IntrinsicInst &I) {
2721 setShadow(&I, getShadow(&I, 0));
2722 setOrigin(&I, getOrigin(&I, 0));
2723 }
2724
2725 void handleLifetimeStart(IntrinsicInst &I) {
2726 if (!PoisonStack)
2727 return;
2728 AllocaInst *AI = llvm::findAllocaForValue(I.getArgOperand(1));
2729 if (!AI)
2730 InstrumentLifetimeStart = false;
2731 LifetimeStartList.push_back(std::make_pair(&I, AI));
2732 }
2733
2734 void handleBswap(IntrinsicInst &I) {
2735 IRBuilder<> IRB(&I);
2736 Value *Op = I.getArgOperand(0);
2737 Type *OpType = Op->getType();
2738 Function *BswapFunc = Intrinsic::getDeclaration(
2739 F.getParent(), Intrinsic::bswap, makeArrayRef(&OpType, 1));
2740 setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op)));
2741 setOrigin(&I, getOrigin(Op));
2742 }
2743
2744 // Instrument vector convert intrinsic.
2745 //
2746 // This function instruments intrinsics like cvtsi2ss:
2747 // %Out = int_xxx_cvtyyy(%ConvertOp)
2748 // or
2749 // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
2750 // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same
2751 // number \p Out elements, and (if has 2 arguments) copies the rest of the
2752 // elements from \p CopyOp.
2753 // In most cases conversion involves floating-point value which may trigger a
2754 // hardware exception when not fully initialized. For this reason we require
2755 // \p ConvertOp[0:NumUsedElements] to be fully initialized and trap otherwise.
2756 // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
2757 // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always
2758 // return a fully initialized value.
2759 void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements,
2760 bool HasRoundingMode = false) {
2761 IRBuilder<> IRB(&I);
2762 Value *CopyOp, *ConvertOp;
2763
2764 assert((!HasRoundingMode ||
2765 isa<ConstantInt>(I.getArgOperand(I.getNumArgOperands() - 1))) &&
2766 "Invalid rounding mode");
2767
2768 switch (I.getNumArgOperands() - HasRoundingMode) {
2769 case 2:
2770 CopyOp = I.getArgOperand(0);
2771 ConvertOp = I.getArgOperand(1);
2772 break;
2773 case 1:
2774 ConvertOp = I.getArgOperand(0);
2775 CopyOp = nullptr;
2776 break;
2777 default:
2778 llvm_unreachable("Cvt intrinsic with unsupported number of arguments.");
2779 }
2780
2781 // The first *NumUsedElements* elements of ConvertOp are converted to the
2782 // same number of output elements. The rest of the output is copied from
2783 // CopyOp, or (if not available) filled with zeroes.
2784 // Combine shadow for elements of ConvertOp that are used in this operation,
2785 // and insert a check.
2786 // FIXME: consider propagating shadow of ConvertOp, at least in the case of
2787 // int->any conversion.
2788 Value *ConvertShadow = getShadow(ConvertOp);
2789 Value *AggShadow = nullptr;
2790 if (ConvertOp->getType()->isVectorTy()) {
2791 AggShadow = IRB.CreateExtractElement(
2792 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
2793 for (int i = 1; i < NumUsedElements; ++i) {
2794 Value *MoreShadow = IRB.CreateExtractElement(
2795 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i));
2796 AggShadow = IRB.CreateOr(AggShadow, MoreShadow);
2797 }
2798 } else {
2799 AggShadow = ConvertShadow;
2800 }
2801 assert(AggShadow->getType()->isIntegerTy());
2802 insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I);
2803
2804 // Build result shadow by zero-filling parts of CopyOp shadow that come from
2805 // ConvertOp.
2806 if (CopyOp) {
2807 assert(CopyOp->getType() == I.getType());
2808 assert(CopyOp->getType()->isVectorTy());
2809 Value *ResultShadow = getShadow(CopyOp);
2810 Type *EltTy = cast<VectorType>(ResultShadow->getType())->getElementType();
2811 for (int i = 0; i < NumUsedElements; ++i) {
2812 ResultShadow = IRB.CreateInsertElement(
2813 ResultShadow, ConstantInt::getNullValue(EltTy),
2814 ConstantInt::get(IRB.getInt32Ty(), i));
2815 }
2816 setShadow(&I, ResultShadow);
2817 setOrigin(&I, getOrigin(CopyOp));
2818 } else {
2819 setShadow(&I, getCleanShadow(&I));
2820 setOrigin(&I, getCleanOrigin());
2821 }
2822 }
2823
2824 // Given a scalar or vector, extract lower 64 bits (or less), and return all
2825 // zeroes if it is zero, and all ones otherwise.
2826 Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
2827 if (S->getType()->isVectorTy())
2828 S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true);
2829 assert(S->getType()->getPrimitiveSizeInBits() <= 64);
2830 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
2831 return CreateShadowCast(IRB, S2, T, /* Signed */ true);
2832 }
2833
2834 // Given a vector, extract its first element, and return all
2835 // zeroes if it is zero, and all ones otherwise.
2836 Value *LowerElementShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
2837 Value *S1 = IRB.CreateExtractElement(S, (uint64_t)0);
2838 Value *S2 = IRB.CreateICmpNE(S1, getCleanShadow(S1));
2839 return CreateShadowCast(IRB, S2, T, /* Signed */ true);
2840 }
2841
2842 Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) {
2843 Type *T = S->getType();
2844 assert(T->isVectorTy());
2845 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
2846 return IRB.CreateSExt(S2, T);
2847 }
2848
2849 // Instrument vector shift intrinsic.
2850 //
2851 // This function instruments intrinsics like int_x86_avx2_psll_w.
2852 // Intrinsic shifts %In by %ShiftSize bits.
2853 // %ShiftSize may be a vector. In that case the lower 64 bits determine shift
2854 // size, and the rest is ignored. Behavior is defined even if shift size is
2855 // greater than register (or field) width.
2856 void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) {
2857 assert(I.getNumArgOperands() == 2);
2858 IRBuilder<> IRB(&I);
2859 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2860 // Otherwise perform the same shift on S1.
2861 Value *S1 = getShadow(&I, 0);
2862 Value *S2 = getShadow(&I, 1);
2863 Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2)
2864 : Lower64ShadowExtend(IRB, S2, getShadowTy(&I));
2865 Value *V1 = I.getOperand(0);
2866 Value *V2 = I.getOperand(1);
2867 Value *Shift = IRB.CreateCall(I.getFunctionType(), I.getCalledOperand(),
2868 {IRB.CreateBitCast(S1, V1->getType()), V2});
2869 Shift = IRB.CreateBitCast(Shift, getShadowTy(&I));
2870 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2871 setOriginForNaryOp(I);
2872 }
2873
2874 // Get an X86_MMX-sized vector type.
2875 Type *getMMXVectorTy(unsigned EltSizeInBits) {
2876 const unsigned X86_MMXSizeInBits = 64;
2877 assert(EltSizeInBits != 0 && (X86_MMXSizeInBits % EltSizeInBits) == 0 &&
2878 "Illegal MMX vector element size");
2879 return FixedVectorType::get(IntegerType::get(*MS.C, EltSizeInBits),
2880 X86_MMXSizeInBits / EltSizeInBits);
2881 }
2882
2883 // Returns a signed counterpart for an (un)signed-saturate-and-pack
2884 // intrinsic.
2885 Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) {
2886 switch (id) {
2887 case Intrinsic::x86_sse2_packsswb_128:
2888 case Intrinsic::x86_sse2_packuswb_128:
2889 return Intrinsic::x86_sse2_packsswb_128;
2890
2891 case Intrinsic::x86_sse2_packssdw_128:
2892 case Intrinsic::x86_sse41_packusdw:
2893 return Intrinsic::x86_sse2_packssdw_128;
2894
2895 case Intrinsic::x86_avx2_packsswb:
2896 case Intrinsic::x86_avx2_packuswb:
2897 return Intrinsic::x86_avx2_packsswb;
2898
2899 case Intrinsic::x86_avx2_packssdw:
2900 case Intrinsic::x86_avx2_packusdw:
2901 return Intrinsic::x86_avx2_packssdw;
2902
2903 case Intrinsic::x86_mmx_packsswb:
2904 case Intrinsic::x86_mmx_packuswb:
2905 return Intrinsic::x86_mmx_packsswb;
2906
2907 case Intrinsic::x86_mmx_packssdw:
2908 return Intrinsic::x86_mmx_packssdw;
2909 default:
2910 llvm_unreachable("unexpected intrinsic id");
2911 }
2912 }
2913
2914 // Instrument vector pack intrinsic.
2915 //
2916 // This function instruments intrinsics like x86_mmx_packsswb, that
2917 // packs elements of 2 input vectors into half as many bits with saturation.
2918 // Shadow is propagated with the signed variant of the same intrinsic applied
2919 // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer).
2920 // EltSizeInBits is used only for x86mmx arguments.
2921 void handleVectorPackIntrinsic(IntrinsicInst &I, unsigned EltSizeInBits = 0) {
2922 assert(I.getNumArgOperands() == 2);
2923 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2924 IRBuilder<> IRB(&I);
2925 Value *S1 = getShadow(&I, 0);
2926 Value *S2 = getShadow(&I, 1);
2927 assert(isX86_MMX || S1->getType()->isVectorTy());
2928
2929 // SExt and ICmpNE below must apply to individual elements of input vectors.
2930 // In case of x86mmx arguments, cast them to appropriate vector types and
2931 // back.
2932 Type *T = isX86_MMX ? getMMXVectorTy(EltSizeInBits) : S1->getType();
2933 if (isX86_MMX) {
2934 S1 = IRB.CreateBitCast(S1, T);
2935 S2 = IRB.CreateBitCast(S2, T);
2936 }
2937 Value *S1_ext = IRB.CreateSExt(
2938 IRB.CreateICmpNE(S1, Constant::getNullValue(T)), T);
2939 Value *S2_ext = IRB.CreateSExt(
2940 IRB.CreateICmpNE(S2, Constant::getNullValue(T)), T);
2941 if (isX86_MMX) {
2942 Type *X86_MMXTy = Type::getX86_MMXTy(*MS.C);
2943 S1_ext = IRB.CreateBitCast(S1_ext, X86_MMXTy);
2944 S2_ext = IRB.CreateBitCast(S2_ext, X86_MMXTy);
2945 }
2946
2947 Function *ShadowFn = Intrinsic::getDeclaration(
2948 F.getParent(), getSignedPackIntrinsic(I.getIntrinsicID()));
2949
2950 Value *S =
2951 IRB.CreateCall(ShadowFn, {S1_ext, S2_ext}, "_msprop_vector_pack");
2952 if (isX86_MMX) S = IRB.CreateBitCast(S, getShadowTy(&I));
2953 setShadow(&I, S);
2954 setOriginForNaryOp(I);
2955 }
2956
2957 // Instrument sum-of-absolute-differences intrinsic.
2958 void handleVectorSadIntrinsic(IntrinsicInst &I) {
2959 const unsigned SignificantBitsPerResultElement = 16;
2960 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2961 Type *ResTy = isX86_MMX ? IntegerType::get(*MS.C, 64) : I.getType();
2962 unsigned ZeroBitsPerResultElement =
2963 ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement;
2964
2965 IRBuilder<> IRB(&I);
2966 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2967 S = IRB.CreateBitCast(S, ResTy);
2968 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
2969 ResTy);
2970 S = IRB.CreateLShr(S, ZeroBitsPerResultElement);
2971 S = IRB.CreateBitCast(S, getShadowTy(&I));
2972 setShadow(&I, S);
2973 setOriginForNaryOp(I);
2974 }
2975
2976 // Instrument multiply-add intrinsic.
2977 void handleVectorPmaddIntrinsic(IntrinsicInst &I,
2978 unsigned EltSizeInBits = 0) {
2979 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2980 Type *ResTy = isX86_MMX ? getMMXVectorTy(EltSizeInBits * 2) : I.getType();
2981 IRBuilder<> IRB(&I);
2982 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2983 S = IRB.CreateBitCast(S, ResTy);
2984 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
2985 ResTy);
2986 S = IRB.CreateBitCast(S, getShadowTy(&I));
2987 setShadow(&I, S);
2988 setOriginForNaryOp(I);
2989 }
2990
2991 // Instrument compare-packed intrinsic.
2992 // Basically, an or followed by sext(icmp ne 0) to end up with all-zeros or
2993 // all-ones shadow.
2994 void handleVectorComparePackedIntrinsic(IntrinsicInst &I) {
2995 IRBuilder<> IRB(&I);
2996 Type *ResTy = getShadowTy(&I);
2997 Value *S0 = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2998 Value *S = IRB.CreateSExt(
2999 IRB.CreateICmpNE(S0, Constant::getNullValue(ResTy)), ResTy);
3000 setShadow(&I, S);
3001 setOriginForNaryOp(I);
3002 }
3003
3004 // Instrument compare-scalar intrinsic.
3005 // This handles both cmp* intrinsics which return the result in the first
3006 // element of a vector, and comi* which return the result as i32.
3007 void handleVectorCompareScalarIntrinsic(IntrinsicInst &I) {
3008 IRBuilder<> IRB(&I);
3009 Value *S0 = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
3010 Value *S = LowerElementShadowExtend(IRB, S0, getShadowTy(&I));
3011 setShadow(&I, S);
3012 setOriginForNaryOp(I);
3013 }
3014
3015 // Instrument generic vector reduction intrinsics
3016 // by ORing together all their fields.
3017 void handleVectorReduceIntrinsic(IntrinsicInst &I) {
3018 IRBuilder<> IRB(&I);
3019 Value *S = IRB.CreateOrReduce(getShadow(&I, 0));
3020 setShadow(&I, S);
3021 setOrigin(&I, getOrigin(&I, 0));
3022 }
3023
3024 // Instrument vector.reduce.or intrinsic.
3025 // Valid (non-poisoned) set bits in the operand pull low the
3026 // corresponding shadow bits.
3027 void handleVectorReduceOrIntrinsic(IntrinsicInst &I) {
3028 IRBuilder<> IRB(&I);
3029 Value *OperandShadow = getShadow(&I, 0);
3030 Value *OperandUnsetBits = IRB.CreateNot(I.getOperand(0));
3031 Value *OperandUnsetOrPoison = IRB.CreateOr(OperandUnsetBits, OperandShadow);
3032 // Bit N is clean if any field's bit N is 1 and unpoison
3033 Value *OutShadowMask = IRB.CreateAndReduce(OperandUnsetOrPoison);
3034 // Otherwise, it is clean if every field's bit N is unpoison
3035 Value *OrShadow = IRB.CreateOrReduce(OperandShadow);
3036 Value *S = IRB.CreateAnd(OutShadowMask, OrShadow);
3037
3038 setShadow(&I, S);
3039 setOrigin(&I, getOrigin(&I, 0));
3040 }
3041
3042 // Instrument vector.reduce.and intrinsic.
3043 // Valid (non-poisoned) unset bits in the operand pull down the
3044 // corresponding shadow bits.
3045 void handleVectorReduceAndIntrinsic(IntrinsicInst &I) {
3046 IRBuilder<> IRB(&I);
3047 Value *OperandShadow = getShadow(&I, 0);
3048 Value *OperandSetOrPoison = IRB.CreateOr(I.getOperand(0), OperandShadow);
3049 // Bit N is clean if any field's bit N is 0 and unpoison
3050 Value *OutShadowMask = IRB.CreateAndReduce(OperandSetOrPoison);
3051 // Otherwise, it is clean if every field's bit N is unpoison
3052 Value *OrShadow = IRB.CreateOrReduce(OperandShadow);
3053 Value *S = IRB.CreateAnd(OutShadowMask, OrShadow);
3054
3055 setShadow(&I, S);
3056 setOrigin(&I, getOrigin(&I, 0));
3057 }
3058
3059 void handleStmxcsr(IntrinsicInst &I) {
3060 IRBuilder<> IRB(&I);
3061 Value* Addr = I.getArgOperand(0);
3062 Type *Ty = IRB.getInt32Ty();
3063 Value *ShadowPtr =
3064 getShadowOriginPtr(Addr, IRB, Ty, Align(1), /*isStore*/ true).first;
3065
3066 IRB.CreateStore(getCleanShadow(Ty),
3067 IRB.CreatePointerCast(ShadowPtr, Ty->getPointerTo()));
3068
3069 if (ClCheckAccessAddress)
3070 insertShadowCheck(Addr, &I);
3071 }
3072
3073 void handleLdmxcsr(IntrinsicInst &I) {
3074 if (!InsertChecks) return;
3075
3076 IRBuilder<> IRB(&I);
3077 Value *Addr = I.getArgOperand(0);
3078 Type *Ty = IRB.getInt32Ty();
3079 const Align Alignment = Align(1);
3080 Value *ShadowPtr, *OriginPtr;
3081 std::tie(ShadowPtr, OriginPtr) =
3082 getShadowOriginPtr(Addr, IRB, Ty, Alignment, /*isStore*/ false);
3083
3084 if (ClCheckAccessAddress)
3085 insertShadowCheck(Addr, &I);
3086
3087 Value *Shadow = IRB.CreateAlignedLoad(Ty, ShadowPtr, Alignment, "_ldmxcsr");
3088 Value *Origin = MS.TrackOrigins ? IRB.CreateLoad(MS.OriginTy, OriginPtr)
3089 : getCleanOrigin();
3090 insertShadowCheck(Shadow, Origin, &I);
3091 }
3092
3093 void handleMaskedStore(IntrinsicInst &I) {
3094 IRBuilder<> IRB(&I);
3095 Value *V = I.getArgOperand(0);
3096 Value *Addr = I.getArgOperand(1);
3097 const Align Alignment(
3098 cast<ConstantInt>(I.getArgOperand(2))->getZExtValue());
3099 Value *Mask = I.getArgOperand(3);
3100 Value *Shadow = getShadow(V);
3101
3102 Value *ShadowPtr;
3103 Value *OriginPtr;
3104 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
3105 Addr, IRB, Shadow->getType(), Alignment, /*isStore*/ true);
3106
3107 if (ClCheckAccessAddress) {
3108 insertShadowCheck(Addr, &I);
3109 // Uninitialized mask is kind of like uninitialized address, but not as
3110 // scary.
3111 insertShadowCheck(Mask, &I);
3112 }
3113
3114 IRB.CreateMaskedStore(Shadow, ShadowPtr, Alignment, Mask);
3115
3116 if (MS.TrackOrigins) {
3117 auto &DL = F.getParent()->getDataLayout();
3118 paintOrigin(IRB, getOrigin(V), OriginPtr,
3119 DL.getTypeStoreSize(Shadow->getType()),
3120 std::max(Alignment, kMinOriginAlignment));
3121 }
3122 }
3123
3124 bool handleMaskedLoad(IntrinsicInst &I) {
3125 IRBuilder<> IRB(&I);
3126 Value *Addr = I.getArgOperand(0);
3127 const Align Alignment(
3128 cast<ConstantInt>(I.getArgOperand(1))->getZExtValue());
3129 Value *Mask = I.getArgOperand(2);
3130 Value *PassThru = I.getArgOperand(3);
3131
3132 Type *ShadowTy = getShadowTy(&I);
3133 Value *ShadowPtr, *OriginPtr;
3134 if (PropagateShadow) {
3135 std::tie(ShadowPtr, OriginPtr) =
3136 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
3137 setShadow(&I, IRB.CreateMaskedLoad(ShadowTy, ShadowPtr, Alignment, Mask,
3138 getShadow(PassThru), "_msmaskedld"));
3139 } else {
3140 setShadow(&I, getCleanShadow(&I));
3141 }
3142
3143 if (ClCheckAccessAddress) {
3144 insertShadowCheck(Addr, &I);
3145 insertShadowCheck(Mask, &I);
3146 }
3147
3148 if (MS.TrackOrigins) {
3149 if (PropagateShadow) {
3150 // Choose between PassThru's and the loaded value's origins.
3151 Value *MaskedPassThruShadow = IRB.CreateAnd(
3152 getShadow(PassThru), IRB.CreateSExt(IRB.CreateNeg(Mask), ShadowTy));
3153
3154 Value *Acc = IRB.CreateExtractElement(
3155 MaskedPassThruShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
3156 for (int i = 1, N = cast<FixedVectorType>(PassThru->getType())
3157 ->getNumElements();
3158 i < N; ++i) {
3159 Value *More = IRB.CreateExtractElement(
3160 MaskedPassThruShadow, ConstantInt::get(IRB.getInt32Ty(), i));
3161 Acc = IRB.CreateOr(Acc, More);
3162 }
3163
3164 Value *Origin = IRB.CreateSelect(
3165 IRB.CreateICmpNE(Acc, Constant::getNullValue(Acc->getType())),
3166 getOrigin(PassThru), IRB.CreateLoad(MS.OriginTy, OriginPtr));
3167
3168 setOrigin(&I, Origin);
3169 } else {
3170 setOrigin(&I, getCleanOrigin());
3171 }
3172 }
3173 return true;
3174 }
3175
3176 // Instrument BMI / BMI2 intrinsics.
3177 // All of these intrinsics are Z = I(X, Y)
3178 // where the types of all operands and the result match, and are either i32 or i64.
3179 // The following instrumentation happens to work for all of them:
3180 // Sz = I(Sx, Y) | (sext (Sy != 0))
3181 void handleBmiIntrinsic(IntrinsicInst &I) {
3182 IRBuilder<> IRB(&I);
3183 Type *ShadowTy = getShadowTy(&I);
3184
3185 // If any bit of the mask operand is poisoned, then the whole thing is.
3186 Value *SMask = getShadow(&I, 1);
3187 SMask = IRB.CreateSExt(IRB.CreateICmpNE(SMask, getCleanShadow(ShadowTy)),
3188 ShadowTy);
3189 // Apply the same intrinsic to the shadow of the first operand.
3190 Value *S = IRB.CreateCall(I.getCalledFunction(),
3191 {getShadow(&I, 0), I.getOperand(1)});
3192 S = IRB.CreateOr(SMask, S);
3193 setShadow(&I, S);
3194 setOriginForNaryOp(I);
3195 }
3196
3197 SmallVector<int, 8> getPclmulMask(unsigned Width, bool OddElements) {
3198 SmallVector<int, 8> Mask;
3199 for (unsigned X = OddElements ? 1 : 0; X < Width; X += 2) {
3200 Mask.append(2, X);
3201 }
3202 return Mask;
3203 }
3204
3205 // Instrument pclmul intrinsics.
3206 // These intrinsics operate either on odd or on even elements of the input
3207 // vectors, depending on the constant in the 3rd argument, ignoring the rest.
3208 // Replace the unused elements with copies of the used ones, ex:
3209 // (0, 1, 2, 3) -> (0, 0, 2, 2) (even case)
3210 // or
3211 // (0, 1, 2, 3) -> (1, 1, 3, 3) (odd case)
3212 // and then apply the usual shadow combining logic.
3213 void handlePclmulIntrinsic(IntrinsicInst &I) {
3214 IRBuilder<> IRB(&I);
3215 unsigned Width =
3216 cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements();
3217 assert(isa<ConstantInt>(I.getArgOperand(2)) &&
3218 "pclmul 3rd operand must be a constant");
3219 unsigned Imm = cast<ConstantInt>(I.getArgOperand(2))->getZExtValue();
3220 Value *Shuf0 = IRB.CreateShuffleVector(getShadow(&I, 0),
3221 getPclmulMask(Width, Imm & 0x01));
3222 Value *Shuf1 = IRB.CreateShuffleVector(getShadow(&I, 1),
3223 getPclmulMask(Width, Imm & 0x10));
3224 ShadowAndOriginCombiner SOC(this, IRB);
3225 SOC.Add(Shuf0, getOrigin(&I, 0));
3226 SOC.Add(Shuf1, getOrigin(&I, 1));
3227 SOC.Done(&I);
3228 }
3229
3230 // Instrument _mm_*_sd intrinsics
3231 void handleUnarySdIntrinsic(IntrinsicInst &I) {
3232 IRBuilder<> IRB(&I);
3233 Value *First = getShadow(&I, 0);
3234 Value *Second = getShadow(&I, 1);
3235 // High word of first operand, low word of second
3236 Value *Shadow =
3237 IRB.CreateShuffleVector(First, Second, llvm::makeArrayRef<int>({2, 1}));
3238
3239 setShadow(&I, Shadow);
3240 setOriginForNaryOp(I);
3241 }
3242
3243 void handleBinarySdIntrinsic(IntrinsicInst &I) {
3244 IRBuilder<> IRB(&I);
3245 Value *First = getShadow(&I, 0);
3246 Value *Second = getShadow(&I, 1);
3247 Value *OrShadow = IRB.CreateOr(First, Second);
3248 // High word of first operand, low word of both OR'd together
3249 Value *Shadow = IRB.CreateShuffleVector(First, OrShadow,
3250 llvm::makeArrayRef<int>({2, 1}));
3251
3252 setShadow(&I, Shadow);
3253 setOriginForNaryOp(I);
3254 }
3255
3256 // Instrument abs intrinsic.
3257 // handleUnknownIntrinsic can't handle it because of the last
3258 // is_int_min_poison argument which does not match the result type.
3259 void handleAbsIntrinsic(IntrinsicInst &I) {
3260 assert(I.getType()->isIntOrIntVectorTy());
3261 assert(I.getArgOperand(0)->getType() == I.getType());
3262
3263 // FIXME: Handle is_int_min_poison.
3264 IRBuilder<> IRB(&I);
3265 setShadow(&I, getShadow(&I, 0));
3266 setOrigin(&I, getOrigin(&I, 0));
3267 }
3268
3269 void visitIntrinsicInst(IntrinsicInst &I) {
3270 switch (I.getIntrinsicID()) {
3271 case Intrinsic::abs:
3272 handleAbsIntrinsic(I);
3273 break;
3274 case Intrinsic::lifetime_start:
3275 handleLifetimeStart(I);
3276 break;
3277 case Intrinsic::launder_invariant_group:
3278 case Intrinsic::strip_invariant_group:
3279 handleInvariantGroup(I);
3280 break;
3281 case Intrinsic::bswap:
3282 handleBswap(I);
3283 break;
3284 case Intrinsic::masked_store:
3285 handleMaskedStore(I);
3286 break;
3287 case Intrinsic::masked_load:
3288 handleMaskedLoad(I);
3289 break;
3290 case Intrinsic::vector_reduce_and:
3291 handleVectorReduceAndIntrinsic(I);
3292 break;
3293 case Intrinsic::vector_reduce_or:
3294 handleVectorReduceOrIntrinsic(I);
3295 break;
3296 case Intrinsic::vector_reduce_add:
3297 case Intrinsic::vector_reduce_xor:
3298 case Intrinsic::vector_reduce_mul:
3299 handleVectorReduceIntrinsic(I);
3300 break;
3301 case Intrinsic::x86_sse_stmxcsr:
3302 handleStmxcsr(I);
3303 break;
3304 case Intrinsic::x86_sse_ldmxcsr:
3305 handleLdmxcsr(I);
3306 break;
3307 case Intrinsic::x86_avx512_vcvtsd2usi64:
3308 case Intrinsic::x86_avx512_vcvtsd2usi32:
3309 case Intrinsic::x86_avx512_vcvtss2usi64:
3310 case Intrinsic::x86_avx512_vcvtss2usi32:
3311 case Intrinsic::x86_avx512_cvttss2usi64:
3312 case Intrinsic::x86_avx512_cvttss2usi:
3313 case Intrinsic::x86_avx512_cvttsd2usi64:
3314 case Intrinsic::x86_avx512_cvttsd2usi:
3315 case Intrinsic::x86_avx512_cvtusi2ss:
3316 case Intrinsic::x86_avx512_cvtusi642sd:
3317 case Intrinsic::x86_avx512_cvtusi642ss:
3318 handleVectorConvertIntrinsic(I, 1, true);
3319 break;
3320 case Intrinsic::x86_sse2_cvtsd2si64:
3321 case Intrinsic::x86_sse2_cvtsd2si:
3322 case Intrinsic::x86_sse2_cvtsd2ss:
3323 case Intrinsic::x86_sse2_cvttsd2si64:
3324 case Intrinsic::x86_sse2_cvttsd2si:
3325 case Intrinsic::x86_sse_cvtss2si64:
3326 case Intrinsic::x86_sse_cvtss2si:
3327 case Intrinsic::x86_sse_cvttss2si64:
3328 case Intrinsic::x86_sse_cvttss2si:
3329 handleVectorConvertIntrinsic(I, 1);
3330 break;
3331 case Intrinsic::x86_sse_cvtps2pi:
3332 case Intrinsic::x86_sse_cvttps2pi:
3333 handleVectorConvertIntrinsic(I, 2);
3334 break;
3335
3336 case Intrinsic::x86_avx512_psll_w_512:
3337 case Intrinsic::x86_avx512_psll_d_512:
3338 case Intrinsic::x86_avx512_psll_q_512:
3339 case Intrinsic::x86_avx512_pslli_w_512:
3340 case Intrinsic::x86_avx512_pslli_d_512:
3341 case Intrinsic::x86_avx512_pslli_q_512:
3342 case Intrinsic::x86_avx512_psrl_w_512:
3343 case Intrinsic::x86_avx512_psrl_d_512:
3344 case Intrinsic::x86_avx512_psrl_q_512:
3345 case Intrinsic::x86_avx512_psra_w_512:
3346 case Intrinsic::x86_avx512_psra_d_512:
3347 case Intrinsic::x86_avx512_psra_q_512:
3348 case Intrinsic::x86_avx512_psrli_w_512:
3349 case Intrinsic::x86_avx512_psrli_d_512:
3350 case Intrinsic::x86_avx512_psrli_q_512:
3351 case Intrinsic::x86_avx512_psrai_w_512:
3352 case Intrinsic::x86_avx512_psrai_d_512:
3353 case Intrinsic::x86_avx512_psrai_q_512:
3354 case Intrinsic::x86_avx512_psra_q_256:
3355 case Intrinsic::x86_avx512_psra_q_128:
3356 case Intrinsic::x86_avx512_psrai_q_256:
3357 case Intrinsic::x86_avx512_psrai_q_128:
3358 case Intrinsic::x86_avx2_psll_w:
3359 case Intrinsic::x86_avx2_psll_d:
3360 case Intrinsic::x86_avx2_psll_q:
3361 case Intrinsic::x86_avx2_pslli_w:
3362 case Intrinsic::x86_avx2_pslli_d:
3363 case Intrinsic::x86_avx2_pslli_q:
3364 case Intrinsic::x86_avx2_psrl_w:
3365 case Intrinsic::x86_avx2_psrl_d:
3366 case Intrinsic::x86_avx2_psrl_q:
3367 case Intrinsic::x86_avx2_psra_w:
3368 case Intrinsic::x86_avx2_psra_d:
3369 case Intrinsic::x86_avx2_psrli_w:
3370 case Intrinsic::x86_avx2_psrli_d:
3371 case Intrinsic::x86_avx2_psrli_q:
3372 case Intrinsic::x86_avx2_psrai_w:
3373 case Intrinsic::x86_avx2_psrai_d:
3374 case Intrinsic::x86_sse2_psll_w:
3375 case Intrinsic::x86_sse2_psll_d:
3376 case Intrinsic::x86_sse2_psll_q:
3377 case Intrinsic::x86_sse2_pslli_w:
3378 case Intrinsic::x86_sse2_pslli_d:
3379 case Intrinsic::x86_sse2_pslli_q:
3380 case Intrinsic::x86_sse2_psrl_w:
3381 case Intrinsic::x86_sse2_psrl_d:
3382 case Intrinsic::x86_sse2_psrl_q:
3383 case Intrinsic::x86_sse2_psra_w:
3384 case Intrinsic::x86_sse2_psra_d:
3385 case Intrinsic::x86_sse2_psrli_w:
3386 case Intrinsic::x86_sse2_psrli_d:
3387 case Intrinsic::x86_sse2_psrli_q:
3388 case Intrinsic::x86_sse2_psrai_w:
3389 case Intrinsic::x86_sse2_psrai_d:
3390 case Intrinsic::x86_mmx_psll_w:
3391 case Intrinsic::x86_mmx_psll_d:
3392 case Intrinsic::x86_mmx_psll_q:
3393 case Intrinsic::x86_mmx_pslli_w:
3394 case Intrinsic::x86_mmx_pslli_d:
3395 case Intrinsic::x86_mmx_pslli_q:
3396 case Intrinsic::x86_mmx_psrl_w:
3397 case Intrinsic::x86_mmx_psrl_d:
3398 case Intrinsic::x86_mmx_psrl_q:
3399 case Intrinsic::x86_mmx_psra_w:
3400 case Intrinsic::x86_mmx_psra_d:
3401 case Intrinsic::x86_mmx_psrli_w:
3402 case Intrinsic::x86_mmx_psrli_d:
3403 case Intrinsic::x86_mmx_psrli_q:
3404 case Intrinsic::x86_mmx_psrai_w:
3405 case Intrinsic::x86_mmx_psrai_d:
3406 handleVectorShiftIntrinsic(I, /* Variable */ false);
3407 break;
3408 case Intrinsic::x86_avx2_psllv_d:
3409 case Intrinsic::x86_avx2_psllv_d_256:
3410 case Intrinsic::x86_avx512_psllv_d_512:
3411 case Intrinsic::x86_avx2_psllv_q:
3412 case Intrinsic::x86_avx2_psllv_q_256:
3413 case Intrinsic::x86_avx512_psllv_q_512:
3414 case Intrinsic::x86_avx2_psrlv_d:
3415 case Intrinsic::x86_avx2_psrlv_d_256:
3416 case Intrinsic::x86_avx512_psrlv_d_512:
3417 case Intrinsic::x86_avx2_psrlv_q:
3418 case Intrinsic::x86_avx2_psrlv_q_256:
3419 case Intrinsic::x86_avx512_psrlv_q_512:
3420 case Intrinsic::x86_avx2_psrav_d:
3421 case Intrinsic::x86_avx2_psrav_d_256:
3422 case Intrinsic::x86_avx512_psrav_d_512:
3423 case Intrinsic::x86_avx512_psrav_q_128:
3424 case Intrinsic::x86_avx512_psrav_q_256:
3425 case Intrinsic::x86_avx512_psrav_q_512:
3426 handleVectorShiftIntrinsic(I, /* Variable */ true);
3427 break;
3428
3429 case Intrinsic::x86_sse2_packsswb_128:
3430 case Intrinsic::x86_sse2_packssdw_128:
3431 case Intrinsic::x86_sse2_packuswb_128:
3432 case Intrinsic::x86_sse41_packusdw:
3433 case Intrinsic::x86_avx2_packsswb:
3434 case Intrinsic::x86_avx2_packssdw:
3435 case Intrinsic::x86_avx2_packuswb:
3436 case Intrinsic::x86_avx2_packusdw:
3437 handleVectorPackIntrinsic(I);
3438 break;
3439
3440 case Intrinsic::x86_mmx_packsswb:
3441 case Intrinsic::x86_mmx_packuswb:
3442 handleVectorPackIntrinsic(I, 16);
3443 break;
3444
3445 case Intrinsic::x86_mmx_packssdw:
3446 handleVectorPackIntrinsic(I, 32);
3447 break;
3448
3449 case Intrinsic::x86_mmx_psad_bw:
3450 case Intrinsic::x86_sse2_psad_bw:
3451 case Intrinsic::x86_avx2_psad_bw:
3452 handleVectorSadIntrinsic(I);
3453 break;
3454
3455 case Intrinsic::x86_sse2_pmadd_wd:
3456 case Intrinsic::x86_avx2_pmadd_wd:
3457 case Intrinsic::x86_ssse3_pmadd_ub_sw_128:
3458 case Intrinsic::x86_avx2_pmadd_ub_sw:
3459 handleVectorPmaddIntrinsic(I);
3460 break;
3461
3462 case Intrinsic::x86_ssse3_pmadd_ub_sw:
3463 handleVectorPmaddIntrinsic(I, 8);
3464 break;
3465
3466 case Intrinsic::x86_mmx_pmadd_wd:
3467 handleVectorPmaddIntrinsic(I, 16);
3468 break;
3469
3470 case Intrinsic::x86_sse_cmp_ss:
3471 case Intrinsic::x86_sse2_cmp_sd:
3472 case Intrinsic::x86_sse_comieq_ss:
3473 case Intrinsic::x86_sse_comilt_ss:
3474 case Intrinsic::x86_sse_comile_ss:
3475 case Intrinsic::x86_sse_comigt_ss:
3476 case Intrinsic::x86_sse_comige_ss:
3477 case Intrinsic::x86_sse_comineq_ss:
3478 case Intrinsic::x86_sse_ucomieq_ss:
3479 case Intrinsic::x86_sse_ucomilt_ss:
3480 case Intrinsic::x86_sse_ucomile_ss:
3481 case Intrinsic::x86_sse_ucomigt_ss:
3482 case Intrinsic::x86_sse_ucomige_ss:
3483 case Intrinsic::x86_sse_ucomineq_ss:
3484 case Intrinsic::x86_sse2_comieq_sd:
3485 case Intrinsic::x86_sse2_comilt_sd:
3486 case Intrinsic::x86_sse2_comile_sd:
3487 case Intrinsic::x86_sse2_comigt_sd:
3488 case Intrinsic::x86_sse2_comige_sd:
3489 case Intrinsic::x86_sse2_comineq_sd:
3490 case Intrinsic::x86_sse2_ucomieq_sd:
3491 case Intrinsic::x86_sse2_ucomilt_sd:
3492 case Intrinsic::x86_sse2_ucomile_sd:
3493 case Intrinsic::x86_sse2_ucomigt_sd:
3494 case Intrinsic::x86_sse2_ucomige_sd:
3495 case Intrinsic::x86_sse2_ucomineq_sd:
3496 handleVectorCompareScalarIntrinsic(I);
3497 break;
3498
3499 case Intrinsic::x86_sse_cmp_ps:
3500 case Intrinsic::x86_sse2_cmp_pd:
3501 // FIXME: For x86_avx_cmp_pd_256 and x86_avx_cmp_ps_256 this function
3502 // generates reasonably looking IR that fails in the backend with "Do not
3503 // know how to split the result of this operator!".
3504 handleVectorComparePackedIntrinsic(I);
3505 break;
3506
3507 case Intrinsic::x86_bmi_bextr_32:
3508 case Intrinsic::x86_bmi_bextr_64:
3509 case Intrinsic::x86_bmi_bzhi_32:
3510 case Intrinsic::x86_bmi_bzhi_64:
3511 case Intrinsic::x86_bmi_pdep_32:
3512 case Intrinsic::x86_bmi_pdep_64:
3513 case Intrinsic::x86_bmi_pext_32:
3514 case Intrinsic::x86_bmi_pext_64:
3515 handleBmiIntrinsic(I);
3516 break;
3517
3518 case Intrinsic::x86_pclmulqdq:
3519 case Intrinsic::x86_pclmulqdq_256:
3520 case Intrinsic::x86_pclmulqdq_512:
3521 handlePclmulIntrinsic(I);
3522 break;
3523
3524 case Intrinsic::x86_sse41_round_sd:
3525 handleUnarySdIntrinsic(I);
3526 break;
3527 case Intrinsic::x86_sse2_max_sd:
3528 case Intrinsic::x86_sse2_min_sd:
3529 handleBinarySdIntrinsic(I);
3530 break;
3531
3532 case Intrinsic::fshl:
3533 case Intrinsic::fshr:
3534 handleFunnelShift(I);
3535 break;
3536
3537 case Intrinsic::is_constant:
3538 // The result of llvm.is.constant() is always defined.
3539 setShadow(&I, getCleanShadow(&I));
3540 setOrigin(&I, getCleanOrigin());
3541 break;
3542
3543 default:
3544 if (!handleUnknownIntrinsic(I))
3545 visitInstruction(I);
3546 break;
3547 }
3548 }
3549
3550 void visitLibAtomicLoad(CallBase &CB) {
3551 // Since we use getNextNode here, we can't have CB terminate the BB.
3552 assert(isa<CallInst>(CB));
3553
3554 IRBuilder<> IRB(&CB);
3555 Value *Size = CB.getArgOperand(0);
3556 Value *SrcPtr = CB.getArgOperand(1);
3557 Value *DstPtr = CB.getArgOperand(2);
3558 Value *Ordering = CB.getArgOperand(3);
3559 // Convert the call to have at least Acquire ordering to make sure
3560 // the shadow operations aren't reordered before it.
3561 Value *NewOrdering =
3562 IRB.CreateExtractElement(makeAddAcquireOrderingTable(IRB), Ordering);
3563 CB.setArgOperand(3, NewOrdering);
3564
3565 IRBuilder<> NextIRB(CB.getNextNode());
3566 NextIRB.SetCurrentDebugLocation(CB.getDebugLoc());
3567
3568 Value *SrcShadowPtr, *SrcOriginPtr;
3569 std::tie(SrcShadowPtr, SrcOriginPtr) =
3570 getShadowOriginPtr(SrcPtr, NextIRB, NextIRB.getInt8Ty(), Align(1),
3571 /*isStore*/ false);
3572 Value *DstShadowPtr =
3573 getShadowOriginPtr(DstPtr, NextIRB, NextIRB.getInt8Ty(), Align(1),
3574 /*isStore*/ true)
3575 .first;
3576
3577 NextIRB.CreateMemCpy(DstShadowPtr, Align(1), SrcShadowPtr, Align(1), Size);
3578 if (MS.TrackOrigins) {
3579 Value *SrcOrigin = NextIRB.CreateAlignedLoad(MS.OriginTy, SrcOriginPtr,
3580 kMinOriginAlignment);
3581 Value *NewOrigin = updateOrigin(SrcOrigin, NextIRB);
3582 NextIRB.CreateCall(MS.MsanSetOriginFn, {DstPtr, Size, NewOrigin});
3583 }
3584 }
3585
3586 void visitLibAtomicStore(CallBase &CB) {
3587 IRBuilder<> IRB(&CB);
3588 Value *Size = CB.getArgOperand(0);
3589 Value *DstPtr = CB.getArgOperand(2);
3590 Value *Ordering = CB.getArgOperand(3);
3591 // Convert the call to have at least Release ordering to make sure
3592 // the shadow operations aren't reordered after it.
3593 Value *NewOrdering =
3594 IRB.CreateExtractElement(makeAddReleaseOrderingTable(IRB), Ordering);
3595 CB.setArgOperand(3, NewOrdering);
3596
3597 Value *DstShadowPtr =
3598 getShadowOriginPtr(DstPtr, IRB, IRB.getInt8Ty(), Align(1),
3599 /*isStore*/ true)
3600 .first;
3601
3602 // Atomic store always paints clean shadow/origin. See file header.
3603 IRB.CreateMemSet(DstShadowPtr, getCleanShadow(IRB.getInt8Ty()), Size,
3604 Align(1));
3605 }
3606
3607 void visitCallBase(CallBase &CB) {
3608 assert(!CB.getMetadata("nosanitize"));
3609 if (CB.isInlineAsm()) {
3610 // For inline asm (either a call to asm function, or callbr instruction),
3611 // do the usual thing: check argument shadow and mark all outputs as
3612 // clean. Note that any side effects of the inline asm that are not
3613 // immediately visible in its constraints are not handled.
3614 if (ClHandleAsmConservative && MS.CompileKernel)
3615 visitAsmInstruction(CB);
3616 else
3617 visitInstruction(CB);
3618 return;
3619 }
3620 LibFunc LF;
3621 if (TLI->getLibFunc(CB, LF)) {
3622 // libatomic.a functions need to have special handling because there isn't
3623 // a good way to intercept them or compile the library with
3624 // instrumentation.
3625 switch (LF) {
3626 case LibFunc_atomic_load:
3627 if (!isa<CallInst>(CB)) {
3628 llvm::errs() << "MSAN -- cannot instrument invoke of libatomic load."
3629 "Ignoring!\n";
3630 break;
3631 }
3632 visitLibAtomicLoad(CB);
3633 return;
3634 case LibFunc_atomic_store:
3635 visitLibAtomicStore(CB);
3636 return;
3637 default:
3638 break;
3639 }
3640 }
3641
3642 if (auto *Call = dyn_cast<CallInst>(&CB)) {
3643 assert(!isa<IntrinsicInst>(Call) && "intrinsics are handled elsewhere");
3644
3645 // We are going to insert code that relies on the fact that the callee
3646 // will become a non-readonly function after it is instrumented by us. To
3647 // prevent this code from being optimized out, mark that function
3648 // non-readonly in advance.
3649 AttrBuilder B;
3650 B.addAttribute(Attribute::ReadOnly)
3651 .addAttribute(Attribute::ReadNone)
3652 .addAttribute(Attribute::WriteOnly)
3653 .addAttribute(Attribute::ArgMemOnly)
3654 .addAttribute(Attribute::Speculatable);
3655
3656 Call->removeFnAttrs(B);
3657 if (Function *Func = Call->getCalledFunction()) {
3658 Func->removeFnAttrs(B);
3659 }
3660
3661 maybeMarkSanitizerLibraryCallNoBuiltin(Call, TLI);
3662 }
3663 IRBuilder<> IRB(&CB);
3664 bool MayCheckCall = ClEagerChecks;
3665 if (Function *Func = CB.getCalledFunction()) {
3666 // __sanitizer_unaligned_{load,store} functions may be called by users
3667 // and always expects shadows in the TLS. So don't check them.
3668 MayCheckCall &= !Func->getName().startswith("__sanitizer_unaligned_");
3669 }
3670
3671 unsigned ArgOffset = 0;
3672 LLVM_DEBUG(dbgs() << " CallSite: " << CB << "\n");
3673 for (auto ArgIt = CB.arg_begin(), End = CB.arg_end(); ArgIt != End;
3674 ++ArgIt) {
3675 Value *A = *ArgIt;
3676 unsigned i = ArgIt - CB.arg_begin();
3677 if (!A->getType()->isSized()) {
3678 LLVM_DEBUG(dbgs() << "Arg " << i << " is not sized: " << CB << "\n");
3679 continue;
3680 }
3681 unsigned Size = 0;
3682 Value *Store = nullptr;
3683 // Compute the Shadow for arg even if it is ByVal, because
3684 // in that case getShadow() will copy the actual arg shadow to
3685 // __msan_param_tls.
3686 Value *ArgShadow = getShadow(A);
3687 Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset);
3688 LLVM_DEBUG(dbgs() << " Arg#" << i << ": " << *A
3689 << " Shadow: " << *ArgShadow << "\n");
3690 bool ArgIsInitialized = false;
3691 const DataLayout &DL = F.getParent()->getDataLayout();
3692
3693 bool ByVal = CB.paramHasAttr(i, Attribute::ByVal);
3694 bool NoUndef = CB.paramHasAttr(i, Attribute::NoUndef);
3695 bool EagerCheck = MayCheckCall && !ByVal && NoUndef;
3696
3697 if (EagerCheck) {
3698 insertShadowCheck(A, &CB);
3699 continue;
3700 }
3701 if (ByVal) {
3702 // ByVal requires some special handling as it's too big for a single
3703 // load
3704 assert(A->getType()->isPointerTy() &&
3705 "ByVal argument is not a pointer!");
3706 Size = DL.getTypeAllocSize(CB.getParamByValType(i));
3707 if (ArgOffset + Size > kParamTLSSize) break;
3708 const MaybeAlign ParamAlignment(CB.getParamAlign(i));
3709 MaybeAlign Alignment = llvm::None;
3710 if (ParamAlignment)
3711 Alignment = std::min(*ParamAlignment, kShadowTLSAlignment);
3712 Value *AShadowPtr =
3713 getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), Alignment,
3714 /*isStore*/ false)
3715 .first;
3716
3717 Store = IRB.CreateMemCpy(ArgShadowBase, Alignment, AShadowPtr,
3718 Alignment, Size);
3719 // TODO(glider): need to copy origins.
3720 } else {
3721 // Any other parameters mean we need bit-grained tracking of uninit data
3722 Size = DL.getTypeAllocSize(A->getType());
3723 if (ArgOffset + Size > kParamTLSSize) break;
3724 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase,
3725 kShadowTLSAlignment);
3726 Constant *Cst = dyn_cast<Constant>(ArgShadow);
3727 if (Cst && Cst->isNullValue()) ArgIsInitialized = true;
3728 }
3729 if (MS.TrackOrigins && !ArgIsInitialized)
3730 IRB.CreateStore(getOrigin(A),
3731 getOriginPtrForArgument(A, IRB, ArgOffset));
3732 (void)Store;
3733 assert(Size != 0 && Store != nullptr);
3734 LLVM_DEBUG(dbgs() << " Param:" << *Store << "\n");
3735 ArgOffset += alignTo(Size, kShadowTLSAlignment);
3736 }
3737 LLVM_DEBUG(dbgs() << " done with call args\n");
3738
3739 FunctionType *FT = CB.getFunctionType();
3740 if (FT->isVarArg()) {
3741 VAHelper->visitCallBase(CB, IRB);
3742 }
3743
3744 // Now, get the shadow for the RetVal.
3745 if (!CB.getType()->isSized())
3746 return;
3747 // Don't emit the epilogue for musttail call returns.
3748 if (isa<CallInst>(CB) && cast<CallInst>(CB).isMustTailCall())
3749 return;
3750
3751 if (MayCheckCall && CB.hasRetAttr(Attribute::NoUndef)) {
3752 setShadow(&CB, getCleanShadow(&CB));
3753 setOrigin(&CB, getCleanOrigin());
3754 return;
3755 }
3756
3757 IRBuilder<> IRBBefore(&CB);
3758 // Until we have full dynamic coverage, make sure the retval shadow is 0.
3759 Value *Base = getShadowPtrForRetval(&CB, IRBBefore);
3760 IRBBefore.CreateAlignedStore(getCleanShadow(&CB), Base,
3761 kShadowTLSAlignment);
3762 BasicBlock::iterator NextInsn;
3763 if (isa<CallInst>(CB)) {
3764 NextInsn = ++CB.getIterator();
3765 assert(NextInsn != CB.getParent()->end());
3766 } else {
3767 BasicBlock *NormalDest = cast<InvokeInst>(CB).getNormalDest();
3768 if (!NormalDest->getSinglePredecessor()) {
3769 // FIXME: this case is tricky, so we are just conservative here.
3770 // Perhaps we need to split the edge between this BB and NormalDest,
3771 // but a naive attempt to use SplitEdge leads to a crash.
3772 setShadow(&CB, getCleanShadow(&CB));
3773 setOrigin(&CB, getCleanOrigin());
3774 return;
3775 }
3776 // FIXME: NextInsn is likely in a basic block that has not been visited yet.
3777 // Anything inserted there will be instrumented by MSan later!
3778 NextInsn = NormalDest->getFirstInsertionPt();
3779 assert(NextInsn != NormalDest->end() &&
3780 "Could not find insertion point for retval shadow load");
3781 }
3782 IRBuilder<> IRBAfter(&*NextInsn);
3783 Value *RetvalShadow = IRBAfter.CreateAlignedLoad(
3784 getShadowTy(&CB), getShadowPtrForRetval(&CB, IRBAfter),
3785 kShadowTLSAlignment, "_msret");
3786 setShadow(&CB, RetvalShadow);
3787 if (MS.TrackOrigins)
3788 setOrigin(&CB, IRBAfter.CreateLoad(MS.OriginTy,
3789 getOriginPtrForRetval(IRBAfter)));
3790 }
3791
3792 bool isAMustTailRetVal(Value *RetVal) {
3793 if (auto *I = dyn_cast<BitCastInst>(RetVal)) {
3794 RetVal = I->getOperand(0);
3795 }
3796 if (auto *I = dyn_cast<CallInst>(RetVal)) {
3797 return I->isMustTailCall();
3798 }
3799 return false;
3800 }
3801
3802 void visitReturnInst(ReturnInst &I) {
3803 IRBuilder<> IRB(&I);
3804 Value *RetVal = I.getReturnValue();
3805 if (!RetVal) return;
3806 // Don't emit the epilogue for musttail call returns.
3807 if (isAMustTailRetVal(RetVal)) return;
3808 Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB);
3809 bool HasNoUndef =
3810 F.hasRetAttribute(Attribute::NoUndef);
3811 bool StoreShadow = !(ClEagerChecks && HasNoUndef);
3812 // FIXME: Consider using SpecialCaseList to specify a list of functions that
3813 // must always return fully initialized values. For now, we hardcode "main".
3814 bool EagerCheck = (ClEagerChecks && HasNoUndef) || (F.getName() == "main");
3815
3816 Value *Shadow = getShadow(RetVal);
3817 bool StoreOrigin = true;
3818 if (EagerCheck) {
3819 insertShadowCheck(RetVal, &I);
3820 Shadow = getCleanShadow(RetVal);
3821 StoreOrigin = false;
3822 }
3823
3824 // The caller may still expect information passed over TLS if we pass our
3825 // check
3826 if (StoreShadow) {
3827 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
3828 if (MS.TrackOrigins && StoreOrigin)
3829 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB));
3830 }
3831 }
3832
3833 void visitPHINode(PHINode &I) {
3834 IRBuilder<> IRB(&I);
3835 if (!PropagateShadow) {
3836 setShadow(&I, getCleanShadow(&I));
3837 setOrigin(&I, getCleanOrigin());
3838 return;
3839 }
3840
3841 ShadowPHINodes.push_back(&I);
3842 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
3843 "_msphi_s"));
3844 if (MS.TrackOrigins)
3845 setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(),
3846 "_msphi_o"));
3847 }
3848
3849 Value *getLocalVarDescription(AllocaInst &I) {
3850 SmallString<2048> StackDescriptionStorage;
3851 raw_svector_ostream StackDescription(StackDescriptionStorage);
3852 // We create a string with a description of the stack allocation and
3853 // pass it into __msan_set_alloca_origin.
3854 // It will be printed by the run-time if stack-originated UMR is found.
3855 // The first 4 bytes of the string are set to '----' and will be replaced
3856 // by __msan_va_arg_overflow_size_tls at the first call.
3857 StackDescription << "----" << I.getName() << "@" << F.getName();
3858 return createPrivateNonConstGlobalForString(*F.getParent(),
3859 StackDescription.str());
3860 }
3861
3862 void poisonAllocaUserspace(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
3863 if (PoisonStack && ClPoisonStackWithCall) {
3864 IRB.CreateCall(MS.MsanPoisonStackFn,
3865 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
3866 } else {
3867 Value *ShadowBase, *OriginBase;
3868 std::tie(ShadowBase, OriginBase) = getShadowOriginPtr(
3869 &I, IRB, IRB.getInt8Ty(), Align(1), /*isStore*/ true);
3870
3871 Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
3872 IRB.CreateMemSet(ShadowBase, PoisonValue, Len,
3873 MaybeAlign(I.getAlignment()));
3874 }
3875
3876 if (PoisonStack && MS.TrackOrigins) {
3877 Value *Descr = getLocalVarDescription(I);
3878 IRB.CreateCall(MS.MsanSetAllocaOrigin4Fn,
3879 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len,
3880 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()),
3881 IRB.CreatePointerCast(&F, MS.IntptrTy)});
3882 }
3883 }
3884
3885 void poisonAllocaKmsan(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
3886 Value *Descr = getLocalVarDescription(I);
3887 if (PoisonStack) {
3888 IRB.CreateCall(MS.MsanPoisonAllocaFn,
3889 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len,
3890 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy())});
3891 } else {
3892 IRB.CreateCall(MS.MsanUnpoisonAllocaFn,
3893 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
3894 }
3895 }
3896
3897 void instrumentAlloca(AllocaInst &I, Instruction *InsPoint = nullptr) {
3898 if (!InsPoint)
3899 InsPoint = &I;
3900 IRBuilder<> IRB(InsPoint->getNextNode());
3901 const DataLayout &DL = F.getParent()->getDataLayout();
3902 uint64_t TypeSize = DL.getTypeAllocSize(I.getAllocatedType());
3903 Value *Len = ConstantInt::get(MS.IntptrTy, TypeSize);
3904 if (I.isArrayAllocation())
3905 Len = IRB.CreateMul(Len, I.getArraySize());
3906
3907 if (MS.CompileKernel)
3908 poisonAllocaKmsan(I, IRB, Len);
3909 else
3910 poisonAllocaUserspace(I, IRB, Len);
3911 }
3912
3913 void visitAllocaInst(AllocaInst &I) {
3914 setShadow(&I, getCleanShadow(&I));
3915 setOrigin(&I, getCleanOrigin());
3916 // We'll get to this alloca later unless it's poisoned at the corresponding
3917 // llvm.lifetime.start.
3918 AllocaSet.insert(&I);
3919 }
3920
3921 void visitSelectInst(SelectInst& I) {
3922 IRBuilder<> IRB(&I);
3923 // a = select b, c, d
3924 Value *B = I.getCondition();
3925 Value *C = I.getTrueValue();
3926 Value *D = I.getFalseValue();
3927 Value *Sb = getShadow(B);
3928 Value *Sc = getShadow(C);
3929 Value *Sd = getShadow(D);
3930
3931 // Result shadow if condition shadow is 0.
3932 Value *Sa0 = IRB.CreateSelect(B, Sc, Sd);
3933 Value *Sa1;
3934 if (I.getType()->isAggregateType()) {
3935 // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do
3936 // an extra "select". This results in much more compact IR.
3937 // Sa = select Sb, poisoned, (select b, Sc, Sd)
3938 Sa1 = getPoisonedShadow(getShadowTy(I.getType()));
3939 } else {
3940 // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ]
3941 // If Sb (condition is poisoned), look for bits in c and d that are equal
3942 // and both unpoisoned.
3943 // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd.
3944
3945 // Cast arguments to shadow-compatible type.
3946 C = CreateAppToShadowCast(IRB, C);
3947 D = CreateAppToShadowCast(IRB, D);
3948
3949 // Result shadow if condition shadow is 1.
3950 Sa1 = IRB.CreateOr({IRB.CreateXor(C, D), Sc, Sd});
3951 }
3952 Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select");
3953 setShadow(&I, Sa);
3954 if (MS.TrackOrigins) {
3955 // Origins are always i32, so any vector conditions must be flattened.
3956 // FIXME: consider tracking vector origins for app vectors?
3957 if (B->getType()->isVectorTy()) {
3958 Type *FlatTy = getShadowTyNoVec(B->getType());
3959 B = IRB.CreateICmpNE(IRB.CreateBitCast(B, FlatTy),
3960 ConstantInt::getNullValue(FlatTy));
3961 Sb = IRB.CreateICmpNE(IRB.CreateBitCast(Sb, FlatTy),
3962 ConstantInt::getNullValue(FlatTy));
3963 }
3964 // a = select b, c, d
3965 // Oa = Sb ? Ob : (b ? Oc : Od)
3966 setOrigin(
3967 &I, IRB.CreateSelect(Sb, getOrigin(I.getCondition()),
3968 IRB.CreateSelect(B, getOrigin(I.getTrueValue()),
3969 getOrigin(I.getFalseValue()))));
3970 }
3971 }
3972
3973 void visitLandingPadInst(LandingPadInst &I) {
3974 // Do nothing.
3975 // See https://github.com/google/sanitizers/issues/504
3976 setShadow(&I, getCleanShadow(&I));
3977 setOrigin(&I, getCleanOrigin());
3978 }
3979
3980 void visitCatchSwitchInst(CatchSwitchInst &I) {
3981 setShadow(&I, getCleanShadow(&I));
3982 setOrigin(&I, getCleanOrigin());
3983 }
3984
3985 void visitFuncletPadInst(FuncletPadInst &I) {
3986 setShadow(&I, getCleanShadow(&I));
3987 setOrigin(&I, getCleanOrigin());
3988 }
3989
3990 void visitGetElementPtrInst(GetElementPtrInst &I) {
3991 handleShadowOr(I);
3992 }
3993
3994 void visitExtractValueInst(ExtractValueInst &I) {
3995 IRBuilder<> IRB(&I);
3996 Value *Agg = I.getAggregateOperand();
3997 LLVM_DEBUG(dbgs() << "ExtractValue: " << I << "\n");
3998 Value *AggShadow = getShadow(Agg);
3999 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n");
4000 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices());
4001 LLVM_DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n");
4002 setShadow(&I, ResShadow);
4003 setOriginForNaryOp(I);
4004 }
4005
4006 void visitInsertValueInst(InsertValueInst &I) {
4007 IRBuilder<> IRB(&I);
4008 LLVM_DEBUG(dbgs() << "InsertValue: " << I << "\n");
4009 Value *AggShadow = getShadow(I.getAggregateOperand());
4010 Value *InsShadow = getShadow(I.getInsertedValueOperand());
4011 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n");
4012 LLVM_DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n");
4013 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices());
4014 LLVM_DEBUG(dbgs() << " Res: " << *Res << "\n");
4015 setShadow(&I, Res);
4016 setOriginForNaryOp(I);
4017 }
4018
4019 void dumpInst(Instruction &I) {
4020 if (CallInst *CI = dyn_cast<CallInst>(&I)) {
4021 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n";
4022 } else {
4023 errs() << "ZZZ " << I.getOpcodeName() << "\n";
4024 }
4025 errs() << "QQQ " << I << "\n";
4026 }
4027
4028 void visitResumeInst(ResumeInst &I) {
4029 LLVM_DEBUG(dbgs() << "Resume: " << I << "\n");
4030 // Nothing to do here.
4031 }
4032
4033 void visitCleanupReturnInst(CleanupReturnInst &CRI) {
4034 LLVM_DEBUG(dbgs() << "CleanupReturn: " << CRI << "\n");
4035 // Nothing to do here.
4036 }
4037
4038 void visitCatchReturnInst(CatchReturnInst &CRI) {
4039 LLVM_DEBUG(dbgs() << "CatchReturn: " << CRI << "\n");
4040 // Nothing to do here.
4041 }
4042
4043 void instrumentAsmArgument(Value *Operand, Instruction &I, IRBuilder<> &IRB,
4044 const DataLayout &DL, bool isOutput) {
4045 // For each assembly argument, we check its value for being initialized.
4046 // If the argument is a pointer, we assume it points to a single element
4047 // of the corresponding type (or to a 8-byte word, if the type is unsized).
4048 // Each such pointer is instrumented with a call to the runtime library.
4049 Type *OpType = Operand->getType();
4050 // Check the operand value itself.
4051 insertShadowCheck(Operand, &I);
4052 if (!OpType->isPointerTy() || !isOutput) {
4053 assert(!isOutput);
4054 return;
4055 }
4056 Type *ElType = OpType->getPointerElementType();
4057 if (!ElType->isSized())
4058 return;
4059 int Size = DL.getTypeStoreSize(ElType);
4060 Value *Ptr = IRB.CreatePointerCast(Operand, IRB.getInt8PtrTy());
4061 Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
4062 IRB.CreateCall(MS.MsanInstrumentAsmStoreFn, {Ptr, SizeVal});
4063 }
4064
4065 /// Get the number of output arguments returned by pointers.
4066 int getNumOutputArgs(InlineAsm *IA, CallBase *CB) {
4067 int NumRetOutputs = 0;
4068 int NumOutputs = 0;
4069 Type *RetTy = cast<Value>(CB)->getType();
4070 if (!RetTy->isVoidTy()) {
4071 // Register outputs are returned via the CallInst return value.
4072 auto *ST = dyn_cast<StructType>(RetTy);
4073 if (ST)
4074 NumRetOutputs = ST->getNumElements();
4075 else
4076 NumRetOutputs = 1;
4077 }
4078 InlineAsm::ConstraintInfoVector Constraints = IA->ParseConstraints();
4079 for (const InlineAsm::ConstraintInfo &Info : Constraints) {
4080 switch (Info.Type) {
4081 case InlineAsm::isOutput:
4082 NumOutputs++;
4083 break;
4084 default:
4085 break;
4086 }
4087 }
4088 return NumOutputs - NumRetOutputs;
4089 }
4090
4091 void visitAsmInstruction(Instruction &I) {
4092 // Conservative inline assembly handling: check for poisoned shadow of
4093 // asm() arguments, then unpoison the result and all the memory locations
4094 // pointed to by those arguments.
4095 // An inline asm() statement in C++ contains lists of input and output
4096 // arguments used by the assembly code. These are mapped to operands of the
4097 // CallInst as follows:
4098 // - nR register outputs ("=r) are returned by value in a single structure
4099 // (SSA value of the CallInst);
4100 // - nO other outputs ("=m" and others) are returned by pointer as first
4101 // nO operands of the CallInst;
4102 // - nI inputs ("r", "m" and others) are passed to CallInst as the
4103 // remaining nI operands.
4104 // The total number of asm() arguments in the source is nR+nO+nI, and the
4105 // corresponding CallInst has nO+nI+1 operands (the last operand is the
4106 // function to be called).
4107 const DataLayout &DL = F.getParent()->getDataLayout();
4108 CallBase *CB = cast<CallBase>(&I);
4109 IRBuilder<> IRB(&I);
4110 InlineAsm *IA = cast<InlineAsm>(CB->getCalledOperand());
4111 int OutputArgs = getNumOutputArgs(IA, CB);
4112 // The last operand of a CallInst is the function itself.
4113 int NumOperands = CB->getNumOperands() - 1;
4114
4115 // Check input arguments. Doing so before unpoisoning output arguments, so
4116 // that we won't overwrite uninit values before checking them.
4117 for (int i = OutputArgs; i < NumOperands; i++) {
4118 Value *Operand = CB->getOperand(i);
4119 instrumentAsmArgument(Operand, I, IRB, DL, /*isOutput*/ false);
4120 }
4121 // Unpoison output arguments. This must happen before the actual InlineAsm
4122 // call, so that the shadow for memory published in the asm() statement
4123 // remains valid.
4124 for (int i = 0; i < OutputArgs; i++) {
4125 Value *Operand = CB->getOperand(i);
4126 instrumentAsmArgument(Operand, I, IRB, DL, /*isOutput*/ true);
4127 }
4128
4129 setShadow(&I, getCleanShadow(&I));
4130 setOrigin(&I, getCleanOrigin());
4131 }
4132
4133 void visitFreezeInst(FreezeInst &I) {
4134 // Freeze always returns a fully defined value.
4135 setShadow(&I, getCleanShadow(&I));
4136 setOrigin(&I, getCleanOrigin());
4137 }
4138
4139 void visitInstruction(Instruction &I) {
4140 // Everything else: stop propagating and check for poisoned shadow.
4141 if (ClDumpStrictInstructions)
4142 dumpInst(I);
4143 LLVM_DEBUG(dbgs() << "DEFAULT: " << I << "\n");
4144 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) {
4145 Value *Operand = I.getOperand(i);
4146 if (Operand->getType()->isSized())
4147 insertShadowCheck(Operand, &I);
4148 }
4149 setShadow(&I, getCleanShadow(&I));
4150 setOrigin(&I, getCleanOrigin());
4151 }
4152 };
4153
4154 /// AMD64-specific implementation of VarArgHelper.
4155 struct VarArgAMD64Helper : public VarArgHelper {
4156 // An unfortunate workaround for asymmetric lowering of va_arg stuff.
4157 // See a comment in visitCallBase for more details.
4158 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7
4159 static const unsigned AMD64FpEndOffsetSSE = 176;
4160 // If SSE is disabled, fp_offset in va_list is zero.
4161 static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset;
4162
4163 unsigned AMD64FpEndOffset;
4164 Function &F;
4165 MemorySanitizer &MS;
4166 MemorySanitizerVisitor &MSV;
4167 Value *VAArgTLSCopy = nullptr;
4168 Value *VAArgTLSOriginCopy = nullptr;
4169 Value *VAArgOverflowSize = nullptr;
4170
4171 SmallVector<CallInst*, 16> VAStartInstrumentationList;
4172
4173 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
4174
4175 VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
4176 MemorySanitizerVisitor &MSV)
4177 : F(F), MS(MS), MSV(MSV) {
4178 AMD64FpEndOffset = AMD64FpEndOffsetSSE;
4179 for (const auto &Attr : F.getAttributes().getFnAttrs()) {
4180 if (Attr.isStringAttribute() &&
4181 (Attr.getKindAsString() == "target-features")) {
4182 if (Attr.getValueAsString().contains("-sse"))
4183 AMD64FpEndOffset = AMD64FpEndOffsetNoSSE;
4184 break;
4185 }
4186 }
4187 }
4188
4189 ArgKind classifyArgument(Value* arg) {
4190 // A very rough approximation of X86_64 argument classification rules.
4191 Type *T = arg->getType();
4192 if (T->isFPOrFPVectorTy() || T->isX86_MMXTy())
4193 return AK_FloatingPoint;
4194 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
4195 return AK_GeneralPurpose;
4196 if (T->isPointerTy())
4197 return AK_GeneralPurpose;
4198 return AK_Memory;
4199 }
4200
4201 // For VarArg functions, store the argument shadow in an ABI-specific format
4202 // that corresponds to va_list layout.
4203 // We do this because Clang lowers va_arg in the frontend, and this pass
4204 // only sees the low level code that deals with va_list internals.
4205 // A much easier alternative (provided that Clang emits va_arg instructions)
4206 // would have been to associate each live instance of va_list with a copy of
4207 // MSanParamTLS, and extract shadow on va_arg() call in the argument list
4208 // order.
4209 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
4210 unsigned GpOffset = 0;
4211 unsigned FpOffset = AMD64GpEndOffset;
4212 unsigned OverflowOffset = AMD64FpEndOffset;
4213 const DataLayout &DL = F.getParent()->getDataLayout();
4214 for (auto ArgIt = CB.arg_begin(), End = CB.arg_end(); ArgIt != End;
4215 ++ArgIt) {
4216 Value *A = *ArgIt;
4217 unsigned ArgNo = CB.getArgOperandNo(ArgIt);
4218 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
4219 bool IsByVal = CB.paramHasAttr(ArgNo, Attribute::ByVal);
4220 if (IsByVal) {
4221 // ByVal arguments always go to the overflow area.
4222 // Fixed arguments passed through the overflow area will be stepped
4223 // over by va_start, so don't count them towards the offset.
4224 if (IsFixed)
4225 continue;
4226 assert(A->getType()->isPointerTy());
4227 Type *RealTy = CB.getParamByValType(ArgNo);
4228 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
4229 Value *ShadowBase = getShadowPtrForVAArgument(
4230 RealTy, IRB, OverflowOffset, alignTo(ArgSize, 8));
4231 Value *OriginBase = nullptr;
4232 if (MS.TrackOrigins)
4233 OriginBase = getOriginPtrForVAArgument(RealTy, IRB, OverflowOffset);
4234 OverflowOffset += alignTo(ArgSize, 8);
4235 if (!ShadowBase)
4236 continue;
4237 Value *ShadowPtr, *OriginPtr;
4238 std::tie(ShadowPtr, OriginPtr) =
4239 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment,
4240 /*isStore*/ false);
4241
4242 IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr,
4243 kShadowTLSAlignment, ArgSize);
4244 if (MS.TrackOrigins)
4245 IRB.CreateMemCpy(OriginBase, kShadowTLSAlignment, OriginPtr,
4246 kShadowTLSAlignment, ArgSize);
4247 } else {
4248 ArgKind AK = classifyArgument(A);
4249 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
4250 AK = AK_Memory;
4251 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
4252 AK = AK_Memory;
4253 Value *ShadowBase, *OriginBase = nullptr;
4254 switch (AK) {
4255 case AK_GeneralPurpose:
4256 ShadowBase =
4257 getShadowPtrForVAArgument(A->getType(), IRB, GpOffset, 8);
4258 if (MS.TrackOrigins)
4259 OriginBase =
4260 getOriginPtrForVAArgument(A->getType(), IRB, GpOffset);
4261 GpOffset += 8;
4262 break;
4263 case AK_FloatingPoint:
4264 ShadowBase =
4265 getShadowPtrForVAArgument(A->getType(), IRB, FpOffset, 16);
4266 if (MS.TrackOrigins)
4267 OriginBase =
4268 getOriginPtrForVAArgument(A->getType(), IRB, FpOffset);
4269 FpOffset += 16;
4270 break;
4271 case AK_Memory:
4272 if (IsFixed)
4273 continue;
4274 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
4275 ShadowBase =
4276 getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset, 8);
4277 if (MS.TrackOrigins)
4278 OriginBase =
4279 getOriginPtrForVAArgument(A->getType(), IRB, OverflowOffset);
4280 OverflowOffset += alignTo(ArgSize, 8);
4281 }
4282 // Take fixed arguments into account for GpOffset and FpOffset,
4283 // but don't actually store shadows for them.
4284 // TODO(glider): don't call get*PtrForVAArgument() for them.
4285 if (IsFixed)
4286 continue;
4287 if (!ShadowBase)
4288 continue;
4289 Value *Shadow = MSV.getShadow(A);
4290 IRB.CreateAlignedStore(Shadow, ShadowBase, kShadowTLSAlignment);
4291 if (MS.TrackOrigins) {
4292 Value *Origin = MSV.getOrigin(A);
4293 unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
4294 MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
4295 std::max(kShadowTLSAlignment, kMinOriginAlignment));
4296 }
4297 }
4298 }
4299 Constant *OverflowSize =
4300 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
4301 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
4302 }
4303
4304 /// Compute the shadow address for a given va_arg.
4305 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4306 unsigned ArgOffset, unsigned ArgSize) {
4307 // Make sure we don't overflow __msan_va_arg_tls.
4308 if (ArgOffset + ArgSize > kParamTLSSize)
4309 return nullptr;
4310 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4311 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4312 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4313 "_msarg_va_s");
4314 }
4315
4316 /// Compute the origin address for a given va_arg.
4317 Value *getOriginPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, int ArgOffset) {
4318 Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy);
4319 // getOriginPtrForVAArgument() is always called after
4320 // getShadowPtrForVAArgument(), so __msan_va_arg_origin_tls can never
4321 // overflow.
4322 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4323 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
4324 "_msarg_va_o");
4325 }
4326
4327 void unpoisonVAListTagForInst(IntrinsicInst &I) {
4328 IRBuilder<> IRB(&I);
4329 Value *VAListTag = I.getArgOperand(0);
4330 Value *ShadowPtr, *OriginPtr;
4331 const Align Alignment = Align(8);
4332 std::tie(ShadowPtr, OriginPtr) =
4333 MSV.getShadowOriginPtr(VAListTag, IRB, IRB.getInt8Ty(), Alignment,
4334 /*isStore*/ true);
4335
4336 // Unpoison the whole __va_list_tag.
4337 // FIXME: magic ABI constants.
4338 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4339 /* size */ 24, Alignment, false);
4340 // We shouldn't need to zero out the origins, as they're only checked for
4341 // nonzero shadow.
4342 }
4343
4344 void visitVAStartInst(VAStartInst &I) override {
4345 if (F.getCallingConv() == CallingConv::Win64)
4346 return;
4347 VAStartInstrumentationList.push_back(&I);
4348 unpoisonVAListTagForInst(I);
4349 }
4350
4351 void visitVACopyInst(VACopyInst &I) override {
4352 if (F.getCallingConv() == CallingConv::Win64) return;
4353 unpoisonVAListTagForInst(I);
4354 }
4355
4356 void finalizeInstrumentation() override {
4357 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
4358 "finalizeInstrumentation called twice");
4359 if (!VAStartInstrumentationList.empty()) {
4360 // If there is a va_start in this function, make a backup copy of
4361 // va_arg_tls somewhere in the function entry block.
4362 IRBuilder<> IRB(MSV.FnPrologueEnd);
4363 VAArgOverflowSize =
4364 IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
4365 Value *CopySize =
4366 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset),
4367 VAArgOverflowSize);
4368 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4369 IRB.CreateMemCpy(VAArgTLSCopy, Align(8), MS.VAArgTLS, Align(8), CopySize);
4370 if (MS.TrackOrigins) {
4371 VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4372 IRB.CreateMemCpy(VAArgTLSOriginCopy, Align(8), MS.VAArgOriginTLS,
4373 Align(8), CopySize);
4374 }
4375 }
4376
4377 // Instrument va_start.
4378 // Copy va_list shadow from the backup copy of the TLS contents.
4379 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4380 CallInst *OrigInst = VAStartInstrumentationList[i];
4381 IRBuilder<> IRB(OrigInst->getNextNode());
4382 Value *VAListTag = OrigInst->getArgOperand(0);
4383
4384 Type *RegSaveAreaPtrTy = Type::getInt64PtrTy(*MS.C);
4385 Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
4386 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4387 ConstantInt::get(MS.IntptrTy, 16)),
4388 PointerType::get(RegSaveAreaPtrTy, 0));
4389 Value *RegSaveAreaPtr =
4390 IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
4391 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
4392 const Align Alignment = Align(16);
4393 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
4394 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4395 Alignment, /*isStore*/ true);
4396 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
4397 AMD64FpEndOffset);
4398 if (MS.TrackOrigins)
4399 IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
4400 Alignment, AMD64FpEndOffset);
4401 Type *OverflowArgAreaPtrTy = Type::getInt64PtrTy(*MS.C);
4402 Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
4403 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4404 ConstantInt::get(MS.IntptrTy, 8)),
4405 PointerType::get(OverflowArgAreaPtrTy, 0));
4406 Value *OverflowArgAreaPtr =
4407 IRB.CreateLoad(OverflowArgAreaPtrTy, OverflowArgAreaPtrPtr);
4408 Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
4409 std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
4410 MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
4411 Alignment, /*isStore*/ true);
4412 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
4413 AMD64FpEndOffset);
4414 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
4415 VAArgOverflowSize);
4416 if (MS.TrackOrigins) {
4417 SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
4418 AMD64FpEndOffset);
4419 IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
4420 VAArgOverflowSize);
4421 }
4422 }
4423 }
4424 };
4425
4426 /// MIPS64-specific implementation of VarArgHelper.
4427 struct VarArgMIPS64Helper : public VarArgHelper {
4428 Function &F;
4429 MemorySanitizer &MS;
4430 MemorySanitizerVisitor &MSV;
4431 Value *VAArgTLSCopy = nullptr;
4432 Value *VAArgSize = nullptr;
4433
4434 SmallVector<CallInst*, 16> VAStartInstrumentationList;
4435
4436 VarArgMIPS64Helper(Function &F, MemorySanitizer &MS,
4437 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
4438
4439 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
4440 unsigned VAArgOffset = 0;
4441 const DataLayout &DL = F.getParent()->getDataLayout();
4442 for (auto ArgIt = CB.arg_begin() + CB.getFunctionType()->getNumParams(),
4443 End = CB.arg_end();
4444 ArgIt != End; ++ArgIt) {
4445 Triple TargetTriple(F.getParent()->getTargetTriple());
4446 Value *A = *ArgIt;
4447 Value *Base;
4448 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
4449 if (TargetTriple.getArch() == Triple::mips64) {
4450 // Adjusting the shadow for argument with size < 8 to match the placement
4451 // of bits in big endian system
4452 if (ArgSize < 8)
4453 VAArgOffset += (8 - ArgSize);
4454 }
4455 Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset, ArgSize);
4456 VAArgOffset += ArgSize;
4457 VAArgOffset = alignTo(VAArgOffset, 8);
4458 if (!Base)
4459 continue;
4460 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
4461 }
4462
4463 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset);
4464 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
4465 // a new class member i.e. it is the total size of all VarArgs.
4466 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
4467 }
4468
4469 /// Compute the shadow address for a given va_arg.
4470 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4471 unsigned ArgOffset, unsigned ArgSize) {
4472 // Make sure we don't overflow __msan_va_arg_tls.
4473 if (ArgOffset + ArgSize > kParamTLSSize)
4474 return nullptr;
4475 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4476 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4477 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4478 "_msarg");
4479 }
4480
4481 void visitVAStartInst(VAStartInst &I) override {
4482 IRBuilder<> IRB(&I);
4483 VAStartInstrumentationList.push_back(&I);
4484 Value *VAListTag = I.getArgOperand(0);
4485 Value *ShadowPtr, *OriginPtr;
4486 const Align Alignment = Align(8);
4487 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4488 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4489 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4490 /* size */ 8, Alignment, false);
4491 }
4492
4493 void visitVACopyInst(VACopyInst &I) override {
4494 IRBuilder<> IRB(&I);
4495 VAStartInstrumentationList.push_back(&I);
4496 Value *VAListTag = I.getArgOperand(0);
4497 Value *ShadowPtr, *OriginPtr;
4498 const Align Alignment = Align(8);
4499 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4500 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4501 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4502 /* size */ 8, Alignment, false);
4503 }
4504
4505 void finalizeInstrumentation() override {
4506 assert(!VAArgSize && !VAArgTLSCopy &&
4507 "finalizeInstrumentation called twice");
4508 IRBuilder<> IRB(MSV.FnPrologueEnd);
4509 VAArgSize = IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
4510 Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0),
4511 VAArgSize);
4512
4513 if (!VAStartInstrumentationList.empty()) {
4514 // If there is a va_start in this function, make a backup copy of
4515 // va_arg_tls somewhere in the function entry block.
4516 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4517 IRB.CreateMemCpy(VAArgTLSCopy, Align(8), MS.VAArgTLS, Align(8), CopySize);
4518 }
4519
4520 // Instrument va_start.
4521 // Copy va_list shadow from the backup copy of the TLS contents.
4522 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4523 CallInst *OrigInst = VAStartInstrumentationList[i];
4524 IRBuilder<> IRB(OrigInst->getNextNode());
4525 Value *VAListTag = OrigInst->getArgOperand(0);
4526 Type *RegSaveAreaPtrTy = Type::getInt64PtrTy(*MS.C);
4527 Value *RegSaveAreaPtrPtr =
4528 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4529 PointerType::get(RegSaveAreaPtrTy, 0));
4530 Value *RegSaveAreaPtr =
4531 IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
4532 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
4533 const Align Alignment = Align(8);
4534 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
4535 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4536 Alignment, /*isStore*/ true);
4537 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
4538 CopySize);
4539 }
4540 }
4541 };
4542
4543 /// AArch64-specific implementation of VarArgHelper.
4544 struct VarArgAArch64Helper : public VarArgHelper {
4545 static const unsigned kAArch64GrArgSize = 64;
4546 static const unsigned kAArch64VrArgSize = 128;
4547
4548 static const unsigned AArch64GrBegOffset = 0;
4549 static const unsigned AArch64GrEndOffset = kAArch64GrArgSize;
4550 // Make VR space aligned to 16 bytes.
4551 static const unsigned AArch64VrBegOffset = AArch64GrEndOffset;
4552 static const unsigned AArch64VrEndOffset = AArch64VrBegOffset
4553 + kAArch64VrArgSize;
4554 static const unsigned AArch64VAEndOffset = AArch64VrEndOffset;
4555
4556 Function &F;
4557 MemorySanitizer &MS;
4558 MemorySanitizerVisitor &MSV;
4559 Value *VAArgTLSCopy = nullptr;
4560 Value *VAArgOverflowSize = nullptr;
4561
4562 SmallVector<CallInst*, 16> VAStartInstrumentationList;
4563
4564 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
4565
4566 VarArgAArch64Helper(Function &F, MemorySanitizer &MS,
4567 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
4568
4569 ArgKind classifyArgument(Value* arg) {
4570 Type *T = arg->getType();
4571 if (T->isFPOrFPVectorTy())
4572 return AK_FloatingPoint;
4573 if ((T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
4574 || (T->isPointerTy()))
4575 return AK_GeneralPurpose;
4576 return AK_Memory;
4577 }
4578
4579 // The instrumentation stores the argument shadow in a non ABI-specific
4580 // format because it does not know which argument is named (since Clang,
4581 // like x86_64 case, lowers the va_args in the frontend and this pass only
4582 // sees the low level code that deals with va_list internals).
4583 // The first seven GR registers are saved in the first 56 bytes of the
4584 // va_arg tls arra, followers by the first 8 FP/SIMD registers, and then
4585 // the remaining arguments.
4586 // Using constant offset within the va_arg TLS array allows fast copy
4587 // in the finalize instrumentation.
4588 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
4589 unsigned GrOffset = AArch64GrBegOffset;
4590 unsigned VrOffset = AArch64VrBegOffset;
4591 unsigned OverflowOffset = AArch64VAEndOffset;
4592
4593 const DataLayout &DL = F.getParent()->getDataLayout();
4594 for (auto ArgIt = CB.arg_begin(), End = CB.arg_end(); ArgIt != End;
4595 ++ArgIt) {
4596 Value *A = *ArgIt;
4597 unsigned ArgNo = CB.getArgOperandNo(ArgIt);
4598 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
4599 ArgKind AK = classifyArgument(A);
4600 if (AK == AK_GeneralPurpose && GrOffset >= AArch64GrEndOffset)
4601 AK = AK_Memory;
4602 if (AK == AK_FloatingPoint && VrOffset >= AArch64VrEndOffset)
4603 AK = AK_Memory;
4604 Value *Base;
4605 switch (AK) {
4606 case AK_GeneralPurpose:
4607 Base = getShadowPtrForVAArgument(A->getType(), IRB, GrOffset, 8);
4608 GrOffset += 8;
4609 break;
4610 case AK_FloatingPoint:
4611 Base = getShadowPtrForVAArgument(A->getType(), IRB, VrOffset, 8);
4612 VrOffset += 16;
4613 break;
4614 case AK_Memory:
4615 // Don't count fixed arguments in the overflow area - va_start will
4616 // skip right over them.
4617 if (IsFixed)
4618 continue;
4619 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
4620 Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset,
4621 alignTo(ArgSize, 8));
4622 OverflowOffset += alignTo(ArgSize, 8);
4623 break;
4624 }
4625 // Count Gp/Vr fixed arguments to their respective offsets, but don't
4626 // bother to actually store a shadow.
4627 if (IsFixed)
4628 continue;
4629 if (!Base)
4630 continue;
4631 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
4632 }
4633 Constant *OverflowSize =
4634 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AArch64VAEndOffset);
4635 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
4636 }
4637
4638 /// Compute the shadow address for a given va_arg.
4639 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4640 unsigned ArgOffset, unsigned ArgSize) {
4641 // Make sure we don't overflow __msan_va_arg_tls.
4642 if (ArgOffset + ArgSize > kParamTLSSize)
4643 return nullptr;
4644 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4645 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4646 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4647 "_msarg");
4648 }
4649
4650 void visitVAStartInst(VAStartInst &I) override {
4651 IRBuilder<> IRB(&I);
4652 VAStartInstrumentationList.push_back(&I);
4653 Value *VAListTag = I.getArgOperand(0);
4654 Value *ShadowPtr, *OriginPtr;
4655 const Align Alignment = Align(8);
4656 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4657 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4658 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4659 /* size */ 32, Alignment, false);
4660 }
4661
4662 void visitVACopyInst(VACopyInst &I) override {
4663 IRBuilder<> IRB(&I);
4664 VAStartInstrumentationList.push_back(&I);
4665 Value *VAListTag = I.getArgOperand(0);
4666 Value *ShadowPtr, *OriginPtr;
4667 const Align Alignment = Align(8);
4668 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4669 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4670 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4671 /* size */ 32, Alignment, false);
4672 }
4673
4674 // Retrieve a va_list field of 'void*' size.
4675 Value* getVAField64(IRBuilder<> &IRB, Value *VAListTag, int offset) {
4676 Value *SaveAreaPtrPtr =
4677 IRB.CreateIntToPtr(
4678 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4679 ConstantInt::get(MS.IntptrTy, offset)),
4680 Type::getInt64PtrTy(*MS.C));
4681 return IRB.CreateLoad(Type::getInt64Ty(*MS.C), SaveAreaPtrPtr);
4682 }
4683
4684 // Retrieve a va_list field of 'int' size.
4685 Value* getVAField32(IRBuilder<> &IRB, Value *VAListTag, int offset) {
4686 Value *SaveAreaPtr =
4687 IRB.CreateIntToPtr(
4688 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4689 ConstantInt::get(MS.IntptrTy, offset)),
4690 Type::getInt32PtrTy(*MS.C));
4691 Value *SaveArea32 = IRB.CreateLoad(IRB.getInt32Ty(), SaveAreaPtr);
4692 return IRB.CreateSExt(SaveArea32, MS.IntptrTy);
4693 }
4694
4695 void finalizeInstrumentation() override {
4696 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
4697 "finalizeInstrumentation called twice");
4698 if (!VAStartInstrumentationList.empty()) {
4699 // If there is a va_start in this function, make a backup copy of
4700 // va_arg_tls somewhere in the function entry block.
4701 IRBuilder<> IRB(MSV.FnPrologueEnd);
4702 VAArgOverflowSize =
4703 IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
4704 Value *CopySize =
4705 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AArch64VAEndOffset),
4706 VAArgOverflowSize);
4707 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4708 IRB.CreateMemCpy(VAArgTLSCopy, Align(8), MS.VAArgTLS, Align(8), CopySize);
4709 }
4710
4711 Value *GrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64GrArgSize);
4712 Value *VrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64VrArgSize);
4713
4714 // Instrument va_start, copy va_list shadow from the backup copy of
4715 // the TLS contents.
4716 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4717 CallInst *OrigInst = VAStartInstrumentationList[i];
4718 IRBuilder<> IRB(OrigInst->getNextNode());
4719
4720 Value *VAListTag = OrigInst->getArgOperand(0);
4721
4722 // The variadic ABI for AArch64 creates two areas to save the incoming
4723 // argument registers (one for 64-bit general register xn-x7 and another
4724 // for 128-bit FP/SIMD vn-v7).
4725 // We need then to propagate the shadow arguments on both regions
4726 // 'va::__gr_top + va::__gr_offs' and 'va::__vr_top + va::__vr_offs'.
4727 // The remaining arguments are saved on shadow for 'va::stack'.
4728 // One caveat is it requires only to propagate the non-named arguments,
4729 // however on the call site instrumentation 'all' the arguments are
4730 // saved. So to copy the shadow values from the va_arg TLS array
4731 // we need to adjust the offset for both GR and VR fields based on
4732 // the __{gr,vr}_offs value (since they are stores based on incoming
4733 // named arguments).
4734
4735 // Read the stack pointer from the va_list.
4736 Value *StackSaveAreaPtr = getVAField64(IRB, VAListTag, 0);
4737
4738 // Read both the __gr_top and __gr_off and add them up.
4739 Value *GrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 8);
4740 Value *GrOffSaveArea = getVAField32(IRB, VAListTag, 24);
4741
4742 Value *GrRegSaveAreaPtr = IRB.CreateAdd(GrTopSaveAreaPtr, GrOffSaveArea);
4743
4744 // Read both the __vr_top and __vr_off and add them up.
4745 Value *VrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 16);
4746 Value *VrOffSaveArea = getVAField32(IRB, VAListTag, 28);
4747
4748 Value *VrRegSaveAreaPtr = IRB.CreateAdd(VrTopSaveAreaPtr, VrOffSaveArea);
4749
4750 // It does not know how many named arguments is being used and, on the
4751 // callsite all the arguments were saved. Since __gr_off is defined as
4752 // '0 - ((8 - named_gr) * 8)', the idea is to just propagate the variadic
4753 // argument by ignoring the bytes of shadow from named arguments.
4754 Value *GrRegSaveAreaShadowPtrOff =
4755 IRB.CreateAdd(GrArgSize, GrOffSaveArea);
4756
4757 Value *GrRegSaveAreaShadowPtr =
4758 MSV.getShadowOriginPtr(GrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4759 Align(8), /*isStore*/ true)
4760 .first;
4761
4762 Value *GrSrcPtr = IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4763 GrRegSaveAreaShadowPtrOff);
4764 Value *GrCopySize = IRB.CreateSub(GrArgSize, GrRegSaveAreaShadowPtrOff);
4765
4766 IRB.CreateMemCpy(GrRegSaveAreaShadowPtr, Align(8), GrSrcPtr, Align(8),
4767 GrCopySize);
4768
4769 // Again, but for FP/SIMD values.
4770 Value *VrRegSaveAreaShadowPtrOff =
4771 IRB.CreateAdd(VrArgSize, VrOffSaveArea);
4772
4773 Value *VrRegSaveAreaShadowPtr =
4774 MSV.getShadowOriginPtr(VrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4775 Align(8), /*isStore*/ true)
4776 .first;
4777
4778 Value *VrSrcPtr = IRB.CreateInBoundsGEP(
4779 IRB.getInt8Ty(),
4780 IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4781 IRB.getInt32(AArch64VrBegOffset)),
4782 VrRegSaveAreaShadowPtrOff);
4783 Value *VrCopySize = IRB.CreateSub(VrArgSize, VrRegSaveAreaShadowPtrOff);
4784
4785 IRB.CreateMemCpy(VrRegSaveAreaShadowPtr, Align(8), VrSrcPtr, Align(8),
4786 VrCopySize);
4787
4788 // And finally for remaining arguments.
4789 Value *StackSaveAreaShadowPtr =
4790 MSV.getShadowOriginPtr(StackSaveAreaPtr, IRB, IRB.getInt8Ty(),
4791 Align(16), /*isStore*/ true)
4792 .first;
4793
4794 Value *StackSrcPtr =
4795 IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4796 IRB.getInt32(AArch64VAEndOffset));
4797
4798 IRB.CreateMemCpy(StackSaveAreaShadowPtr, Align(16), StackSrcPtr,
4799 Align(16), VAArgOverflowSize);
4800 }
4801 }
4802 };
4803
4804 /// PowerPC64-specific implementation of VarArgHelper.
4805 struct VarArgPowerPC64Helper : public VarArgHelper {
4806 Function &F;
4807 MemorySanitizer &MS;
4808 MemorySanitizerVisitor &MSV;
4809 Value *VAArgTLSCopy = nullptr;
4810 Value *VAArgSize = nullptr;
4811
4812 SmallVector<CallInst*, 16> VAStartInstrumentationList;
4813
4814 VarArgPowerPC64Helper(Function &F, MemorySanitizer &MS,
4815 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
4816
4817 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
4818 // For PowerPC, we need to deal with alignment of stack arguments -
4819 // they are mostly aligned to 8 bytes, but vectors and i128 arrays
4820 // are aligned to 16 bytes, byvals can be aligned to 8 or 16 bytes,
4821 // For that reason, we compute current offset from stack pointer (which is
4822 // always properly aligned), and offset for the first vararg, then subtract
4823 // them.
4824 unsigned VAArgBase;
4825 Triple TargetTriple(F.getParent()->getTargetTriple());
4826 // Parameter save area starts at 48 bytes from frame pointer for ABIv1,
4827 // and 32 bytes for ABIv2. This is usually determined by target
4828 // endianness, but in theory could be overridden by function attribute.
4829 if (TargetTriple.getArch() == Triple::ppc64)
4830 VAArgBase = 48;
4831 else
4832 VAArgBase = 32;
4833 unsigned VAArgOffset = VAArgBase;
4834 const DataLayout &DL = F.getParent()->getDataLayout();
4835 for (auto ArgIt = CB.arg_begin(), End = CB.arg_end(); ArgIt != End;
4836 ++ArgIt) {
4837 Value *A = *ArgIt;
4838 unsigned ArgNo = CB.getArgOperandNo(ArgIt);
4839 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
4840 bool IsByVal = CB.paramHasAttr(ArgNo, Attribute::ByVal);
4841 if (IsByVal) {
4842 assert(A->getType()->isPointerTy());
4843 Type *RealTy = CB.getParamByValType(ArgNo);
4844 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
4845 MaybeAlign ArgAlign = CB.getParamAlign(ArgNo);
4846 if (!ArgAlign || *ArgAlign < Align(8))
4847 ArgAlign = Align(8);
4848 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
4849 if (!IsFixed) {
4850 Value *Base = getShadowPtrForVAArgument(
4851 RealTy, IRB, VAArgOffset - VAArgBase, ArgSize);
4852 if (Base) {
4853 Value *AShadowPtr, *AOriginPtr;
4854 std::tie(AShadowPtr, AOriginPtr) =
4855 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(),
4856 kShadowTLSAlignment, /*isStore*/ false);
4857
4858 IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr,
4859 kShadowTLSAlignment, ArgSize);
4860 }
4861 }
4862 VAArgOffset += alignTo(ArgSize, 8);
4863 } else {
4864 Value *Base;
4865 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
4866 uint64_t ArgAlign = 8;
4867 if (A->getType()->isArrayTy()) {
4868 // Arrays are aligned to element size, except for long double
4869 // arrays, which are aligned to 8 bytes.
4870 Type *ElementTy = A->getType()->getArrayElementType();
4871 if (!ElementTy->isPPC_FP128Ty())
4872 ArgAlign = DL.getTypeAllocSize(ElementTy);
4873 } else if (A->getType()->isVectorTy()) {
4874 // Vectors are naturally aligned.
4875 ArgAlign = DL.getTypeAllocSize(A->getType());
4876 }
4877 if (ArgAlign < 8)
4878 ArgAlign = 8;
4879 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
4880 if (DL.isBigEndian()) {
4881 // Adjusting the shadow for argument with size < 8 to match the placement
4882 // of bits in big endian system
4883 if (ArgSize < 8)
4884 VAArgOffset += (8 - ArgSize);
4885 }
4886 if (!IsFixed) {
4887 Base = getShadowPtrForVAArgument(A->getType(), IRB,
4888 VAArgOffset - VAArgBase, ArgSize);
4889 if (Base)
4890 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
4891 }
4892 VAArgOffset += ArgSize;
4893 VAArgOffset = alignTo(VAArgOffset, 8);
4894 }
4895 if (IsFixed)
4896 VAArgBase = VAArgOffset;
4897 }
4898
4899 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(),
4900 VAArgOffset - VAArgBase);
4901 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
4902 // a new class member i.e. it is the total size of all VarArgs.
4903 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
4904 }
4905
4906 /// Compute the shadow address for a given va_arg.
4907 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4908 unsigned ArgOffset, unsigned ArgSize) {
4909 // Make sure we don't overflow __msan_va_arg_tls.
4910 if (ArgOffset + ArgSize > kParamTLSSize)
4911 return nullptr;
4912 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4913 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4914 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4915 "_msarg");
4916 }
4917
4918 void visitVAStartInst(VAStartInst &I) override {
4919 IRBuilder<> IRB(&I);
4920 VAStartInstrumentationList.push_back(&I);
4921 Value *VAListTag = I.getArgOperand(0);
4922 Value *ShadowPtr, *OriginPtr;
4923 const Align Alignment = Align(8);
4924 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4925 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4926 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4927 /* size */ 8, Alignment, false);
4928 }
4929
4930 void visitVACopyInst(VACopyInst &I) override {
4931 IRBuilder<> IRB(&I);
4932 Value *VAListTag = I.getArgOperand(0);
4933 Value *ShadowPtr, *OriginPtr;
4934 const Align Alignment = Align(8);
4935 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4936 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4937 // Unpoison the whole __va_list_tag.
4938 // FIXME: magic ABI constants.
4939 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4940 /* size */ 8, Alignment, false);
4941 }
4942
4943 void finalizeInstrumentation() override {
4944 assert(!VAArgSize && !VAArgTLSCopy &&
4945 "finalizeInstrumentation called twice");
4946 IRBuilder<> IRB(MSV.FnPrologueEnd);
4947 VAArgSize = IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
4948 Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0),
4949 VAArgSize);
4950
4951 if (!VAStartInstrumentationList.empty()) {
4952 // If there is a va_start in this function, make a backup copy of
4953 // va_arg_tls somewhere in the function entry block.
4954 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4955 IRB.CreateMemCpy(VAArgTLSCopy, Align(8), MS.VAArgTLS, Align(8), CopySize);
4956 }
4957
4958 // Instrument va_start.
4959 // Copy va_list shadow from the backup copy of the TLS contents.
4960 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4961 CallInst *OrigInst = VAStartInstrumentationList[i];
4962 IRBuilder<> IRB(OrigInst->getNextNode());
4963 Value *VAListTag = OrigInst->getArgOperand(0);
4964 Type *RegSaveAreaPtrTy = Type::getInt64PtrTy(*MS.C);
4965 Value *RegSaveAreaPtrPtr =
4966 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4967 PointerType::get(RegSaveAreaPtrTy, 0));
4968 Value *RegSaveAreaPtr =
4969 IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
4970 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
4971 const Align Alignment = Align(8);
4972 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
4973 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4974 Alignment, /*isStore*/ true);
4975 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
4976 CopySize);
4977 }
4978 }
4979 };
4980
4981 /// SystemZ-specific implementation of VarArgHelper.
4982 struct VarArgSystemZHelper : public VarArgHelper {
4983 static const unsigned SystemZGpOffset = 16;
4984 static const unsigned SystemZGpEndOffset = 56;
4985 static const unsigned SystemZFpOffset = 128;
4986 static const unsigned SystemZFpEndOffset = 160;
4987 static const unsigned SystemZMaxVrArgs = 8;
4988 static const unsigned SystemZRegSaveAreaSize = 160;
4989 static const unsigned SystemZOverflowOffset = 160;
4990 static const unsigned SystemZVAListTagSize = 32;
4991 static const unsigned SystemZOverflowArgAreaPtrOffset = 16;
4992 static const unsigned SystemZRegSaveAreaPtrOffset = 24;
4993
4994 Function &F;
4995 MemorySanitizer &MS;
4996 MemorySanitizerVisitor &MSV;
4997 Value *VAArgTLSCopy = nullptr;
4998 Value *VAArgTLSOriginCopy = nullptr;
4999 Value *VAArgOverflowSize = nullptr;
5000
5001 SmallVector<CallInst *, 16> VAStartInstrumentationList;
5002
5003 enum class ArgKind {
5004 GeneralPurpose,
5005 FloatingPoint,
5006 Vector,
5007 Memory,
5008 Indirect,
5009 };
5010
5011 enum class ShadowExtension { None, Zero, Sign };
5012
5013 VarArgSystemZHelper(Function &F, MemorySanitizer &MS,
5014 MemorySanitizerVisitor &MSV)
5015 : F(F), MS(MS), MSV(MSV) {}
5016
5017 ArgKind classifyArgument(Type *T, bool IsSoftFloatABI) {
5018 // T is a SystemZABIInfo::classifyArgumentType() output, and there are
5019 // only a few possibilities of what it can be. In particular, enums, single
5020 // element structs and large types have already been taken care of.
5021
5022 // Some i128 and fp128 arguments are converted to pointers only in the
5023 // back end.
5024 if (T->isIntegerTy(128) || T->isFP128Ty())
5025 return ArgKind::Indirect;
5026 if (T->isFloatingPointTy())
5027 return IsSoftFloatABI ? ArgKind::GeneralPurpose : ArgKind::FloatingPoint;
5028 if (T->isIntegerTy() || T->isPointerTy())
5029 return ArgKind::GeneralPurpose;
5030 if (T->isVectorTy())
5031 return ArgKind::Vector;
5032 return ArgKind::Memory;
5033 }
5034
5035 ShadowExtension getShadowExtension(const CallBase &CB, unsigned ArgNo) {
5036 // ABI says: "One of the simple integer types no more than 64 bits wide.
5037 // ... If such an argument is shorter than 64 bits, replace it by a full
5038 // 64-bit integer representing the same number, using sign or zero
5039 // extension". Shadow for an integer argument has the same type as the
5040 // argument itself, so it can be sign or zero extended as well.
5041 bool ZExt = CB.paramHasAttr(ArgNo, Attribute::ZExt);
5042 bool SExt = CB.paramHasAttr(ArgNo, Attribute::SExt);
5043 if (ZExt) {
5044 assert(!SExt);
5045 return ShadowExtension::Zero;
5046 }
5047 if (SExt) {
5048 assert(!ZExt);
5049 return ShadowExtension::Sign;
5050 }
5051 return ShadowExtension::None;
5052 }
5053
5054 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5055 bool IsSoftFloatABI = CB.getCalledFunction()
5056 ->getFnAttribute("use-soft-float")
5057 .getValueAsBool();
5058 unsigned GpOffset = SystemZGpOffset;
5059 unsigned FpOffset = SystemZFpOffset;
5060 unsigned VrIndex = 0;
5061 unsigned OverflowOffset = SystemZOverflowOffset;
5062 const DataLayout &DL = F.getParent()->getDataLayout();
5063 for (auto ArgIt = CB.arg_begin(), End = CB.arg_end(); ArgIt != End;
5064 ++ArgIt) {
5065 Value *A = *ArgIt;
5066 unsigned ArgNo = CB.getArgOperandNo(ArgIt);
5067 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5068 // SystemZABIInfo does not produce ByVal parameters.
5069 assert(!CB.paramHasAttr(ArgNo, Attribute::ByVal));
5070 Type *T = A->getType();
5071 ArgKind AK = classifyArgument(T, IsSoftFloatABI);
5072 if (AK == ArgKind::Indirect) {
5073 T = PointerType::get(T, 0);
5074 AK = ArgKind::GeneralPurpose;
5075 }
5076 if (AK == ArgKind::GeneralPurpose && GpOffset >= SystemZGpEndOffset)
5077 AK = ArgKind::Memory;
5078 if (AK == ArgKind::FloatingPoint && FpOffset >= SystemZFpEndOffset)
5079 AK = ArgKind::Memory;
5080 if (AK == ArgKind::Vector && (VrIndex >= SystemZMaxVrArgs || !IsFixed))
5081 AK = ArgKind::Memory;
5082 Value *ShadowBase = nullptr;
5083 Value *OriginBase = nullptr;
5084 ShadowExtension SE = ShadowExtension::None;
5085 switch (AK) {
5086 case ArgKind::GeneralPurpose: {
5087 // Always keep track of GpOffset, but store shadow only for varargs.
5088 uint64_t ArgSize = 8;
5089 if (GpOffset + ArgSize <= kParamTLSSize) {
5090 if (!IsFixed) {
5091 SE = getShadowExtension(CB, ArgNo);
5092 uint64_t GapSize = 0;
5093 if (SE == ShadowExtension::None) {
5094 uint64_t ArgAllocSize = DL.getTypeAllocSize(T);
5095 assert(ArgAllocSize <= ArgSize);
5096 GapSize = ArgSize - ArgAllocSize;
5097 }
5098 ShadowBase = getShadowAddrForVAArgument(IRB, GpOffset + GapSize);
5099 if (MS.TrackOrigins)
5100 OriginBase = getOriginPtrForVAArgument(IRB, GpOffset + GapSize);
5101 }
5102 GpOffset += ArgSize;
5103 } else {
5104 GpOffset = kParamTLSSize;
5105 }
5106 break;
5107 }
5108 case ArgKind::FloatingPoint: {
5109 // Always keep track of FpOffset, but store shadow only for varargs.
5110 uint64_t ArgSize = 8;
5111 if (FpOffset + ArgSize <= kParamTLSSize) {
5112 if (!IsFixed) {
5113 // PoP says: "A short floating-point datum requires only the
5114 // left-most 32 bit positions of a floating-point register".
5115 // Therefore, in contrast to AK_GeneralPurpose and AK_Memory,
5116 // don't extend shadow and don't mind the gap.
5117 ShadowBase = getShadowAddrForVAArgument(IRB, FpOffset);
5118 if (MS.TrackOrigins)
5119 OriginBase = getOriginPtrForVAArgument(IRB, FpOffset);
5120 }
5121 FpOffset += ArgSize;
5122 } else {
5123 FpOffset = kParamTLSSize;
5124 }
5125 break;
5126 }
5127 case ArgKind::Vector: {
5128 // Keep track of VrIndex. No need to store shadow, since vector varargs
5129 // go through AK_Memory.
5130 assert(IsFixed);
5131 VrIndex++;
5132 break;
5133 }
5134 case ArgKind::Memory: {
5135 // Keep track of OverflowOffset and store shadow only for varargs.
5136 // Ignore fixed args, since we need to copy only the vararg portion of
5137 // the overflow area shadow.
5138 if (!IsFixed) {
5139 uint64_t ArgAllocSize = DL.getTypeAllocSize(T);
5140 uint64_t ArgSize = alignTo(ArgAllocSize, 8);
5141 if (OverflowOffset + ArgSize <= kParamTLSSize) {
5142 SE = getShadowExtension(CB, ArgNo);
5143 uint64_t GapSize =
5144 SE == ShadowExtension::None ? ArgSize - ArgAllocSize : 0;
5145 ShadowBase =
5146 getShadowAddrForVAArgument(IRB, OverflowOffset + GapSize);
5147 if (MS.TrackOrigins)
5148 OriginBase =
5149 getOriginPtrForVAArgument(IRB, OverflowOffset + GapSize);
5150 OverflowOffset += ArgSize;
5151 } else {
5152 OverflowOffset = kParamTLSSize;
5153 }
5154 }
5155 break;
5156 }
5157 case ArgKind::Indirect:
5158 llvm_unreachable("Indirect must be converted to GeneralPurpose");
5159 }
5160 if (ShadowBase == nullptr)
5161 continue;
5162 Value *Shadow = MSV.getShadow(A);
5163 if (SE != ShadowExtension::None)
5164 Shadow = MSV.CreateShadowCast(IRB, Shadow, IRB.getInt64Ty(),
5165 /*Signed*/ SE == ShadowExtension::Sign);
5166 ShadowBase = IRB.CreateIntToPtr(
5167 ShadowBase, PointerType::get(Shadow->getType(), 0), "_msarg_va_s");
5168 IRB.CreateStore(Shadow, ShadowBase);
5169 if (MS.TrackOrigins) {
5170 Value *Origin = MSV.getOrigin(A);
5171 unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
5172 MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
5173 kMinOriginAlignment);
5174 }
5175 }
5176 Constant *OverflowSize = ConstantInt::get(
5177 IRB.getInt64Ty(), OverflowOffset - SystemZOverflowOffset);
5178 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
5179 }
5180
5181 Value *getShadowAddrForVAArgument(IRBuilder<> &IRB, unsigned ArgOffset) {
5182 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
5183 return IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
5184 }
5185
5186 Value *getOriginPtrForVAArgument(IRBuilder<> &IRB, int ArgOffset) {
5187 Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy);
5188 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
5189 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
5190 "_msarg_va_o");
5191 }
5192
5193 void unpoisonVAListTagForInst(IntrinsicInst &I) {
5194 IRBuilder<> IRB(&I);
5195 Value *VAListTag = I.getArgOperand(0);
5196 Value *ShadowPtr, *OriginPtr;
5197 const Align Alignment = Align(8);
5198 std::tie(ShadowPtr, OriginPtr) =
5199 MSV.getShadowOriginPtr(VAListTag, IRB, IRB.getInt8Ty(), Alignment,
5200 /*isStore*/ true);
5201 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
5202 SystemZVAListTagSize, Alignment, false);
5203 }
5204
5205 void visitVAStartInst(VAStartInst &I) override {
5206 VAStartInstrumentationList.push_back(&I);
5207 unpoisonVAListTagForInst(I);
5208 }
5209
5210 void visitVACopyInst(VACopyInst &I) override { unpoisonVAListTagForInst(I); }
5211
5212 void copyRegSaveArea(IRBuilder<> &IRB, Value *VAListTag) {
5213 Type *RegSaveAreaPtrTy = Type::getInt64PtrTy(*MS.C);
5214 Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
5215 IRB.CreateAdd(
5216 IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5217 ConstantInt::get(MS.IntptrTy, SystemZRegSaveAreaPtrOffset)),
5218 PointerType::get(RegSaveAreaPtrTy, 0));
5219 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
5220 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
5221 const Align Alignment = Align(8);
5222 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
5223 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(), Alignment,
5224 /*isStore*/ true);
5225 // TODO(iii): copy only fragments filled by visitCallBase()
5226 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
5227 SystemZRegSaveAreaSize);
5228 if (MS.TrackOrigins)
5229 IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
5230 Alignment, SystemZRegSaveAreaSize);
5231 }
5232
5233 void copyOverflowArea(IRBuilder<> &IRB, Value *VAListTag) {
5234 Type *OverflowArgAreaPtrTy = Type::getInt64PtrTy(*MS.C);
5235 Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
5236 IRB.CreateAdd(
5237 IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5238 ConstantInt::get(MS.IntptrTy, SystemZOverflowArgAreaPtrOffset)),
5239 PointerType::get(OverflowArgAreaPtrTy, 0));
5240 Value *OverflowArgAreaPtr =
5241 IRB.CreateLoad(OverflowArgAreaPtrTy, OverflowArgAreaPtrPtr);
5242 Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
5243 const Align Alignment = Align(8);
5244 std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
5245 MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
5246 Alignment, /*isStore*/ true);
5247 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
5248 SystemZOverflowOffset);
5249 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
5250 VAArgOverflowSize);
5251 if (MS.TrackOrigins) {
5252 SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
5253 SystemZOverflowOffset);
5254 IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
5255 VAArgOverflowSize);
5256 }
5257 }
5258
5259 void finalizeInstrumentation() override {
5260 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
5261 "finalizeInstrumentation called twice");
5262 if (!VAStartInstrumentationList.empty()) {
5263 // If there is a va_start in this function, make a backup copy of
5264 // va_arg_tls somewhere in the function entry block.
5265 IRBuilder<> IRB(MSV.FnPrologueEnd);
5266 VAArgOverflowSize =
5267 IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5268 Value *CopySize =
5269 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, SystemZOverflowOffset),
5270 VAArgOverflowSize);
5271 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5272 IRB.CreateMemCpy(VAArgTLSCopy, Align(8), MS.VAArgTLS, Align(8), CopySize);
5273 if (MS.TrackOrigins) {
5274 VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5275 IRB.CreateMemCpy(VAArgTLSOriginCopy, Align(8), MS.VAArgOriginTLS,
5276 Align(8), CopySize);
5277 }
5278 }
5279
5280 // Instrument va_start.
5281 // Copy va_list shadow from the backup copy of the TLS contents.
5282 for (size_t VaStartNo = 0, VaStartNum = VAStartInstrumentationList.size();
5283 VaStartNo < VaStartNum; VaStartNo++) {
5284 CallInst *OrigInst = VAStartInstrumentationList[VaStartNo];
5285 IRBuilder<> IRB(OrigInst->getNextNode());
5286 Value *VAListTag = OrigInst->getArgOperand(0);
5287 copyRegSaveArea(IRB, VAListTag);
5288 copyOverflowArea(IRB, VAListTag);
5289 }
5290 }
5291 };
5292
5293 /// A no-op implementation of VarArgHelper.
5294 struct VarArgNoOpHelper : public VarArgHelper {
5295 VarArgNoOpHelper(Function &F, MemorySanitizer &MS,
5296 MemorySanitizerVisitor &MSV) {}
5297
5298 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {}
5299
5300 void visitVAStartInst(VAStartInst &I) override {}
5301
5302 void visitVACopyInst(VACopyInst &I) override {}
5303
5304 void finalizeInstrumentation() override {}
5305 };
5306
5307 } // end anonymous namespace
5308
5309 static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
5310 MemorySanitizerVisitor &Visitor) {
5311 // VarArg handling is only implemented on AMD64. False positives are possible
5312 // on other platforms.
5313 Triple TargetTriple(Func.getParent()->getTargetTriple());
5314 if (TargetTriple.getArch() == Triple::x86_64)
5315 return new VarArgAMD64Helper(Func, Msan, Visitor);
5316 else if (TargetTriple.isMIPS64())
5317 return new VarArgMIPS64Helper(Func, Msan, Visitor);
5318 else if (TargetTriple.getArch() == Triple::aarch64)
5319 return new VarArgAArch64Helper(Func, Msan, Visitor);
5320 else if (TargetTriple.getArch() == Triple::ppc64 ||
5321 TargetTriple.getArch() == Triple::ppc64le)
5322 return new VarArgPowerPC64Helper(Func, Msan, Visitor);
5323 else if (TargetTriple.getArch() == Triple::systemz)
5324 return new VarArgSystemZHelper(Func, Msan, Visitor);
5325 else
5326 return new VarArgNoOpHelper(Func, Msan, Visitor);
5327 }
5328
5329 bool MemorySanitizer::sanitizeFunction(Function &F, TargetLibraryInfo &TLI) {
5330 if (!CompileKernel && F.getName() == kMsanModuleCtorName)
5331 return false;
5332
5333 if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation))
5334 return false;
5335
5336 MemorySanitizerVisitor Visitor(F, *this, TLI);
5337
5338 // Clear out readonly/readnone attributes.
5339 AttrBuilder B;
5340 B.addAttribute(Attribute::ReadOnly)
5341 .addAttribute(Attribute::ReadNone)
5342 .addAttribute(Attribute::WriteOnly)
5343 .addAttribute(Attribute::ArgMemOnly)
5344 .addAttribute(Attribute::Speculatable);
5345 F.removeFnAttrs(B);
5346
5347 return Visitor.runOnFunction();
5348 }
LLVM monorepo