| blob | 3ba85bc125a0190c79d150714430e24c79e40f44 |
1 //===- StackProtector.cpp - Stack Protector Insertion ---------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This pass inserts stack protectors into functions which need them. A variable
10 // with a random value in it is stored onto the stack before the local variables
11 // are allocated. Upon exiting the block, the stored value is checked. If it's
12 // changed, then there was some sort of violation and the program aborts.
13 //
14 //===----------------------------------------------------------------------===//
51 #include <optional>
52 #include <utility>
71 }
85 }
103 // TODO(etienneb): Functions with funclets are not correctly supported now.
104 // Do nothing if this is funclet-based personality.
109 }
113 #ifdef EXPENSIVE_CHECKS
117 #endif
120 }
122 /// \param [out] IsLarge is set to true if a protectable array is found and
123 /// it is "large" ( >= ssp-buffer-size). In the case of a structure with
124 /// multiple arrays, this gets set if any of them is large.
132 // If we're on a non-Darwin platform or we're inside of a structure, don't
133 // add stack protectors unless the array is a character array.
134 // However, in strong mode any array, regardless of type and size,
135 // triggers a protector.
138 }
140 // If an array has more than SSPBufferSize bytes of allocated space, then we
141 // emit stack protectors.
145 }
148 // Require a protector for all arrays in strong mode
150 }
159 // If the element is a protectable array and is large (>= SSPBufferSize)
160 // then we are done. If the protectable array is not large, then
161 // keep looking in case a subsequent element is a large array.
165 }
168 }
170 /// Check whether a stack allocation has its address taken.
177 // If this instruction accesses memory make sure it doesn't access beyond
178 // the bounds of the allocated object.
189 // cmpxchg conceptually includes both a load and store from the same
190 // location. So, like store, the value being stored is what matters.
199 // Ignore intrinsics that do not become real instructions.
200 // TODO: Narrow this to intrinsics that have store-like effects.
205 }
209 // If the GEP offset is out-of-bounds, or is non-constant and so has to be
210 // assumed to be potentially out-of-bounds, then any memory access that
211 // would use it could also be out-of-bounds meaning stack protection is
212 // required.
221 // Adjust AllocSize to be the space remaining after this offset.
222 // We can't subtract a fixed size from a scalable one, so in that case
223 // assume the scalable value is of minimum size.
224 TypeSize NewAllocSize =
229 }
237 // Keep track of what PHI nodes we have already visited to ensure
238 // they are only visited once.
244 }
248 // These instructions take an address operand, but have load-like or
249 // other innocuous behavior that should not trigger a stack protector.
250 // atomicrmw conceptually has both load and store semantics, but the
251 // value being stored must be integer; so if a pointer is being stored,
252 // we'll catch it in the PtrToInt case above.
255 // Conservatively return true for any instruction that takes an address
256 // operand, but is not handled above.
258 }
259 }
261 }
263 /// Search for the first call to the llvm.stackprotector intrinsic and return it
264 /// if present.
272 }
274 /// Check whether or not this function needs a stack protector based
275 /// upon the stack protector level.
276 ///
277 /// We use two heuristics: a standard (ssp) and strong (sspstrong).
278 /// The standard heuristic which will add a guard variable to functions that
279 /// call alloca with a either a variable size or a size >= SSPBufferSize,
280 /// functions with character buffers larger than SSPBufferSize, and functions
281 /// with aggregates containing character buffers larger than SSPBufferSize. The
282 /// strong heuristic will add a guard variables to functions that call alloca
283 /// regardless of size, functions with any buffer regardless of type and size,
284 /// functions with aggregates that contain any buffer regardless of type and
285 /// size, and functions that contain stack-based variables that have had their
286 /// address taken.
292 // The set of PHI nodes visited when determining if a variable's reference has
293 // been taken. This set is maintained to ensure we don't visit the same PHI
294 // node multiple times.
303 // We are constructing the OptimizationRemarkEmitter on the fly rather than
304 // using the analysis pass to avoid building DominatorTree and LoopInfo which
305 // are not available this late in the IR pipeline.
316 });
335 };
338 // A call to alloca with size >= SSPBufferSize requires
339 // stack protectors.
347 // Require protectors for all alloca calls in strong mode.
354 }
356 // A call to alloca with a variable size requires protectors.
363 }
365 }
381 });
384 }
400 });
402 }
403 // Clear any PHIs that we visited, to make sure we examine all uses of
404 // any subsequent allocas that we look at.
406 }
407 }
408 }
411 }
413 /// Create a stack guard loading and populate whether SelectionDAG SSP is
414 /// supported.
423 // Use SelectionDAG SSP handling, since there isn't an IR guard.
424 //
425 // This is more or less weird, since we optionally output whether we
426 // should perform a SelectionDAG SP here. The reason is that it's strictly
427 // defined as !TLI->getIRStackGuard(B), where getIRStackGuard is also
428 // mutating. There is no way to get this bit without mutating the IR, so
429 // getting this bit has to happen in this right time.
430 //
431 // We could have define a new function TLI::supportsSelectionDAGSP(), but that
432 // will put more burden on the backends' overriding work, especially when it
433 // actually conveys the same information getIRStackGuard() already gives.
438 }
440 /// Insert code into the entry block that stores the stack guard
441 /// variable onto the stack:
442 ///
443 /// entry:
444 /// StackGuardSlot = alloca i8*
445 /// StackGuard = <stack guard>
446 /// call void @llvm.stackprotector(StackGuard, StackGuardSlot)
447 ///
448 /// Returns true if the platform/triple supports the stackprotectorcreate pseudo
449 /// node.
461 }
463 /// InsertStackProtectors - Insert code into the prologue and epilogue of the
464 /// function.
465 ///
466 /// - The prologue code loads and stores the stack guard onto the stack.
467 /// - The epilogue checks the value stored in the prologue against the original
468 /// value. It calls __stack_chk_fail if they differ.
470 // If the target wants to XOR the frame pointer into the guard value, it's
471 // impossible to emit the check in IR, so the target *must* support stack
472 // protection in SDAG.
480 // This is stack protector auto generated check BB, skip it.
487 // Do stack check before noreturn calls that aren't nounwind (e.g:
488 // __cxa_throw).
492 }
497 // Generate prologue instrumentation if not already generated.
501 }
503 // SelectionDAG based code generation. Nothing else needs to be done here.
504 // The epilogue instrumentation is postponed to SelectionDAG.
508 // Find the stack guard slot if the prologue was not created by this pass
509 // itself via a previous call to CreatePrologue().
514 }
516 // Set HasIRCheck to true, so that SelectionDAG will not generate its own
517 // version. SelectionDAG called 'shouldEmitSDCheck' to check whether
518 // instrumentation has already been generated.
521 // If we're instrumenting a block with a tail call, the check has to be
522 // inserted before the call rather than between it and the return. The
523 // verifier guarantees that a tail call is either directly before the
524 // return or with a single correct bitcast of the return value in between so
525 // we don't need to worry about many situations here.
533 }
535 // Generate epilogue instrumentation. The epilogue intrumentation can be
536 // function-based or inlined depending on which mechanism the target is
537 // providing.
539 // Generate the function-based epilogue instrumentation.
540 // The target provides a guard check function, generate a call to it.
547 // Generate the epilogue with inline instrumentation.
548 // If we do not support SelectionDAG based calls, generate IR level
549 // calls.
550 //
551 // For each block with a return instruction, convert this:
552 //
553 // return:
554 // ...
555 // ret ...
556 //
557 // into this:
558 //
559 // return:
560 // ...
561 // %1 = <stack guard>
562 // %2 = load StackGuardSlot
563 // %3 = icmp ne i1 %1, %2
564 // br i1 %3, label %CallStackCheckFailBlk, label %SP_return
565 //
566 // SP_return:
567 // ret ...
568 //
569 // CallStackCheckFailBlk:
570 // call void @__stack_chk_fail()
571 // unreachable
573 // Create the FailBB. We duplicate the BB every time since the MI tail
574 // merge pass will merge together all of the various BB into one including
575 // fail BB generated by the stack protector pseudo instruction.
603 }
604 }
606 // Return if we didn't modify any basic blocks. i.e., there are no return
607 // statements in the function.
609 }
611 /// CreateFailBB - Create a basic block to jump to when the stack protector
612 /// check fails.
620 FunctionCallee StackChkFail;
628 StackChkFail =
630 }
635 }
639 }
658 }
659 }