This is an archive of the discontinued LLVM Phabricator instance.

asan: do not instrument direct inbounds accesses to stack variables
AbandonedPublic

Authored by dvyukov on Feb 12 2015, 4:50 AM.

Download Raw Diff

Details

Reviewers

kcc
nlopes

Summary

This is most likely wrong.

But it eliminates 33% of instrumentation on webrtc/modules_unittests (number of memory accesses goes down from 290152 to 193998) and reduces binary size by 15% (from 74M to 64M) _and_ all existing asan tests pass.
This means that either our tests are bad or we are missing a good optimization opportunity.

Currently we instrument even the following code, which looks wrong:

define void @foo() uwtable sanitize_address {
entry:

%a = alloca i32, align 4
store i32 42, i32* %a, align 4
ret void

}

I've found one case which fails with this change. We do not instrument the store in this case:

define void @bar() sanitize_address {
entry:

%a = alloca [10 x i32], align 4
%e = getelementptr inbounds [10 x i32]* %a, i32 0, i64 12
store i32 42, i32* %e, align 4
ret void

; CHECK-LABEL: define void @bar
; CHECK: __asan_report
; CHECK: ret void
}

However, compiler should be able to recognize such cases (and it does because it issues a warning).

I am a bit lost.
There is Value::isGEPWithNoNotionalOverIndexing which looks like what we need (should eliminate array accesses with constant inbounds indices and struct field accesses). However, it does not give the desired effect.
Value::stripInBoundsConstantOffsets also looks like what we need and it gives the desired effect. However, there is a note that "Value::isGEPWithNoNotionalOverIndexing is not equivalant to, a subset of, or a superset of the "inbounds" property". Which suggests that stripInBoundsConstantOffsets is not what we want.

Also, is it possible to refer to an AllocaInst outside of its lifetime? It is not possible in C/C++ due to scoping rules, you simply can't mention a name that is out of scope. However, I am not sure about llvm and its transformations.

I am looking for advice here.

Diff Detail

Event Timeline

dvyukov updated this revision to Diff 19817.Feb 12 2015, 4:50 AM

dvyukov retitled this revision from to asan: do not instrument direct inbounds accesses to stack variables.

dvyukov updated this object.

dvyukov edited the test plan for this revision. (Show Details)

dvyukov added reviewers: kcc, chandlerc.

dvyukov added a subscriber: Unknown Object (MLST).

To make it clear, I want to eliminate instrumentation of locals within its lifetime (so it is not a use-after-scope) and that is known to be inbounds (that is, direct accesses, field accesses and array element accesses with constant indices; so it is not a out-of-bounds).

kcc added inline comments.Feb 17 2015, 5:34 PM

lib/Transforms/Instrumentation/AddressSanitizer.cpp
935	mega cool. Let's put it under a flag e.g. asan-opt-stack-inbounds (off by default) and play with it more.
939	remove this then?

dvyukov added inline comments.Feb 17 2015, 10:48 PM

lib/Transforms/Instrumentation/AddressSanitizer.cpp
935	Is it possible to make it work correctly? I am lost in all possible llvm predicates and their meaning. I don't understand how "int x[10]; x[12] = 1" can be an "in bounds constant offset".

kcc mentioned this in D7741: Skip promotable allocas to improve performance at -O0.Feb 23 2015, 3:37 PM

stripInBoundsConstantOffsets is not want you want, see the definition of "inbounds" ( http://llvm.org/docs/LangRef.html#getelementptr-instruction)
"If the inbounds keyword is present, the result value of the getelementptr is a poison value if the base pointer is not an in bounds address of an allocated object, or if any of the addresses that would be formed by successive addition of the offsets implied by the indices to the base address with infinitely precise signed arithmetic are not an in bounds address of that allocated object. The in bounds addresses for an allocated object are all the addresses that point into the object, plus the address one byte past the end. In cases where the base is a vector of pointers the inbounds keyword applies to each of the computations element-wise."

I recall Nuno Lopes working on reducing the number of bounce checks, but all I can find is this:
./lib/Transforms/Instrumentation/BoundsChecking.cpp

kubamracek added a subscriber: kubamracek.Feb 24 2015, 3:40 AM

Rewrote to use SizeOffsetEvalType.compute to find inbounds accesses.

Thank you, Anna!

Changed the code to use SizeOffsetEvalType.compute to find inbounds accesses.
This patch still eliminates ~33% of accesses and binaries are 15% smaller. All existing and new tests pass.

Anna, does it fix the issue that you are trying to solve in the other patch?

Kostya, PTAL.

How are you getting the speedup/size improvement measurements? Are these at -O1 or -O0?

When comparing to my patch, the intend of this patch is to be more aggressive in removing bounds checking. My patch does not introduce any improvement at optimization levels higher than -O0 and is trying to simulate mem2reg. On the other hand, the analysis here are more aggressive in the checks it removes. For example, my patch would not remove provably in bounds array accesses with constant offset and it does not do anything for non-alloca values.

On the other hand, with my patch, the allocas that are known not to have instrumented accesses do not get poisoned. Currently, this patch is only targeting removal of bounds checking. Also, I am not sure what is the compile time overhead this brings and how reliable it is since I don't think ObjectSizeOffsetEvaluator is used much.

I preference is to have this on top of non-promotable allocas.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
18	These seem out of place - should be moved after ADT.
206	This makes me nervous. I don't think ObjectSizeOffsetEvaluator is used much. This should probably go through more testing, though I am not sure how to catch issues here since we are removing checking.
439	const?
1556	/RoundToAlign=/true
2116	Why not use getTypeStoreSize()? uint64_t getTypeStoreSizeInBits(Type Ty) const { return 8 getTypeStoreSize(Ty); } Also, is overflow possible in these calculations?

Also, I believe removal of all unnecessary checks is a bigger task. If we want to ensure that all possible out of bounds accesses are instrumented, we'd have to do something similar to what Chandler suggested in the other thread. That would eliminate the false negatives that are now possible at -O1 and higher. We'd need to have an instrumentation pass that runs early on and instruments accesses before the optimizer kicks in. Later, we would work with LLVM analysis to remove those checks.

Here is the answer from Nuno on bounds check removal. Enjoy:)

"The file you mention is the instrumentation pass. It is pretty dumb: it basically instruments any memory write (it just performs one optimization to reduce the cost of the check if certain conditions hold; but it always introduces the check). So this one is not interesting for AddressSanitizer (the likelihood it can detect anything that ASan cannot detect is very small; the idea was to have something with a very small overhead to deploy on release builds). It can detect overflows that Valgrind cannot btw.

The part about removing checks is done by several passes which are run by default (with -O2). Instcombine can remove some checks, then Transforms/Scalar/CorrelatedValuePropagation.cpp performs range analysis to delete checks that are always safe. This analysis existed previously, but it had a bunch of problems and shortcomings.
The range analysis is in Analysis/LazyValueInfo.cpp. It's still fundamentally weak, because of the way it traverses basic-blocks to constrain the range due to branching conditions. We have discussed this quite a bit, but the major improvements were never implemented (ask me if you want more details).

There's also Analysis/MemoryBuiltins.cpp. This analysis provides (static or dynamic) information about the allocated size of an object (and knows about malloc, stack, etc).

A very important aspect of reducing the overhead of bounds checks is to hoist them out of loops. By default, LLVM cannot and won't do this. The reason is that it's not legal to move a function that has side-effects (namely terminate the application) because LLVM has precise exception semantics. However, for bounds checks we don't really care; if we know that the program will crash inside the loop, why not crash it sooner? (well, there's a price to pay, of course. the state of the program will be different when looking through a debugger, but I think that's ok).
Again, right now LLVM cannot do this transformation. At the time, I proposed that we introduced an "antecipable" trap to the IR. Something that the compiler could move freely up to the beginning of the function (or of the program), as long as we know it would only execute if it executed in the original program.
An example makes it clear I guess:

for (i=0; i < n; ++i) {

if (a[i] out of bounds)
  antecipable_trap();
a[i] = …;

}

Transform to:

if (any of a[0..n-1] out of bounds)

antecipable_trap();

for (i=0; i < n; ++i) {

a[i] = …;

}

This is an obvious transformation. Without it, vectorization will not kick in at all (since it is mostly oblivious about multiple exit loops). Anyway, this is something for the backend guys to work on. It isn't very hard to implement; it just hasn't been done.

The other thing that has been committed recently to LLVM (last month) is a loop splitter (Transforms/Scalar/InductiveRangeCheckElimination.cpp). The idea is that if we can prove that in the first x iterations of the loop, everything is in bounds, then we can duplicate the loop, and remove all checks from the first loop. This increases code size, but can enable many optimizations on the first x iterations (which we hope will be the majority, but that's only a hope).

Finally, how does all of this applies to ASan? I don't know. Sorry, I never took a look to how ASan instruments stuff. If it exposes, say, the bounds checks in the IR (i.e., if the comparison is inlined in the IR), then current transformation passes will look at that and try to optimized them away (with the caveat there is still work required on the backend). If ASan just introduces a function call (e.g., check_pointer_is_ok(%p)), then the optimizers have no clue what that function does and will not touch it. Of course it is possible to patch, say, the CVP pass to know about these ASan functions and then reuse the same range analysis. Or, alternatively, build a simple pass that is only runs when ASan is used and that queries current analyses.
So, yes, building analyses from scratch doesn't make sense IMHO. It should be possible to reuse what LLVM already has. Then, how to use the information is a different story, but grepping for ASan functions in the IR and using current analyses shouldn't be a hard task (again, I have no clue how ASan works).
ASan also has stronger guarantees that my bounds checkers. For example, I don't check if the object has been deleted in the meantime. And ASan does. So the analysis has to work a bit harder (basically check liveness of objects as well as the size; but then if we only managed to get one piece of information but not the other, probably it's possible to optimize the check).

Ok, so I think the email is already quite long, but feel free to ask me for more details. I just tried to give an overview of what LLVM can and cannot do. I'm sorry I don't know more about ASan to give you a more concrete answer.

Nuno"

kcc added inline comments.Feb 24 2015, 6:16 PM

lib/Transforms/Instrumentation/AddressSanitizer.cpp
206	ouch. Indeed, don't make it true by default for now. Unfortunately, I don't know any good way to test complex optimizations that eliminate checks, and so I don't know what it will take us to enable this by default. But at least having this code in trunk will simplify the experiments.

dvyukov updated this revision to Diff 20673.Feb 25 2015, 7:09 AM

uploaded new patch

lib/Transforms/Instrumentation/AddressSanitizer.cpp
18	Done
206	changed default value to false
439	done
1556	done
2116	done These are int64's. I don't see how overflow can happen.

In D7583#129129, @zaks.anna wrote:

How are you getting the speedup/size improvement measurements? Are these at -O1 or -O0?

I compiled a large program with -O2 and measured binary size difference.
Then compiled with -O2 and call threshold set to -1 and objdump -d | grep "call.*__asan_report_" | wc -l

When comparing to my patch, the intend of this patch is to be more aggressive in removing bounds checking. My patch does not introduce any improvement at optimization levels higher than -O0 and is trying to simulate mem2reg. On the other hand, the analysis here are more aggressive in the checks it removes. For example, my patch would not remove provably in bounds array accesses with constant offset and it does not do anything for non-alloca values.

On the other hand, with my patch, the allocas that are known not to have instrumented accesses do not get poisoned. Currently, this patch is only targeting removal of bounds checking. Also, I am not sure what is the compile time overhead this brings and how reliable it is since I don't think ObjectSizeOffsetEvaluator is used much.

I preference is to have this on top of non-promotable allocas.

I am perfectly OK with it. But what do I know?

Also, I believe removal of all unnecessary checks is a bigger task.

I would say it is an infinite task. Besides loops there are also access coalescing, inter-BB duduplication, range deduplication (if we checked [this, this+X), then we may omit checks of everything in [this, this+X)), figuring out what calls can actually free what objects, etc.

You should use ObjectSizeOffsetVisitor instead of ObjectSizeOffsetEvaluator. The interface is the similar, but it gives up when the object size is not constant, while the later may insert new instructions in the code. ObjectSizeOffsetVisitor is well tested (it's used by alias analysis, for example).

Second, the inbounds check is unsound (it may overflow -- check the prove here: http://rise4fun.com/Z3/PVrF). The correct set of checks are the following 3:

Offset >= 0 (signed; you have this one)
Size >= Offset (unsigned)
Size - Offset >= AccessSize (unsigned)

Finally, you cannot derive the access size from "DL->getTypeStoreSize(OrigTy)". For example, just because an array has elements of size 4, it doesn't mean that all stores must be of size 4. You can have done a bitcast, and stored 8 bytes. Basically you need to get hold of the element stored and check its store size.

After fixing these 3 issues, I think the patch becomes correct and desirable for commit.

This revision now requires changes to proceed.Feb 25 2015, 8:40 AM

Thanks for the review, Nuno!
All you three comments are addressed. Please take another look.

FWIW: This optimization looks right to me.
GVN uses similar logic to do an optimization to loads it can prove come directly from allocation functions.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
2107	You may want to look if this does a better/worse job than GetPointerBaseWithConstantOffset (This is what GVN, DeadStoreElimination, etc use to do what you are doing here - compute the pointer base and constant offset, make sure they match, then they use getTypeSizeInBits to compare the sizes)

This looks very good to me as well. I think you can submit now. The remaining issues are I think quite minor.

However, I would love to find some form of naming that doesn't so easily confuse the GEP "inbounds" keyword with this check. Sadly, I can't come up with any good ideas. Maybe just talk about "safe" in the APIs and explain what the object size check is computing, etc.? Anyways, a minor point.

If this causes a compile-time regression, it should be easy to track down. You might do a quick sanity check for some big inputs Dmitry, since it seems like you have them.

Danny, I'm pretty sure that the object size code is newer and should at least in theory be more powerful than just getting the base address. I could be wrong though. Still, easy to switch to that in a follow-up if needed.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
414–416	Surely clang-format puts this 'const' somewhere else...

applied clang-format

Chandler,

I've applied clang-format.

Renamed s/inbounds/safe/. Comment above the function explains the meaning of safe.

Regarding compilation speed. On top of removing instrumentation and reducing binary size, it also speedups compilation (less stuff for backed to deal with). I've tested on llvm's largest source file lib/Target/X86/X86ISelLowering.cpp.

current without asan -O0:
real 0m4.847s
real 0m4.813s
real 0m4.776s
(I cross-checked that the new compiler has the same performance)

current -fsanitize=address -O0
real 0m7.191s
real 0m7.257s
real 0m7.183s

new -fsanitize=address -O0
real 0m6.619s
real 0m6.798s
real 0m6.722s
(~-6.4%)

current -fsanitize=address -O1
real 0m17.466s
real 0m17.553s
real 0m17.449s

new -fsanitize=address -O1
real 0m15.908s
real 0m15.853s
real 0m15.329s
(~-12.15%)

current -fsanitize=address -O2
real 0m24.337s
real 0m24.246s
real 0m24.604s

new -fsanitize=address -O2
real 0m23.662s
real 0m23.430s
real 0m23.400s
(~-3.49%)

Object file size:
w/o asan: 1228800
current with asan: 3658480 (+197.73%)
new with asan: 3444760 (-5.84%)

Amount of instrumentation (since it is just an object file, I grepped for "callq"):
w/o asan: 8235
current with asan: 37342
new with asan: 33706 (-12.5%)

Reformat code with -style=Google, because otherwise linter in check-all barks.

Committed in rev 231241.
We also need some plan for testing and enabling such optimization by default.

chandlerc removed a reviewer: chandlerc.Mar 29 2015, 7:58 PM

nlopes resigned from this revision.Jul 26 2017, 5:58 AM

dvyukov abandoned this revision.Apr 15 2021, 1:19 AM

Herald added a subscriber: jfb. · View Herald TranscriptApr 15 2021, 1:19 AM

Revision Contents

Path

Size

lib/

Transforms/

Instrumentation/

AddressSanitizer.cpp

553 lines

test/

Instrumentation/

AddressSanitizer/

instrument-stack.ll

48 lines

Diff 21178

lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show All 9 Lines
// This file is a part of AddressSanitizer, an address sanity checker.		// This file is a part of AddressSanitizer, an address sanity checker.
// Details of the algorithm:		// Details of the algorithm:
// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm		// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "llvm/Transforms/Instrumentation.h"		#include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/ArrayRef.h"		#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseMap.h"		#include "llvm/ADT/DenseMap.h"
		zaks.annaUnsubmitted Not Done Reply Inline Actions These seem out of place - should be moved after ADT. zaks.anna: These seem out of place - should be moved after ADT.
		dvyukovAuthorUnsubmitted Not Done Reply Inline Actions Done dvyukov: Done
#include "llvm/ADT/DenseSet.h"		#include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/DepthFirstIterator.h"		#include "llvm/ADT/DepthFirstIterator.h"
#include "llvm/ADT/SmallSet.h"		#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallString.h"		#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"		#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"		#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h"		#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h"		#include "llvm/ADT/Triple.h"
		#include "llvm/Analysis/MemoryBuiltins.h"
		#include "llvm/Analysis/TargetLibraryInfo.h"
		#include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/CallSite.h"		#include "llvm/IR/CallSite.h"
#include "llvm/IR/DIBuilder.h"		#include "llvm/IR/DIBuilder.h"
#include "llvm/IR/DataLayout.h"		#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Dominators.h"		#include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h"		#include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h"		#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InlineAsm.h"		#include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstVisitor.h"		#include "llvm/IR/InstVisitor.h"
Show All 22 Lines
using namespace llvm;		using namespace llvm;

#define DEBUG_TYPE "asan"		#define DEBUG_TYPE "asan"

static const uint64_t kDefaultShadowScale = 3;		static const uint64_t kDefaultShadowScale = 3;
static const uint64_t kDefaultShadowOffset32 = 1ULL << 29;		static const uint64_t kDefaultShadowOffset32 = 1ULL << 29;
static const uint64_t kIOSShadowOffset32 = 1ULL << 30;		static const uint64_t kIOSShadowOffset32 = 1ULL << 30;
static const uint64_t kDefaultShadowOffset64 = 1ULL << 44;		static const uint64_t kDefaultShadowOffset64 = 1ULL << 44;
static const uint64_t kSmallX86_64ShadowOffset = 0x7FFF8000; // < 2G.		static const uint64_t kSmallX86_64ShadowOffset = 0x7FFF8000; // < 2G.
static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41;		static const uint64_t kPPC64_ShadowOffset64 = 1ULL << 41;
static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000;		static const uint64_t kMIPS32_ShadowOffset32 = 0x0aaa0000;
static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37;		static const uint64_t kMIPS64_ShadowOffset64 = 1ULL << 37;
static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36;		static const uint64_t kAArch64_ShadowOffset64 = 1ULL << 36;
static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30;		static const uint64_t kFreeBSD_ShadowOffset32 = 1ULL << 30;
static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46;		static const uint64_t kFreeBSD_ShadowOffset64 = 1ULL << 46;
static const uint64_t kWindowsShadowOffset32 = 3ULL << 28;		static const uint64_t kWindowsShadowOffset32 = 3ULL << 28;

static const size_t kMinStackMallocSize = 1 << 6; // 64B		static const size_t kMinStackMallocSize = 1 << 6; // 64B
static const size_t kMaxStackMallocSize = 1 << 16; // 64K		static const size_t kMaxStackMallocSize = 1 << 16; // 64K
static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3;		static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3;
static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E;		static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E;

static const char *const kAsanModuleCtorName = "asan.module_ctor";		static const char *const kAsanModuleCtorName = "asan.module_ctor";
static const char *const kAsanModuleDtorName = "asan.module_dtor";		static const char *const kAsanModuleDtorName = "asan.module_dtor";
static const uint64_t kAsanCtorAndDtorPriority = 1;		static const uint64_t kAsanCtorAndDtorPriority = 1;
static const char *const kAsanReportErrorTemplate = "__asan_report_";		static const char *const kAsanReportErrorTemplate = "__asan_report_";
static const char *const kAsanReportLoadN = "__asan_report_load_n";		static const char *const kAsanReportLoadN = "__asan_report_load_n";
static const char *const kAsanReportStoreN = "__asan_report_store_n";		static const char *const kAsanReportStoreN = "__asan_report_store_n";
static const char *const kAsanRegisterGlobalsName = "__asan_register_globals";		static const char *const kAsanRegisterGlobalsName = "__asan_register_globals";
static const char *const kAsanUnregisterGlobalsName =		static const char *const kAsanUnregisterGlobalsName =
"__asan_unregister_globals";		"__asan_unregister_globals";
static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init";		static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init";
static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";		static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *const kAsanInitName = "__asan_init_v5";		static const char *const kAsanInitName = "__asan_init_v5";
static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";		static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";
static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";		static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";
static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";		static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";
static const int kMaxAsanStackMallocSizeClass = 10;		static const int kMaxAsanStackMallocSizeClass = 10;
static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_";		static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_";
static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_";		static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_";
static const char *const kAsanGenPrefix = "__asan_gen_";		static const char *const kAsanGenPrefix = "__asan_gen_";
static const char *const kSanCovGenPrefix = "__sancov_gen_";		static const char *const kSanCovGenPrefix = "__sancov_gen_";
static const char *const kAsanPoisonStackMemoryName =		static const char *const kAsanPoisonStackMemoryName =
"__asan_poison_stack_memory";		"__asan_poison_stack_memory";
static const char *const kAsanUnpoisonStackMemoryName =		static const char *const kAsanUnpoisonStackMemoryName =
"__asan_unpoison_stack_memory";		"__asan_unpoison_stack_memory";
Show All 13 Lines
static const unsigned kAsanAllocaRightMagic = 0xcbcbcbcbU;		static const unsigned kAsanAllocaRightMagic = 0xcbcbcbcbU;
static const unsigned kAsanAllocaPartialVal1 = 0xcbcbcb00U;		static const unsigned kAsanAllocaPartialVal1 = 0xcbcbcb00U;
static const unsigned kAsanAllocaPartialVal2 = 0x000000cbU;		static const unsigned kAsanAllocaPartialVal2 = 0x000000cbU;

// Command-line flags.		// Command-line flags.

// This flag may need to be replaced with -f[no-]asan-reads.		// This flag may need to be replaced with -f[no-]asan-reads.
static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",		static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",
cl::desc("instrument read instructions"), cl::Hidden, cl::init(true));		cl::desc("instrument read instructions"),
static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes",
cl::desc("instrument write instructions"), cl::Hidden, cl::init(true));
static cl::opt<bool> ClInstrumentAtomics("asan-instrument-atomics",
cl::desc("instrument atomic instructions (rmw, cmpxchg)"),
cl::Hidden, cl::init(true));		cl::Hidden, cl::init(true));
static cl::opt<bool> ClAlwaysSlowPath("asan-always-slow-path",		static cl::opt<bool>
cl::desc("use instrumentation with slow path for all accesses"),		ClInstrumentWrites("asan-instrument-writes",
cl::Hidden, cl::init(false));		cl::desc("instrument write instructions"), cl::Hidden,
		cl::init(true));
		static cl::opt<bool> ClInstrumentAtomics(
		"asan-instrument-atomics",
		cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
		cl::init(true));
		static cl::opt<bool> ClAlwaysSlowPath(
		"asan-always-slow-path",
		cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden,
		cl::init(false));
// This flag limits the number of instructions to be instrumented		// This flag limits the number of instructions to be instrumented
// in any given BB. Normally, this should be set to unlimited (INT_MAX),		// in any given BB. Normally, this should be set to unlimited (INT_MAX),
// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary		// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary
// set it to 10000.		// set it to 10000.
static cl::opt<int> ClMaxInsnsToInstrumentPerBB("asan-max-ins-per-bb",		static cl::opt<int> ClMaxInsnsToInstrumentPerBB(
cl::init(10000),		"asan-max-ins-per-bb", cl::init(10000),
cl::desc("maximal number of instructions to instrument in any given BB"),		cl::desc("maximal number of instructions to instrument in any given BB"),
cl::Hidden);		cl::Hidden);
// This flag may need to be replaced with -f[no]asan-stack.		// This flag may need to be replaced with -f[no]asan-stack.
static cl::opt<bool> ClStack("asan-stack",		static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"),
cl::desc("Handle stack memory"), cl::Hidden, cl::init(true));		cl::Hidden, cl::init(true));
static cl::opt<bool> ClUseAfterReturn("asan-use-after-return",		static cl::opt<bool> ClUseAfterReturn("asan-use-after-return",
cl::desc("Check return-after-free"), cl::Hidden, cl::init(true));		cl::desc("Check return-after-free"),
		cl::Hidden, cl::init(true));
// This flag may need to be replaced with -f[no]asan-globals.		// This flag may need to be replaced with -f[no]asan-globals.
static cl::opt<bool> ClGlobals("asan-globals",		static cl::opt<bool> ClGlobals("asan-globals",
cl::desc("Handle global objects"), cl::Hidden, cl::init(true));		cl::desc("Handle global objects"), cl::Hidden,
		cl::init(true));
static cl::opt<bool> ClInitializers("asan-initialization-order",		static cl::opt<bool> ClInitializers("asan-initialization-order",
cl::desc("Handle C++ initializer order"), cl::Hidden, cl::init(true));		cl::desc("Handle C++ initializer order"),
static cl::opt<bool> ClInvalidPointerPairs("asan-detect-invalid-pointer-pair",		cl::Hidden, cl::init(true));
cl::desc("Instrument <, <=, >, >=, - with pointer operands"),		static cl::opt<bool> ClInvalidPointerPairs(
cl::Hidden, cl::init(false));		"asan-detect-invalid-pointer-pair",
static cl::opt<unsigned> ClRealignStack("asan-realign-stack",		cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden,
		cl::init(false));
		static cl::opt<unsigned> ClRealignStack(
		"asan-realign-stack",
cl::desc("Realign stack to the value of this flag (power of two)"),		cl::desc("Realign stack to the value of this flag (power of two)"),
cl::Hidden, cl::init(32));		cl::Hidden, cl::init(32));
static cl::opt<int> ClInstrumentationWithCallsThreshold(		static cl::opt<int> ClInstrumentationWithCallsThreshold(
"asan-instrumentation-with-call-threshold",		"asan-instrumentation-with-call-threshold",
cl::desc("If the function being instrumented contains more than "		cl::desc("If the function being instrumented contains more than "
"this number of memory accesses, use callbacks instead of "		"this number of memory accesses, use callbacks instead of "
"inline checks (-1 means never use callbacks)."),		"inline checks (-1 means never use callbacks)."),
cl::Hidden, cl::init(7000));		cl::Hidden, cl::init(7000));
static cl::opt<std::string> ClMemoryAccessCallbackPrefix(		static cl::opt<std::string>
"asan-memory-access-callback-prefix",		ClMemoryAccessCallbackPrefix("asan-memory-access-callback-prefix",
cl::desc("Prefix for memory access callbacks"), cl::Hidden,		cl::desc("Prefix for memory access callbacks"),
cl::init("__asan_"));		cl::Hidden, cl::init("__asan_"));
static cl::opt<bool> ClInstrumentAllocas("asan-instrument-allocas",		static cl::opt<bool> ClInstrumentAllocas("asan-instrument-allocas",
cl::desc("instrument dynamic allocas"), cl::Hidden, cl::init(false));		cl::desc("instrument dynamic allocas"),
static cl::opt<bool> ClSkipPromotableAllocas("asan-skip-promotable-allocas",		cl::Hidden, cl::init(false));
		static cl::opt<bool>
		ClSkipPromotableAllocas("asan-skip-promotable-allocas",
cl::desc("Do not instrument promotable allocas"),		cl::desc("Do not instrument promotable allocas"),
cl::Hidden, cl::init(true));		cl::Hidden, cl::init(true));

// These flags allow to change the shadow mapping.		// These flags allow to change the shadow mapping.
// The shadow mapping looks like		// The shadow mapping looks like
// Shadow = (Mem >> scale) + (1 << offset_log)		// Shadow = (Mem >> scale) + (1 << offset_log)
static cl::opt<int> ClMappingScale("asan-mapping-scale",		static cl::opt<int> ClMappingScale("asan-mapping-scale",
cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0));		cl::desc("scale of asan shadow mapping"),
		cl::Hidden, cl::init(0));

// Optimization flags. Not user visible, used mostly for testing		// Optimization flags. Not user visible, used mostly for testing
// and benchmarking the tool.		// and benchmarking the tool.
static cl::opt<bool> ClOpt("asan-opt",		static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"),
cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true));		cl::Hidden, cl::init(true));
static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp",		static cl::opt<bool>
		ClOptSameTemp("asan-opt-same-temp",
cl::desc("Instrument the same temp just once"), cl::Hidden,		cl::desc("Instrument the same temp just once"), cl::Hidden,
cl::init(true));		cl::init(true));
static cl::opt<bool> ClOptGlobals("asan-opt-globals",		static cl::opt<bool> ClOptGlobals("asan-opt-globals",
cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true));		cl::desc("Don't instrument scalar globals"),
		cl::Hidden, cl::init(true));
static cl::opt<bool> ClCheckLifetime("asan-check-lifetime",		static cl::opt<bool>
		zaks.annaUnsubmitted Not Done Reply Inline Actions This makes me nervous. I don't think ObjectSizeOffsetEvaluator is used much. This should probably go through more testing, though I am not sure how to catch issues here since we are removing checking. zaks.anna: This makes me nervous. I don't think ObjectSizeOffsetEvaluator is used much. This should…
		kccUnsubmitted Not Done Reply Inline Actions ouch. Indeed, don't make it true by default for now. Unfortunately, I don't know any good way to test complex optimizations that eliminate checks, and so I don't know what it will take us to enable this by default. But at least having this code in trunk will simplify the experiments. kcc: ouch. Indeed, don't make it true by default for now. Unfortunately, I don't know any good way…
		dvyukovAuthorUnsubmitted Not Done Reply Inline Actions changed default value to false dvyukov: changed default value to false
cl::desc("Use llvm.lifetime intrinsics to insert extra checks"),		ClOptStack("asan-opt-stack",
cl::Hidden, cl::init(false));		cl::desc("Don't instrument scalar stack variables"), cl::Hidden,
		cl::init(false));

		static cl::opt<bool> ClCheckLifetime(
		"asan-check-lifetime",
		cl::desc("Use llvm.lifetime intrinsics to insert extra checks"), cl::Hidden,
		cl::init(false));

static cl::opt<bool> ClDynamicAllocaStack(		static cl::opt<bool> ClDynamicAllocaStack(
"asan-stack-dynamic-alloca",		"asan-stack-dynamic-alloca",
cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,		cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,
cl::init(true));		cl::init(true));

// Debug flags.		// Debug flags.
static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,		static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,
cl::init(0));		cl::init(0));
static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),		static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),
cl::Hidden, cl::init(0));		cl::Hidden, cl::init(0));
static cl::opt<std::string> ClDebugFunc("asan-debug-func",		static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden,
cl::Hidden, cl::desc("Debug func"));		cl::desc("Debug func"));
static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),		static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),
cl::Hidden, cl::init(-1));		cl::Hidden, cl::init(-1));
static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"),		static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"),
cl::Hidden, cl::init(-1));		cl::Hidden, cl::init(-1));

STATISTIC(NumInstrumentedReads, "Number of instrumented reads");		STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");		STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
STATISTIC(NumInstrumentedDynamicAllocas,		STATISTIC(NumInstrumentedDynamicAllocas,
"Number of instrumented dynamic allocas");		"Number of instrumented dynamic allocas");
STATISTIC(NumOptimizedAccessesToGlobalArray,
"Number of optimized accesses to global arrays");
STATISTIC(NumOptimizedAccessesToGlobalVar,		STATISTIC(NumOptimizedAccessesToGlobalVar,
"Number of optimized accesses to global vars");		"Number of optimized accesses to global vars");
		STATISTIC(NumOptimizedAccessesToStackVar,
		"Number of optimized accesses to stack vars");

namespace {		namespace {
/// Frontend-provided metadata for source location.		/// Frontend-provided metadata for source location.
struct LocationMetadata {		struct LocationMetadata {
StringRef Filename;		StringRef Filename;
int LineNo;		int LineNo;
int ColumnNo;		int ColumnNo;

Show All 9 Lines	LineNo =
mdconst::extract<ConstantInt>(MDN->getOperand(1))->getLimitedValue();		mdconst::extract<ConstantInt>(MDN->getOperand(1))->getLimitedValue();
ColumnNo =		ColumnNo =
mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue();		mdconst::extract<ConstantInt>(MDN->getOperand(2))->getLimitedValue();
}		}
};		};

/// Frontend-provided metadata for global variables.		/// Frontend-provided metadata for global variables.
class GlobalsMetadata {		class GlobalsMetadata {
public:		public:
struct Entry {		struct Entry {
Entry()		Entry() : SourceLoc(), Name(), IsDynInit(false), IsBlacklisted(false) {}
: SourceLoc(), Name(), IsDynInit(false),
IsBlacklisted(false) {}
LocationMetadata SourceLoc;		LocationMetadata SourceLoc;
StringRef Name;		StringRef Name;
bool IsDynInit;		bool IsDynInit;
bool IsBlacklisted;		bool IsBlacklisted;
};		};

GlobalsMetadata() : inited_(false) {}		GlobalsMetadata() : inited_(false) {}

void init(Module& M) {		void init(Module &M) {
assert(!inited_);		assert(!inited_);
inited_ = true;		inited_ = true;
NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");		NamedMDNode *Globals = M.getNamedMetadata("llvm.asan.globals");
if (!Globals)		if (!Globals)
return;		return;
for (auto MDN : Globals->operands()) {		for (auto MDN : Globals->operands()) {
// Metadata node contains the global and the fields of "Entry".		// Metadata node contains the global and the fields of "Entry".
assert(MDN->getNumOperands() == 5);		assert(MDN->getNumOperands() == 5);
Show All 18 Lines	public:
}		}

/// Returns metadata entry for a given global.		/// Returns metadata entry for a given global.
Entry get(GlobalVariable *G) const {		Entry get(GlobalVariable *G) const {
auto Pos = Entries.find(G);		auto Pos = Entries.find(G);
return (Pos != Entries.end()) ? Pos->second : Entry();		return (Pos != Entries.end()) ? Pos->second : Entry();
}		}

private:		private:
bool inited_;		bool inited_;
DenseMap<GlobalVariable*, Entry> Entries;		DenseMap<GlobalVariable *, Entry> Entries;
};		};

/// This struct defines the shadow mapping using the rule:		/// This struct defines the shadow mapping using the rule:
/// shadow = (mem >> Scale) ADD-or-OR Offset.		/// shadow = (mem >> Scale) ADD-or-OR Offset.
struct ShadowMapping {		struct ShadowMapping {
int Scale;		int Scale;
uint64_t Offset;		uint64_t Offset;
bool OrShadowOffset;		bool OrShadowOffset;
Show All 24 Lines	if (LongSize == 32) {
else if (IsFreeBSD)		else if (IsFreeBSD)
Mapping.Offset = kFreeBSD_ShadowOffset32;		Mapping.Offset = kFreeBSD_ShadowOffset32;
else if (IsIOS)		else if (IsIOS)
Mapping.Offset = kIOSShadowOffset32;		Mapping.Offset = kIOSShadowOffset32;
else if (IsWindows)		else if (IsWindows)
Mapping.Offset = kWindowsShadowOffset32;		Mapping.Offset = kWindowsShadowOffset32;
else		else
Mapping.Offset = kDefaultShadowOffset32;		Mapping.Offset = kDefaultShadowOffset32;
} else { // LongSize == 64		} else { // LongSize == 64
if (IsPPC64)		if (IsPPC64)
Mapping.Offset = kPPC64_ShadowOffset64;		Mapping.Offset = kPPC64_ShadowOffset64;
else if (IsFreeBSD)		else if (IsFreeBSD)
Mapping.Offset = kFreeBSD_ShadowOffset64;		Mapping.Offset = kFreeBSD_ShadowOffset64;
else if (IsLinux && IsX86_64)		else if (IsLinux && IsX86_64)
Mapping.Offset = kSmallX86_64ShadowOffset;		Mapping.Offset = kSmallX86_64ShadowOffset;
else if (IsMIPS64)		else if (IsMIPS64)
Mapping.Offset = kMIPS64_ShadowOffset64;		Mapping.Offset = kMIPS64_ShadowOffset64;
Show All 27 Lines	struct AddressSanitizer : public FunctionPass {
AddressSanitizer() : FunctionPass(ID) {		AddressSanitizer() : FunctionPass(ID) {
initializeAddressSanitizerPass(*PassRegistry::getPassRegistry());		initializeAddressSanitizerPass(*PassRegistry::getPassRegistry());
}		}
const char *getPassName() const override {		const char *getPassName() const override {
return "AddressSanitizerFunctionPass";		return "AddressSanitizerFunctionPass";
}		}
void getAnalysisUsage(AnalysisUsage &AU) const override {		void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<DominatorTreeWrapperPass>();		AU.addRequired<DominatorTreeWrapperPass>();
		AU.addRequired<DataLayoutPass>();
		AU.addRequired<TargetLibraryInfoWrapperPass>();
}		}
uint64_t getAllocaSizeInBytes(AllocaInst *AI) const {		uint64_t getAllocaSizeInBytes(AllocaInst *AI) const {
Type *Ty = AI->getAllocatedType();		Type *Ty = AI->getAllocatedType();
uint64_t SizeInBytes = DL->getTypeAllocSize(Ty);		uint64_t SizeInBytes = DL->getTypeAllocSize(Ty);
return SizeInBytes;		return SizeInBytes;
}		}
/// Check if we want (and can) handle this alloca.		/// Check if we want (and can) handle this alloca.
bool isInterestingAlloca(AllocaInst &AI) const;		bool isInterestingAlloca(AllocaInst &AI) const;
/// If it is an interesting memory access, return the PointerOperand		/// If it is an interesting memory access, return the PointerOperand
/// and set IsWrite/Alignment. Otherwise return nullptr.		/// and set IsWrite/Alignment. Otherwise return nullptr.
Value isInterestingMemoryAccess(Instruction I, bool *IsWrite,		Value isInterestingMemoryAccess(Instruction I, bool *IsWrite,
		uint64_t *TypeSize,
unsigned *Alignment) const;		unsigned *Alignment) const;
void instrumentMop(Instruction *I, bool UseCalls);		void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis, Instruction *I,
		bool UseCalls);
void instrumentPointerComparisonOrSubtraction(Instruction *I);		void instrumentPointerComparisonOrSubtraction(Instruction *I);
		chandlercUnsubmitted Not Done Reply Inline Actions Surely clang-format puts this 'const' somewhere else... chandlerc: Surely clang-format puts this 'const' somewhere else...
void instrumentAddress(Instruction OrigIns, Instruction InsertBefore,		void instrumentAddress(Instruction OrigIns, Instruction InsertBefore,
Value *Addr, uint32_t TypeSize, bool IsWrite,		Value *Addr, uint32_t TypeSize, bool IsWrite,
Value *SizeArgument, bool UseCalls);		Value *SizeArgument, bool UseCalls);
Value createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,		Value createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,
Value *ShadowValue, uint32_t TypeSize);		Value *ShadowValue, uint32_t TypeSize);
Instruction generateCrashCode(Instruction InsertBefore, Value *Addr,		Instruction generateCrashCode(Instruction InsertBefore, Value *Addr,
bool IsWrite, size_t AccessSizeIndex,		bool IsWrite, size_t AccessSizeIndex,
Value *SizeArgument);		Value *SizeArgument);
void instrumentMemIntrinsic(MemIntrinsic *MI);		void instrumentMemIntrinsic(MemIntrinsic *MI);
Value memToShadow(Value Shadow, IRBuilder<> &IRB);		Value memToShadow(Value Shadow, IRBuilder<> &IRB);
bool runOnFunction(Function &F) override;		bool runOnFunction(Function &F) override;
bool maybeInsertAsanInitAtFunctionEntry(Function &F);		bool maybeInsertAsanInitAtFunctionEntry(Function &F);
bool doInitialization(Module &M) override;		bool doInitialization(Module &M) override;
static char ID; // Pass identification, replacement for typeid		static char ID; // Pass identification, replacement for typeid

DominatorTree &getDominatorTree() const { return *DT; }		DominatorTree &getDominatorTree() const { return *DT; }

private:		private:
void initializeCallbacks(Module &M);		void initializeCallbacks(Module &M);

bool LooksLikeCodeInBug11395(Instruction *I);		bool LooksLikeCodeInBug11395(Instruction *I);
bool GlobalIsLinkerInitialized(GlobalVariable *G);		bool GlobalIsLinkerInitialized(GlobalVariable *G);
		bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr,
		zaks.annaUnsubmitted Not Done Reply Inline Actions const? zaks.anna: const?
		dvyukovAuthorUnsubmitted Not Done Reply Inline Actions done dvyukov: done
		uint64_t TypeSize) const;

LLVMContext *C;		LLVMContext *C;
const DataLayout *DL;		const DataLayout *DL;
Triple TargetTriple;		Triple TargetTriple;
int LongSize;		int LongSize;
Type *IntptrTy;		Type *IntptrTy;
ShadowMapping Mapping;		ShadowMapping Mapping;
DominatorTree *DT;		DominatorTree *DT;
Function *AsanCtorFunction;		Function *AsanCtorFunction;
Function *AsanInitFunction;		Function *AsanInitFunction;
Function *AsanHandleNoReturnFunc;		Function *AsanHandleNoReturnFunc;
Function AsanPtrCmpFunction, AsanPtrSubFunction;		Function AsanPtrCmpFunction, AsanPtrSubFunction;
// This array is indexed by AccessIsWrite and log2(AccessSize).		// This array is indexed by AccessIsWrite and log2(AccessSize).
Function *AsanErrorCallback[2][kNumberOfAccessSizes];		Function *AsanErrorCallback[2][kNumberOfAccessSizes];
Function *AsanMemoryAccessCallback[2][kNumberOfAccessSizes];		Function *AsanMemoryAccessCallback[2][kNumberOfAccessSizes];
// This array is indexed by AccessIsWrite.		// This array is indexed by AccessIsWrite.
Function *AsanErrorCallbackSized[2],		Function AsanErrorCallbackSized[2], AsanMemoryAccessCallbackSized[2];
*AsanMemoryAccessCallbackSized[2];
Function AsanMemmove, AsanMemcpy, *AsanMemset;		Function AsanMemmove, AsanMemcpy, *AsanMemset;
InlineAsm *EmptyAsm;		InlineAsm *EmptyAsm;
GlobalsMetadata GlobalsMD;		GlobalsMetadata GlobalsMD;

friend struct FunctionStackPoisoner;		friend struct FunctionStackPoisoner;
};		};

class AddressSanitizerModule : public ModulePass {		class AddressSanitizerModule : public ModulePass {
public:		public:
AddressSanitizerModule() : ModulePass(ID) {}		AddressSanitizerModule() : ModulePass(ID) {}
bool runOnModule(Module &M) override;		bool runOnModule(Module &M) override;
static char ID; // Pass identification, replacement for typeid		static char ID; // Pass identification, replacement for typeid
const char *getPassName() const override {		const char *getPassName() const override { return "AddressSanitizerModule"; }
return "AddressSanitizerModule";
}

private:		private:
void initializeCallbacks(Module &M);		void initializeCallbacks(Module &M);

bool InstrumentGlobals(IRBuilder<> &IRB, Module &M);		bool InstrumentGlobals(IRBuilder<> &IRB, Module &M);
bool ShouldInstrumentGlobal(GlobalVariable *G);		bool ShouldInstrumentGlobal(GlobalVariable *G);
void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName);		void poisonOneInitializer(Function &GlobalInit, GlobalValue *ModuleName);
void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName);		void createInitializerPoisonCalls(Module &M, GlobalValue *ModuleName);
size_t MinRedzoneSizeForGlobal() const {		size_t MinRedzoneSizeForGlobal() const {
return RedzoneSizeForScale(Mapping.Scale);		return RedzoneSizeForScale(Mapping.Scale);
Show All 24 Lines	struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
Function &F;		Function &F;
AddressSanitizer &ASan;		AddressSanitizer &ASan;
DIBuilder DIB;		DIBuilder DIB;
LLVMContext *C;		LLVMContext *C;
Type *IntptrTy;		Type *IntptrTy;
Type *IntptrPtrTy;		Type *IntptrPtrTy;
ShadowMapping Mapping;		ShadowMapping Mapping;

SmallVector<AllocaInst*, 16> AllocaVec;		SmallVector<AllocaInst *, 16> AllocaVec;
SmallVector<Instruction*, 8> RetVec;		SmallVector<Instruction *, 8> RetVec;
unsigned StackAlignment;		unsigned StackAlignment;

Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1],		Function *AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + 1],
*AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1];		*AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + 1];
Function AsanPoisonStackMemoryFunc, AsanUnpoisonStackMemoryFunc;		Function AsanPoisonStackMemoryFunc, AsanUnpoisonStackMemoryFunc;

// Stores a place and arguments of poisoning/unpoisoning call for alloca.		// Stores a place and arguments of poisoning/unpoisoning call for alloca.
struct AllocaPoisonCall {		struct AllocaPoisonCall {
IntrinsicInst *InsBefore;		IntrinsicInst *InsBefore;
AllocaInst *AI;		AllocaInst *AI;
uint64_t Size;		uint64_t Size;
bool DoPoison;		bool DoPoison;
};		};
SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec;		SmallVector<AllocaPoisonCall, 8> AllocaPoisonCallVec;

// Stores left and right redzone shadow addresses for dynamic alloca		// Stores left and right redzone shadow addresses for dynamic alloca
// and pointer to alloca instruction itself.		// and pointer to alloca instruction itself.
// LeftRzAddr is a shadow address for alloca left redzone.		// LeftRzAddr is a shadow address for alloca left redzone.
// RightRzAddr is a shadow address for alloca right redzone.		// RightRzAddr is a shadow address for alloca right redzone.
struct DynamicAllocaCall {		struct DynamicAllocaCall {
AllocaInst *AI;		AllocaInst *AI;
Value *LeftRzAddr;		Value *LeftRzAddr;
Value *RightRzAddr;		Value *RightRzAddr;
bool Poison;		bool Poison;
explicit DynamicAllocaCall(AllocaInst *AI,		explicit DynamicAllocaCall(AllocaInst AI, Value LeftRzAddr = nullptr,
Value *LeftRzAddr = nullptr,
Value *RightRzAddr = nullptr)		Value *RightRzAddr = nullptr)
: AI(AI), LeftRzAddr(LeftRzAddr), RightRzAddr(RightRzAddr), Poison(true)		: AI(AI), LeftRzAddr(LeftRzAddr), RightRzAddr(RightRzAddr),
{}		Poison(true) {}
};		};
SmallVector<DynamicAllocaCall, 1> DynamicAllocaVec;		SmallVector<DynamicAllocaCall, 1> DynamicAllocaVec;

// Maps Value to an AllocaInst from which the Value is originated.		// Maps Value to an AllocaInst from which the Value is originated.
typedef DenseMap<Value, AllocaInst> AllocaForValueMapTy;		typedef DenseMap<Value , AllocaInst > AllocaForValueMapTy;
AllocaForValueMapTy AllocaForValue;		AllocaForValueMapTy AllocaForValue;

bool HasNonEmptyInlineAsm;		bool HasNonEmptyInlineAsm;
std::unique_ptr<CallInst> EmptyInlineAsm;		std::unique_ptr<CallInst> EmptyInlineAsm;

FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)		FunctionStackPoisoner(Function &F, AddressSanitizer &ASan)
: F(F), ASan(ASan), DIB(F.getParent(), /AllowUnresolved*/ false),		: F(F), ASan(ASan), DIB(F.getParent(), /AllowUnresolved*/ false),
C(ASan.C), IntptrTy(ASan.IntptrTy),		C(ASan.C), IntptrTy(ASan.IntptrTy),
IntptrPtrTy(PointerType::get(IntptrTy, 0)), Mapping(ASan.Mapping),		IntptrPtrTy(PointerType::get(IntptrTy, 0)), Mapping(ASan.Mapping),
StackAlignment(1 << Mapping.Scale), HasNonEmptyInlineAsm(false),		StackAlignment(1 << Mapping.Scale), HasNonEmptyInlineAsm(false),
EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}		EmptyInlineAsm(CallInst::Create(ASan.EmptyAsm)) {}

bool runOnFunction() {		bool runOnFunction() {
if (!ClStack) return false;		if (!ClStack)
		return false;
// Collect alloca, ret, lifetime instructions etc.		// Collect alloca, ret, lifetime instructions etc.
for (BasicBlock *BB : depth_first(&F.getEntryBlock()))		for (BasicBlock *BB : depth_first(&F.getEntryBlock()))
visit(*BB);		visit(*BB);

if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;		if (AllocaVec.empty() && DynamicAllocaVec.empty())
		return false;

initializeCallbacks(*F.getParent());		initializeCallbacks(*F.getParent());

poisonStack();		poisonStack();

if (ClDebugStack) {		if (ClDebugStack) {
DEBUG(dbgs() << F);		DEBUG(dbgs() << F);
}		}
return true;		return true;
}		}

// Finds all Alloca instructions and puts		// Finds all Alloca instructions and puts
// poisoned red zones around all of them.		// poisoned red zones around all of them.
// Then unpoison everything back before the function returns.		// Then unpoison everything back before the function returns.
void poisonStack();		void poisonStack();

// ----------------------- Visitors.		// ----------------------- Visitors.
/// \brief Collect all Ret instructions.		/// \brief Collect all Ret instructions.
void visitReturnInst(ReturnInst &RI) {		void visitReturnInst(ReturnInst &RI) { RetVec.push_back(&RI); }
RetVec.push_back(&RI);
}

// Unpoison dynamic allocas redzones.		// Unpoison dynamic allocas redzones.
void unpoisonDynamicAlloca(DynamicAllocaCall &AllocaCall) {		void unpoisonDynamicAlloca(DynamicAllocaCall &AllocaCall) {
if (!AllocaCall.Poison)		if (!AllocaCall.Poison)
return;		return;
for (auto Ret : RetVec) {		for (auto Ret : RetVec) {
IRBuilder<> IRBRet(Ret);		IRBuilder<> IRBRet(Ret);
PointerType *Int32PtrTy = PointerType::getUnqual(IRBRet.getInt32Ty());		PointerType *Int32PtrTy = PointerType::getUnqual(IRBRet.getInt32Ty());
Value *Zero = Constant::getNullValue(IRBRet.getInt32Ty());		Value *Zero = Constant::getNullValue(IRBRet.getInt32Ty());
Value *PartialRzAddr = IRBRet.CreateSub(AllocaCall.RightRzAddr,		Value *PartialRzAddr = IRBRet.CreateSub(AllocaCall.RightRzAddr,
ConstantInt::get(IntptrTy, 4));		ConstantInt::get(IntptrTy, 4));
IRBRet.CreateStore(Zero, IRBRet.CreateIntToPtr(AllocaCall.LeftRzAddr,		IRBRet.CreateStore(
Int32PtrTy));		Zero, IRBRet.CreateIntToPtr(AllocaCall.LeftRzAddr, Int32PtrTy));
IRBRet.CreateStore(Zero, IRBRet.CreateIntToPtr(PartialRzAddr,		IRBRet.CreateStore(Zero,
Int32PtrTy));		IRBRet.CreateIntToPtr(PartialRzAddr, Int32PtrTy));
IRBRet.CreateStore(Zero, IRBRet.CreateIntToPtr(AllocaCall.RightRzAddr,		IRBRet.CreateStore(
Int32PtrTy));		Zero, IRBRet.CreateIntToPtr(AllocaCall.RightRzAddr, Int32PtrTy));
}		}
}		}

// Right shift for BigEndian and left shift for LittleEndian.		// Right shift for BigEndian and left shift for LittleEndian.
Value shiftAllocaMagic(Value Val, IRBuilder<> &IRB, Value *Shift) {		Value shiftAllocaMagic(Value Val, IRBuilder<> &IRB, Value *Shift) {
return ASan.DL->isLittleEndian() ? IRB.CreateShl(Val, Shift)		return ASan.DL->isLittleEndian() ? IRB.CreateShl(Val, Shift)
: IRB.CreateLShr(Val, Shift);		: IRB.CreateLShr(Val, Shift);
}		}
Show All 19 Lines	struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
// (1) Left redzone with kAsanAllocaLeftMagic.		// (1) Left redzone with kAsanAllocaLeftMagic.
// (2) Partial redzone with the value, computed in runtime by		// (2) Partial redzone with the value, computed in runtime by
// computePartialRzMagic function.		// computePartialRzMagic function.
// (3) Right redzone with kAsanAllocaRightMagic.		// (3) Right redzone with kAsanAllocaRightMagic.
void handleDynamicAllocaCall(DynamicAllocaCall &AllocaCall);		void handleDynamicAllocaCall(DynamicAllocaCall &AllocaCall);

/// \brief Collect Alloca instructions we want (and can) handle.		/// \brief Collect Alloca instructions we want (and can) handle.
void visitAllocaInst(AllocaInst &AI) {		void visitAllocaInst(AllocaInst &AI) {
if (!ASan.isInterestingAlloca(AI)) return;		if (!ASan.isInterestingAlloca(AI))
		return;

StackAlignment = std::max(StackAlignment, AI.getAlignment());		StackAlignment = std::max(StackAlignment, AI.getAlignment());
if (isDynamicAlloca(AI))		if (isDynamicAlloca(AI))
DynamicAllocaVec.push_back(DynamicAllocaCall(&AI));		DynamicAllocaVec.push_back(DynamicAllocaCall(&AI));
else		else
AllocaVec.push_back(&AI);		AllocaVec.push_back(&AI);
}		}

/// \brief Collect lifetime intrinsic calls to check for use-after-scope		/// \brief Collect lifetime intrinsic calls to check for use-after-scope
/// errors.		/// errors.
void visitIntrinsicInst(IntrinsicInst &II) {		void visitIntrinsicInst(IntrinsicInst &II) {
if (!ClCheckLifetime) return;		if (!ClCheckLifetime)
		return;
Intrinsic::ID ID = II.getIntrinsicID();		Intrinsic::ID ID = II.getIntrinsicID();
if (ID != Intrinsic::lifetime_start &&		if (ID != Intrinsic::lifetime_start && ID != Intrinsic::lifetime_end)
ID != Intrinsic::lifetime_end)
return;		return;
// Found lifetime intrinsic, add ASan instrumentation if necessary.		// Found lifetime intrinsic, add ASan instrumentation if necessary.
ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0));		ConstantInt *Size = dyn_cast<ConstantInt>(II.getArgOperand(0));
// If size argument is undefined, don't do anything.		// If size argument is undefined, don't do anything.
if (Size->isMinusOne()) return;		if (Size->isMinusOne())
		return;
// Check that size doesn't saturate uint64_t and can		// Check that size doesn't saturate uint64_t and can
// be stored in IntptrTy.		// be stored in IntptrTy.
const uint64_t SizeValue = Size->getValue().getLimitedValue();		const uint64_t SizeValue = Size->getValue().getLimitedValue();
if (SizeValue == ~0ULL \|\|		if (SizeValue == ~0ULL \|\|
!ConstantInt::isValueValidForType(IntptrTy, SizeValue))		!ConstantInt::isValueValidForType(IntptrTy, SizeValue))
return;		return;
// Find alloca instruction that corresponds to llvm.lifetime argument.		// Find alloca instruction that corresponds to llvm.lifetime argument.
AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));		AllocaInst *AI = findAllocaForValue(II.getArgOperand(1));
if (!AI) return;		if (!AI)
		return;
bool DoPoison = (ID == Intrinsic::lifetime_end);		bool DoPoison = (ID == Intrinsic::lifetime_end);
AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};		AllocaPoisonCall APC = {&II, AI, SizeValue, DoPoison};
AllocaPoisonCallVec.push_back(APC);		AllocaPoisonCallVec.push_back(APC);
}		}

void visitCallInst(CallInst &CI) {		void visitCallInst(CallInst &CI) {
HasNonEmptyInlineAsm \|=		HasNonEmptyInlineAsm \|=
CI.isInlineAsm() && !CI.isIdenticalTo(EmptyInlineAsm.get());		CI.isInlineAsm() && !CI.isIdenticalTo(EmptyInlineAsm.get());
Show All 22 Lines	struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
void SetShadowToStackAfterReturnInlined(IRBuilder<> &IRB, Value *ShadowBase,		void SetShadowToStackAfterReturnInlined(IRBuilder<> &IRB, Value *ShadowBase,
int Size);		int Size);
Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L,		Value *createAllocaForLayout(IRBuilder<> &IRB, const ASanStackFrameLayout &L,
bool Dynamic);		bool Dynamic);
PHINode createPHI(IRBuilder<> &IRB, Value Cond, Value *ValueIfTrue,		PHINode createPHI(IRBuilder<> &IRB, Value Cond, Value *ValueIfTrue,
Instruction ThenTerm, Value ValueIfFalse);		Instruction ThenTerm, Value ValueIfFalse);
};		};

} // namespace		} // namespace

char AddressSanitizer::ID = 0;		char AddressSanitizer::ID = 0;
INITIALIZE_PASS_BEGIN(AddressSanitizer, "asan",		INITIALIZE_PASS_BEGIN(
"AddressSanitizer: detects use-after-free and out-of-bounds bugs.",		AddressSanitizer, "asan",
false, false)		"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
		false)
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)		INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
INITIALIZE_PASS_END(AddressSanitizer, "asan",		INITIALIZE_PASS_END(
"AddressSanitizer: detects use-after-free and out-of-bounds bugs.",		AddressSanitizer, "asan",
false, false)		"AddressSanitizer: detects use-after-free and out-of-bounds bugs.", false,
		false)
FunctionPass *llvm::createAddressSanitizerFunctionPass() {		FunctionPass *llvm::createAddressSanitizerFunctionPass() {
return new AddressSanitizer();		return new AddressSanitizer();
}		}

char AddressSanitizerModule::ID = 0;		char AddressSanitizerModule::ID = 0;
INITIALIZE_PASS(AddressSanitizerModule, "asan-module",		INITIALIZE_PASS(
		AddressSanitizerModule, "asan-module",
"AddressSanitizer: detects use-after-free and out-of-bounds bugs."		"AddressSanitizer: detects use-after-free and out-of-bounds bugs."
"ModulePass", false, false)		"ModulePass",
		false, false)
ModulePass *llvm::createAddressSanitizerModulePass() {		ModulePass *llvm::createAddressSanitizerModulePass() {
return new AddressSanitizerModule();		return new AddressSanitizerModule();
}		}

static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {		static size_t TypeSizeToSizeIndex(uint32_t TypeSize) {
size_t Res = countTrailingZeros(TypeSize / 8);		size_t Res = countTrailingZeros(TypeSize / 8);
assert(Res < kNumberOfAccessSizes);		assert(Res < kNumberOfAccessSizes);
return Res;		return Res;
}		}

// \brief Create a constant for Str so that we can pass it to the run-time lib.		// \brief Create a constant for Str so that we can pass it to the run-time lib.
static GlobalVariable *createPrivateGlobalForString(		static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str,
Module &M, StringRef Str, bool AllowMerging) {		bool AllowMerging) {
Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);		Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
// We use private linkage for module-local strings. If they can be merged		// We use private linkage for module-local strings. If they can be merged
// with another one, we set the unnamed_addr attribute.		// with another one, we set the unnamed_addr attribute.
GlobalVariable *GV =		GlobalVariable *GV =
new GlobalVariable(M, StrConst->getType(), true,		new GlobalVariable(M, StrConst->getType(), true,
GlobalValue::PrivateLinkage, StrConst, kAsanGenPrefix);		GlobalValue::PrivateLinkage, StrConst, kAsanGenPrefix);
if (AllowMerging)		if (AllowMerging)
GV->setUnnamedAddr(true);		GV->setUnnamedAddr(true);
GV->setAlignment(1); // Strings may not be merged w/o setting align 1.		GV->setAlignment(1); // Strings may not be merged w/o setting align 1.
return GV;		return GV;
}		}

/// \brief Create a global describing a source location.		/// \brief Create a global describing a source location.
static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M,		static GlobalVariable *createPrivateGlobalForSourceLoc(Module &M,
LocationMetadata MD) {		LocationMetadata MD) {
Constant *LocData[] = {		Constant *LocData[] = {
createPrivateGlobalForString(M, MD.Filename, true),		createPrivateGlobalForString(M, MD.Filename, true),
▲ Show 20 Lines • Show All 53 Lines • ▼ Show 20 Lines	return (AI.getAllocatedType()->isSized() &&
// Promotable allocas are common under -O0.		// Promotable allocas are common under -O0.
(!ClSkipPromotableAllocas \|\| !isAllocaPromotable(&AI)));		(!ClSkipPromotableAllocas \|\| !isAllocaPromotable(&AI)));
}		}

/// If I is an interesting memory access, return the PointerOperand		/// If I is an interesting memory access, return the PointerOperand
/// and set IsWrite/Alignment. Otherwise return nullptr.		/// and set IsWrite/Alignment. Otherwise return nullptr.
Value AddressSanitizer::isInterestingMemoryAccess(Instruction I,		Value AddressSanitizer::isInterestingMemoryAccess(Instruction I,
bool *IsWrite,		bool *IsWrite,
		uint64_t *TypeSize,
unsigned *Alignment) const {		unsigned *Alignment) const {
// Skip memory accesses inserted by another instrumentation.		// Skip memory accesses inserted by another instrumentation.
if (I->getMetadata("nosanitize"))		if (I->getMetadata("nosanitize"))
return nullptr;		return nullptr;

Value *PtrOperand = nullptr;		Value *PtrOperand = nullptr;
if (LoadInst *LI = dyn_cast<LoadInst>(I)) {		if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
if (!ClInstrumentReads) return nullptr;		if (!ClInstrumentReads)
		return nullptr;
*IsWrite = false;		*IsWrite = false;
		*TypeSize = DL->getTypeStoreSizeInBits(LI->getType());
*Alignment = LI->getAlignment();		*Alignment = LI->getAlignment();
PtrOperand = LI->getPointerOperand();		PtrOperand = LI->getPointerOperand();
} else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {		} else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
if (!ClInstrumentWrites) return nullptr;		if (!ClInstrumentWrites)
		return nullptr;
*IsWrite = true;		*IsWrite = true;
		*TypeSize = DL->getTypeStoreSizeInBits(SI->getValueOperand()->getType());
*Alignment = SI->getAlignment();		*Alignment = SI->getAlignment();
PtrOperand = SI->getPointerOperand();		PtrOperand = SI->getPointerOperand();
} else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {		} else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(I)) {
if (!ClInstrumentAtomics) return nullptr;		if (!ClInstrumentAtomics)
		return nullptr;
*IsWrite = true;		*IsWrite = true;
		*TypeSize = DL->getTypeStoreSizeInBits(RMW->getValOperand()->getType());
*Alignment = 0;		*Alignment = 0;
PtrOperand = RMW->getPointerOperand();		PtrOperand = RMW->getPointerOperand();
} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {		} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(I)) {
if (!ClInstrumentAtomics) return nullptr;		if (!ClInstrumentAtomics)
		return nullptr;
*IsWrite = true;		*IsWrite = true;
		*TypeSize =
		DL->getTypeStoreSizeInBits(XCHG->getCompareOperand()->getType());
*Alignment = 0;		*Alignment = 0;
PtrOperand = XCHG->getPointerOperand();		PtrOperand = XCHG->getPointerOperand();
}		}

// Treat memory accesses to promotable allocas as non-interesting since they		// Treat memory accesses to promotable allocas as non-interesting since they
// will not cause memory violations. This greatly speeds up the instrumented		// will not cause memory violations. This greatly speeds up the instrumented
// executable at -O0.		// executable at -O0.
if (ClSkipPromotableAllocas)		if (ClSkipPromotableAllocas)
Show All 17 Lines	static bool isInterestingPointerComparisonOrSubtraction(Instruction *I) {
} else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) {		} else if (BinaryOperator *BO = dyn_cast<BinaryOperator>(I)) {
if (BO->getOpcode() != Instruction::Sub)		if (BO->getOpcode() != Instruction::Sub)
return false;		return false;
} else {		} else {
return false;		return false;
}		}
if (!isPointerOperand(I->getOperand(0)) \|\|		if (!isPointerOperand(I->getOperand(0)) \|\|
!isPointerOperand(I->getOperand(1)))		!isPointerOperand(I->getOperand(1)))
return false;		return false;
return true;		return true;
}		}

bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {		bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {
// If a global variable does not have dynamic initialization we don't		// If a global variable does not have dynamic initialization we don't
// have to instrument it. However, if a global does not have initializer		// have to instrument it. However, if a global does not have initializer
// at all, we assume it has dynamic initializer (in other TU).		// at all, we assume it has dynamic initializer (in other TU).
return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit;		return G->hasInitializer() && !GlobalsMD.get(G).IsDynInit;
}		}

void		void AddressSanitizer::instrumentPointerComparisonOrSubtraction(
AddressSanitizer::instrumentPointerComparisonOrSubtraction(Instruction *I) {		Instruction *I) {
IRBuilder<> IRB(I);		IRBuilder<> IRB(I);
Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction;		Function *F = isa<ICmpInst>(I) ? AsanPtrCmpFunction : AsanPtrSubFunction;
Value *Param[2] = {I->getOperand(0), I->getOperand(1)};		Value *Param[2] = {I->getOperand(0), I->getOperand(1)};
for (int i = 0; i < 2; i++) {		for (int i = 0; i < 2; i++) {
if (Param[i]->getType()->isPointerTy())		if (Param[i]->getType()->isPointerTy())
Param[i] = IRB.CreatePointerCast(Param[i], IntptrTy);		Param[i] = IRB.CreatePointerCast(Param[i], IntptrTy);
}		}
IRB.CreateCall2(F, Param[0], Param[1]);		IRB.CreateCall2(F, Param[0], Param[1]);
}		}

void AddressSanitizer::instrumentMop(Instruction *I, bool UseCalls) {		void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
		Instruction *I, bool UseCalls) {
bool IsWrite = false;		bool IsWrite = false;
unsigned Alignment = 0;		unsigned Alignment = 0;
Value *Addr = isInterestingMemoryAccess(I, &IsWrite, &Alignment);		uint64_t TypeSize = 0;
		Value *Addr = isInterestingMemoryAccess(I, &IsWrite, &TypeSize, &Alignment);
assert(Addr);		assert(Addr);

if (ClOpt && ClOptGlobals) {		if (ClOpt && ClOptGlobals) {
if (GlobalVariable *G = dyn_cast<GlobalVariable>(Addr)) {
// If initialization order checking is disabled, a simple access to a		// If initialization order checking is disabled, a simple access to a
// dynamically initialized global is always valid.		// dynamically initialized global is always valid.
if (!ClInitializers \|\| GlobalIsLinkerInitialized(G)) {		GlobalVariable *G =
		dyn_cast<GlobalVariable>(GetUnderlyingObject(Addr, nullptr));
		if (G != NULL && (!ClInitializers \|\| GlobalIsLinkerInitialized(G)) &&
		isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
NumOptimizedAccessesToGlobalVar++;		NumOptimizedAccessesToGlobalVar++;
return;		return;
}		}
}		}
ConstantExpr *CE = dyn_cast<ConstantExpr>(Addr);
if (CE && CE->isGEPWithNoNotionalOverIndexing()) {		if (ClOpt && ClOptStack) {
if (GlobalVariable *G = dyn_cast<GlobalVariable>(CE->getOperand(0))) {		// A direct inbounds access to a stack variable is always valid.
		kccUnsubmitted Not Done Reply Inline Actions mega cool. Let's put it under a flag e.g. asan-opt-stack-inbounds (off by default) and play with it more. kcc: mega cool. Let's put it under a flag e.g. asan-opt-stack-inbounds (off by default) and play…
		dvyukovAuthorUnsubmitted Not Done Reply Inline Actions Is it possible to make it work correctly? I am lost in all possible llvm predicates and their meaning. I don't understand how "int x[10]; x[12] = 1" can be an "in bounds constant offset". dvyukov: Is it possible to make it work correctly? I am lost in all possible llvm predicates and their…
if (CE->getOperand(1)->isNullValue() && GlobalIsLinkerInitialized(G)) {		if (isa<AllocaInst>(GetUnderlyingObject(Addr, nullptr)) &&
NumOptimizedAccessesToGlobalArray++;		isSafeAccess(ObjSizeVis, Addr, TypeSize)) {
		NumOptimizedAccessesToStackVar++;
return;		return;
		kccUnsubmitted Not Done Reply Inline Actions remove this then? kcc: remove this then?
}		}
}		}
}
}

Type *OrigPtrTy = Addr->getType();
Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType();

assert(OrigTy->isSized());
uint32_t TypeSize = DL->getTypeStoreSizeInBits(OrigTy);

assert((TypeSize % 8) == 0);

if (IsWrite)		if (IsWrite)
NumInstrumentedWrites++;		NumInstrumentedWrites++;
else		else
NumInstrumentedReads++;		NumInstrumentedReads++;

unsigned Granularity = 1 << Mapping.Scale;		unsigned Granularity = 1 << Mapping.Scale;
// Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check		// Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check
Show All 9 Lines	void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
IRBuilder<> IRB(I);		IRBuilder<> IRB(I);
Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8);		Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8);
Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);		Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
if (UseCalls) {		if (UseCalls) {
IRB.CreateCall2(AsanMemoryAccessCallbackSized[IsWrite], AddrLong, Size);		IRB.CreateCall2(AsanMemoryAccessCallbackSized[IsWrite], AddrLong, Size);
} else {		} else {
Value *LastByte = IRB.CreateIntToPtr(		Value *LastByte = IRB.CreateIntToPtr(
IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)),		IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)),
OrigPtrTy);		Addr->getType());
instrumentAddress(I, I, Addr, 8, IsWrite, Size, false);		instrumentAddress(I, I, Addr, 8, IsWrite, Size, false);
instrumentAddress(I, I, LastByte, 8, IsWrite, Size, false);		instrumentAddress(I, I, LastByte, 8, IsWrite, Size, false);
}		}
}		}

// Validate the result of Module::getOrInsertFunction called for an interface		// Validate the result of Module::getOrInsertFunction called for an interface
// function of AddressSanitizer. If the instrumented module defines a function		// function of AddressSanitizer. If the instrumented module defines a function
// with the same name, their prototypes must match, otherwise		// with the same name, their prototypes must match, otherwise
// getOrInsertFunction returns a bitcast.		// getOrInsertFunction returns a bitcast.
static Function checkInterfaceFunction(Constant FuncOrBitcast) {		static Function checkInterfaceFunction(Constant FuncOrBitcast) {
if (isa<Function>(FuncOrBitcast)) return cast<Function>(FuncOrBitcast);		if (isa<Function>(FuncOrBitcast))
		return cast<Function>(FuncOrBitcast);
FuncOrBitcast->dump();		FuncOrBitcast->dump();
report_fatal_error("trying to redefine an AddressSanitizer "		report_fatal_error("trying to redefine an AddressSanitizer "
"interface function");		"interface function");
}		}

Instruction *AddressSanitizer::generateCrashCode(		Instruction AddressSanitizer::generateCrashCode(Instruction InsertBefore,
Instruction InsertBefore, Value Addr,		Value *Addr, bool IsWrite,
bool IsWrite, size_t AccessSizeIndex, Value *SizeArgument) {		size_t AccessSizeIndex,
		Value *SizeArgument) {
IRBuilder<> IRB(InsertBefore);		IRBuilder<> IRB(InsertBefore);
CallInst *Call = SizeArgument		CallInst *Call =
		SizeArgument
? IRB.CreateCall2(AsanErrorCallbackSized[IsWrite], Addr, SizeArgument)		? IRB.CreateCall2(AsanErrorCallbackSized[IsWrite], Addr, SizeArgument)
: IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], Addr);		: IRB.CreateCall(AsanErrorCallback[IsWrite][AccessSizeIndex], Addr);

// We don't do Call->setDoesNotReturn() because the BB already has		// We don't do Call->setDoesNotReturn() because the BB already has
// UnreachableInst at the end.		// UnreachableInst at the end.
// This EmptyAsm is required to avoid callback merge.		// This EmptyAsm is required to avoid callback merge.
IRB.CreateCall(EmptyAsm);		IRB.CreateCall(EmptyAsm);
return Call;		return Call;
}		}

Value AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,		Value AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,
Value *ShadowValue,		Value *ShadowValue,
uint32_t TypeSize) {		uint32_t TypeSize) {
size_t Granularity = 1 << Mapping.Scale;		size_t Granularity = 1 << Mapping.Scale;
// Addr & (Granularity - 1)		// Addr & (Granularity - 1)
Value *LastAccessedByte = IRB.CreateAnd(		Value *LastAccessedByte =
AddrLong, ConstantInt::get(IntptrTy, Granularity - 1));		IRB.CreateAnd(AddrLong, ConstantInt::get(IntptrTy, Granularity - 1));
// (Addr & (Granularity - 1)) + size - 1		// (Addr & (Granularity - 1)) + size - 1
if (TypeSize / 8 > 1)		if (TypeSize / 8 > 1)
LastAccessedByte = IRB.CreateAdd(		LastAccessedByte = IRB.CreateAdd(
LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1));		LastAccessedByte, ConstantInt::get(IntptrTy, TypeSize / 8 - 1));
// (uint8_t) ((Addr & (Granularity-1)) + size - 1)		// (uint8_t) ((Addr & (Granularity-1)) + size - 1)
LastAccessedByte = IRB.CreateIntCast(		LastAccessedByte =
LastAccessedByte, ShadowValue->getType(), false);		IRB.CreateIntCast(LastAccessedByte, ShadowValue->getType(), false);
// ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue		// ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue
return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue);		return IRB.CreateICmpSGE(LastAccessedByte, ShadowValue);
}		}

void AddressSanitizer::instrumentAddress(Instruction *OrigIns,		void AddressSanitizer::instrumentAddress(Instruction *OrigIns,
Instruction InsertBefore, Value Addr,		Instruction InsertBefore, Value Addr,
uint32_t TypeSize, bool IsWrite,		uint32_t TypeSize, bool IsWrite,
Value *SizeArgument, bool UseCalls) {		Value *SizeArgument, bool UseCalls) {
IRBuilder<> IRB(InsertBefore);		IRBuilder<> IRB(InsertBefore);
Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);		Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize);		size_t AccessSizeIndex = TypeSizeToSizeIndex(TypeSize);

if (UseCalls) {		if (UseCalls) {
IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][AccessSizeIndex],		IRB.CreateCall(AsanMemoryAccessCallback[IsWrite][AccessSizeIndex],
AddrLong);		AddrLong);
return;		return;
}		}

Type *ShadowTy = IntegerType::get(		Type *ShadowTy =
*C, std::max(8U, TypeSize >> Mapping.Scale));		IntegerType::get(*C, std::max(8U, TypeSize >> Mapping.Scale));
Type *ShadowPtrTy = PointerType::get(ShadowTy, 0);		Type *ShadowPtrTy = PointerType::get(ShadowTy, 0);
Value *ShadowPtr = memToShadow(AddrLong, IRB);		Value *ShadowPtr = memToShadow(AddrLong, IRB);
Value *CmpVal = Constant::getNullValue(ShadowTy);		Value *CmpVal = Constant::getNullValue(ShadowTy);
Value *ShadowValue = IRB.CreateLoad(		Value *ShadowValue =
IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy));		IRB.CreateLoad(IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy));

Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal);		Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal);
size_t Granularity = 1 << Mapping.Scale;		size_t Granularity = 1 << Mapping.Scale;
TerminatorInst *CrashTerm = nullptr;		TerminatorInst *CrashTerm = nullptr;

if (ClAlwaysSlowPath \|\| (TypeSize < 8 * Granularity)) {		if (ClAlwaysSlowPath \|\| (TypeSize < 8 * Granularity)) {
// We use branch weights for the slow path check, to indicate that the slow		// We use branch weights for the slow path check, to indicate that the slow
// path is rarely taken. This seems to be the case for SPEC benchmarks.		// path is rarely taken. This seems to be the case for SPEC benchmarks.
TerminatorInst *CheckTerm =		TerminatorInst *CheckTerm = SplitBlockAndInsertIfThen(
SplitBlockAndInsertIfThen(Cmp, InsertBefore, false,		Cmp, InsertBefore, false, MDBuilder(*C).createBranchWeights(1, 100000));
MDBuilder(*C).createBranchWeights(1, 100000));
assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional());		assert(dyn_cast<BranchInst>(CheckTerm)->isUnconditional());
BasicBlock *NextBB = CheckTerm->getSuccessor(0);		BasicBlock *NextBB = CheckTerm->getSuccessor(0);
IRB.SetInsertPoint(CheckTerm);		IRB.SetInsertPoint(CheckTerm);
Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize);		Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeSize);
BasicBlock *CrashBlock =		BasicBlock *CrashBlock =
BasicBlock::Create(*C, "", NextBB->getParent(), NextBB);		BasicBlock::Create(*C, "", NextBB->getParent(), NextBB);
CrashTerm = new UnreachableInst(*C, CrashBlock);		CrashTerm = new UnreachableInst(*C, CrashBlock);
BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2);		BranchInst *NewTerm = BranchInst::Create(CrashBlock, NextBB, Cmp2);
ReplaceInstWithInst(CheckTerm, NewTerm);		ReplaceInstWithInst(CheckTerm, NewTerm);
} else {		} else {
CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, true);		CrashTerm = SplitBlockAndInsertIfThen(Cmp, InsertBefore, true);
}		}

Instruction *Crash = generateCrashCode(		Instruction *Crash = generateCrashCode(CrashTerm, AddrLong, IsWrite,
CrashTerm, AddrLong, IsWrite, AccessSizeIndex, SizeArgument);		AccessSizeIndex, SizeArgument);
Crash->setDebugLoc(OrigIns->getDebugLoc());		Crash->setDebugLoc(OrigIns->getDebugLoc());
}		}

void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit,		void AddressSanitizerModule::poisonOneInitializer(Function &GlobalInit,
GlobalValue *ModuleName) {		GlobalValue *ModuleName) {
// Set up the arguments to our poison/unpoison functions.		// Set up the arguments to our poison/unpoison functions.
IRBuilder<> IRB(GlobalInit.begin()->getFirstInsertionPt());		IRBuilder<> IRB(GlobalInit.begin()->getFirstInsertionPt());

Show All 13 Lines	void AddressSanitizerModule::createInitializerPoisonCalls(

ConstantArray *CA = cast<ConstantArray>(GV->getInitializer());		ConstantArray *CA = cast<ConstantArray>(GV->getInitializer());
for (Use &OP : CA->operands()) {		for (Use &OP : CA->operands()) {
if (isa<ConstantAggregateZero>(OP))		if (isa<ConstantAggregateZero>(OP))
continue;		continue;
ConstantStruct *CS = cast<ConstantStruct>(OP);		ConstantStruct *CS = cast<ConstantStruct>(OP);

// Must have a function or null ptr.		// Must have a function or null ptr.
if (Function* F = dyn_cast<Function>(CS->getOperand(1))) {		if (Function *F = dyn_cast<Function>(CS->getOperand(1))) {
if (F->getName() == kAsanModuleCtorName) continue;		if (F->getName() == kAsanModuleCtorName)
		continue;
ConstantInt *Priority = dyn_cast<ConstantInt>(CS->getOperand(0));		ConstantInt *Priority = dyn_cast<ConstantInt>(CS->getOperand(0));
// Don't instrument CTORs that will run before asan.module_ctor.		// Don't instrument CTORs that will run before asan.module_ctor.
if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority) continue;		if (Priority->getLimitedValue() <= kAsanCtorAndDtorPriority)
		continue;
poisonOneInitializer(*F, ModuleName);		poisonOneInitializer(*F, ModuleName);
}		}
}		}
}		}

bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) {		bool AddressSanitizerModule::ShouldInstrumentGlobal(GlobalVariable *G) {
Type *Ty = cast<PointerType>(G->getType())->getElementType();		Type *Ty = cast<PointerType>(G->getType())->getElementType();
DEBUG(dbgs() << "GLOBAL: " << *G << "\n");		DEBUG(dbgs() << "GLOBAL: " << *G << "\n");

if (GlobalsMD.get(G).IsBlacklisted) return false;		if (GlobalsMD.get(G).IsBlacklisted)
if (!Ty->isSized()) return false;		return false;
if (!G->hasInitializer()) return false;		if (!Ty->isSized())
if (GlobalWasGeneratedByAsan(G)) return false; // Our own global.		return false;
		if (!G->hasInitializer())
		return false;
		if (GlobalWasGeneratedByAsan(G))
		return false; // Our own global.
// Touch only those globals that will not be defined in other modules.		// Touch only those globals that will not be defined in other modules.
// Don't handle ODR linkage types and COMDATs since other modules may be built		// Don't handle ODR linkage types and COMDATs since other modules may be built
// without ASan.		// without ASan.
if (G->getLinkage() != GlobalVariable::ExternalLinkage &&		if (G->getLinkage() != GlobalVariable::ExternalLinkage &&
G->getLinkage() != GlobalVariable::PrivateLinkage &&		G->getLinkage() != GlobalVariable::PrivateLinkage &&
G->getLinkage() != GlobalVariable::InternalLinkage)		G->getLinkage() != GlobalVariable::InternalLinkage)
return false;		return false;
if (G->hasComdat())		if (G->hasComdat())
return false;		return false;
// Two problems with thread-locals:		// Two problems with thread-locals:
// - The address of the main thread's copy can't be computed at link-time.		// - The address of the main thread's copy can't be computed at link-time.
// - Need to poison all copies, not just the main thread's one.		// - Need to poison all copies, not just the main thread's one.
if (G->isThreadLocal())		if (G->isThreadLocal())
return false;		return false;
// For now, just ignore this Global if the alignment is large.		// For now, just ignore this Global if the alignment is large.
if (G->getAlignment() > MinRedzoneSizeForGlobal()) return false;		if (G->getAlignment() > MinRedzoneSizeForGlobal())
		return false;

if (G->hasSection()) {		if (G->hasSection()) {
StringRef Section(G->getSection());		StringRef Section(G->getSection());

if (TargetTriple.isOSBinFormatMachO()) {		if (TargetTriple.isOSBinFormatMachO()) {
StringRef ParsedSegment, ParsedSection;		StringRef ParsedSegment, ParsedSection;
unsigned TAA = 0, StubSize = 0;		unsigned TAA = 0, StubSize = 0;
bool TAAParsed;		bool TAAParsed;
std::string ErrorCode =		std::string ErrorCode = MCSectionMachO::ParseSectionSpecifier(
MCSectionMachO::ParseSectionSpecifier(Section, ParsedSegment,		Section, ParsedSegment, ParsedSection, TAA, TAAParsed, StubSize);
ParsedSection, TAA, TAAParsed,
StubSize);
if (!ErrorCode.empty()) {		if (!ErrorCode.empty()) {
report_fatal_error("Invalid section specifier '" + ParsedSection +		report_fatal_error("Invalid section specifier '" + ParsedSection +
"': " + ErrorCode + ".");		"': " + ErrorCode + ".");
}		}

// Ignore the globals from the __OBJC section. The ObjC runtime assumes		// Ignore the globals from the __OBJC section. The ObjC runtime assumes
// those conform to /usr/lib/objc/runtime.h, so we can't add redzones to		// those conform to /usr/lib/objc/runtime.h, so we can't add redzones to
// them.		// them.
Show All 27 Lines	if (G->hasSection()) {
// See https://code.google.com/p/address-sanitizer/issues/detail?id=305		// See https://code.google.com/p/address-sanitizer/issues/detail?id=305
// and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx		// and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx
if (Section.startswith(".CRT")) {		if (Section.startswith(".CRT")) {
DEBUG(dbgs() << "Ignoring a global initializer callback: " << *G << "\n");		DEBUG(dbgs() << "Ignoring a global initializer callback: " << *G << "\n");
return false;		return false;
}		}

// Globals from llvm.metadata aren't emitted, do not instrument them.		// Globals from llvm.metadata aren't emitted, do not instrument them.
if (Section == "llvm.metadata") return false;		if (Section == "llvm.metadata")
		return false;
}		}

return true;		return true;
}		}

void AddressSanitizerModule::initializeCallbacks(Module &M) {		void AddressSanitizerModule::initializeCallbacks(Module &M) {
IRBuilder<> IRB(*C);		IRBuilder<> IRB(*C);
// Declare our poisoning and unpoisoning functions.		// Declare our poisoning and unpoisoning functions.
AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction(		AsanPoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction(
kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, nullptr));		kAsanPoisonGlobalsName, IRB.getVoidTy(), IntptrTy, nullptr));
AsanPoisonGlobals->setLinkage(Function::ExternalLinkage);		AsanPoisonGlobals->setLinkage(Function::ExternalLinkage);
AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction(		AsanUnpoisonGlobals = checkInterfaceFunction(M.getOrInsertFunction(
kAsanUnpoisonGlobalsName, IRB.getVoidTy(), nullptr));		kAsanUnpoisonGlobalsName, IRB.getVoidTy(), nullptr));
AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage);		AsanUnpoisonGlobals->setLinkage(Function::ExternalLinkage);
// Declare functions that register/unregister globals.		// Declare functions that register/unregister globals.
AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction(		AsanRegisterGlobals = checkInterfaceFunction(M.getOrInsertFunction(
kAsanRegisterGlobalsName, IRB.getVoidTy(),		kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
IntptrTy, IntptrTy, nullptr));
AsanRegisterGlobals->setLinkage(Function::ExternalLinkage);		AsanRegisterGlobals->setLinkage(Function::ExternalLinkage);
AsanUnregisterGlobals = checkInterfaceFunction(M.getOrInsertFunction(		AsanUnregisterGlobals = checkInterfaceFunction(
kAsanUnregisterGlobalsName,		M.getOrInsertFunction(kAsanUnregisterGlobalsName, IRB.getVoidTy(),
IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));		IntptrTy, IntptrTy, nullptr));
AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage);		AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage);
}		}

// This function replaces all global variables with new variables that have		// This function replaces all global variables with new variables that have
// trailing redzones. It also creates a function that poisons		// trailing redzones. It also creates a function that poisons
// redzones and inserts this function into llvm.global_ctors.		// redzones and inserts this function into llvm.global_ctors.
bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M) {		bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M) {
GlobalsMD.init(M);		GlobalsMD.init(M);

SmallVector<GlobalVariable *, 16> GlobalsToChange;		SmallVector<GlobalVariable *, 16> GlobalsToChange;

for (auto &G : M.globals()) {		for (auto &G : M.globals()) {
if (ShouldInstrumentGlobal(&G))		if (ShouldInstrumentGlobal(&G))
GlobalsToChange.push_back(&G);		GlobalsToChange.push_back(&G);
}		}

size_t n = GlobalsToChange.size();		size_t n = GlobalsToChange.size();
if (n == 0) return false;		if (n == 0)
		return false;

// A global is described by a structure		// A global is described by a structure
// size_t beg;		// size_t beg;
// size_t size;		// size_t size;
// size_t size_with_redzone;		// size_t size_with_redzone;
// const char *name;		// const char *name;
// const char *module_name;		// const char *module_name;
// size_t has_dynamic_init;		// size_t has_dynamic_init;
// void *source_location;		// void *source_location;
// We initialize an array of such structures and pass it to a run-time call.		// We initialize an array of such structures and pass it to a run-time call.
StructType *GlobalStructTy =		StructType *GlobalStructTy =
StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy,		StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy,
IntptrTy, IntptrTy, nullptr);		IntptrTy, IntptrTy, nullptr);
SmallVector<Constant *, 16> Initializers(n);		SmallVector<Constant *, 16> Initializers(n);

bool HasDynamicallyInitializedGlobals = false;		bool HasDynamicallyInitializedGlobals = false;

// We shouldn't merge same module names, as this string serves as unique		// We shouldn't merge same module names, as this string serves as unique
// module ID in runtime.		// module ID in runtime.
GlobalVariable *ModuleName = createPrivateGlobalForString(		GlobalVariable *ModuleName = createPrivateGlobalForString(
M, M.getModuleIdentifier(), /AllowMerging/false);		M, M.getModuleIdentifier(), /AllowMerging/ false);

for (size_t i = 0; i < n; i++) {		for (size_t i = 0; i < n; i++) {
static const uint64_t kMaxGlobalRedzone = 1 << 18;		static const uint64_t kMaxGlobalRedzone = 1 << 18;
GlobalVariable *G = GlobalsToChange[i];		GlobalVariable *G = GlobalsToChange[i];

auto MD = GlobalsMD.get(G);		auto MD = GlobalsMD.get(G);
// Create string holding the global name (use global name from metadata		// Create string holding the global name (use global name from metadata
// if it's available, otherwise just write the name of global variable).		// if it's available, otherwise just write the name of global variable).
GlobalVariable *Name = createPrivateGlobalForString(		GlobalVariable *Name = createPrivateGlobalForString(
M, MD.Name.empty() ? G->getName() : MD.Name,		M, MD.Name.empty() ? G->getName() : MD.Name,
/AllowMerging/ true);		/AllowMerging/ true);

PointerType *PtrTy = cast<PointerType>(G->getType());		PointerType *PtrTy = cast<PointerType>(G->getType());
Type *Ty = PtrTy->getElementType();		Type *Ty = PtrTy->getElementType();
uint64_t SizeInBytes = DL->getTypeAllocSize(Ty);		uint64_t SizeInBytes = DL->getTypeAllocSize(Ty);
uint64_t MinRZ = MinRedzoneSizeForGlobal();		uint64_t MinRZ = MinRedzoneSizeForGlobal();
// MinRZ <= RZ <= kMaxGlobalRedzone		// MinRZ <= RZ <= kMaxGlobalRedzone
// and trying to make RZ to be ~ 1/4 of SizeInBytes.		// and trying to make RZ to be ~ 1/4 of SizeInBytes.
uint64_t RZ = std::max(MinRZ,		uint64_t RZ = std::max(
std::min(kMaxGlobalRedzone,		MinRZ, std::min(kMaxGlobalRedzone, (SizeInBytes / MinRZ / 4) * MinRZ));
(SizeInBytes / MinRZ / 4) * MinRZ));
uint64_t RightRedzoneSize = RZ;		uint64_t RightRedzoneSize = RZ;
// Round up to MinRZ		// Round up to MinRZ
if (SizeInBytes % MinRZ)		if (SizeInBytes % MinRZ)
RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ);		RightRedzoneSize += MinRZ - (SizeInBytes % MinRZ);
assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0);		assert(((RightRedzoneSize + SizeInBytes) % MinRZ) == 0);
Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize);		Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize);

StructType *NewTy = StructType::get(Ty, RightRedZoneTy, nullptr);		StructType *NewTy = StructType::get(Ty, RightRedZoneTy, nullptr);
Constant *NewInitializer = ConstantStruct::get(		Constant *NewInitializer =
NewTy, G->getInitializer(),		ConstantStruct::get(NewTy, G->getInitializer(),
Constant::getNullValue(RightRedZoneTy), nullptr);		Constant::getNullValue(RightRedZoneTy), nullptr);

// Create a new global variable with enough space for a redzone.		// Create a new global variable with enough space for a redzone.
GlobalValue::LinkageTypes Linkage = G->getLinkage();		GlobalValue::LinkageTypes Linkage = G->getLinkage();
if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage)		if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage)
Linkage = GlobalValue::InternalLinkage;		Linkage = GlobalValue::InternalLinkage;
GlobalVariable *NewGlobal = new GlobalVariable(		GlobalVariable *NewGlobal =
M, NewTy, G->isConstant(), Linkage,		new GlobalVariable(M, NewTy, G->isConstant(), Linkage, NewInitializer,
NewInitializer, "", G, G->getThreadLocalMode());		"", G, G->getThreadLocalMode());
NewGlobal->copyAttributesFrom(G);		NewGlobal->copyAttributesFrom(G);
NewGlobal->setAlignment(MinRZ);		NewGlobal->setAlignment(MinRZ);

Value *Indices2[2];		Value *Indices2[2];
Indices2[0] = IRB.getInt32(0);		Indices2[0] = IRB.getInt32(0);
Indices2[1] = IRB.getInt32(0);		Indices2[1] = IRB.getInt32(0);

G->replaceAllUsesWith(		G->replaceAllUsesWith(
Show All 32 Lines	bool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M) {
if (HasDynamicallyInitializedGlobals)		if (HasDynamicallyInitializedGlobals)
createInitializerPoisonCalls(M, ModuleName);		createInitializerPoisonCalls(M, ModuleName);
IRB.CreateCall2(AsanRegisterGlobals,		IRB.CreateCall2(AsanRegisterGlobals,
IRB.CreatePointerCast(AllGlobals, IntptrTy),		IRB.CreatePointerCast(AllGlobals, IntptrTy),
ConstantInt::get(IntptrTy, n));		ConstantInt::get(IntptrTy, n));

// We also need to unregister globals at the end, e.g. when a shared library		// We also need to unregister globals at the end, e.g. when a shared library
// gets closed.		// gets closed.
Function *AsanDtorFunction = Function::Create(		Function *AsanDtorFunction =
FunctionType::get(Type::getVoidTy(*C), false),		Function::Create(FunctionType::get(Type::getVoidTy(*C), false),
GlobalValue::InternalLinkage, kAsanModuleDtorName, &M);		GlobalValue::InternalLinkage, kAsanModuleDtorName, &M);
BasicBlock AsanDtorBB = BasicBlock::Create(C, "", AsanDtorFunction);		BasicBlock AsanDtorBB = BasicBlock::Create(C, "", AsanDtorFunction);
IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB));		IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB));
IRB_Dtor.CreateCall2(AsanUnregisterGlobals,		IRB_Dtor.CreateCall2(AsanUnregisterGlobals,
IRB.CreatePointerCast(AllGlobals, IntptrTy),		IRB.CreatePointerCast(AllGlobals, IntptrTy),
ConstantInt::get(IntptrTy, n));		ConstantInt::get(IntptrTy, n));
appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority);		appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndDtorPriority);

DEBUG(dbgs() << M);		DEBUG(dbgs() << M);
Show All 39 Lines	for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
IRB.getVoidTy(), IntptrTy, nullptr));		IRB.getVoidTy(), IntptrTy, nullptr));
AsanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] =		AsanMemoryAccessCallback[AccessIsWrite][AccessSizeIndex] =
checkInterfaceFunction(		checkInterfaceFunction(
M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + Suffix,		M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + Suffix,
IRB.getVoidTy(), IntptrTy, nullptr));		IRB.getVoidTy(), IntptrTy, nullptr));
}		}
}		}
AsanErrorCallbackSized[0] = checkInterfaceFunction(M.getOrInsertFunction(		AsanErrorCallbackSized[0] = checkInterfaceFunction(M.getOrInsertFunction(
kAsanReportLoadN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));		kAsanReportLoadN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
AsanErrorCallbackSized[1] = checkInterfaceFunction(M.getOrInsertFunction(		AsanErrorCallbackSized[1] = checkInterfaceFunction(M.getOrInsertFunction(
kAsanReportStoreN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));		kAsanReportStoreN, IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));

AsanMemoryAccessCallbackSized[0] = checkInterfaceFunction(		AsanMemoryAccessCallbackSized[0] = checkInterfaceFunction(
M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "loadN",		M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "loadN",
IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));		IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
AsanMemoryAccessCallbackSized[1] = checkInterfaceFunction(		AsanMemoryAccessCallbackSized[1] = checkInterfaceFunction(
M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "storeN",		M.getOrInsertFunction(ClMemoryAccessCallbackPrefix + "storeN",
IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));		IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));

Show All 30 Lines	bool AddressSanitizer::doInitialization(Module &M) {

GlobalsMD.init(M);		GlobalsMD.init(M);

C = &(M.getContext());		C = &(M.getContext());
LongSize = DL->getPointerSizeInBits();		LongSize = DL->getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize);		IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple());		TargetTriple = Triple(M.getTargetTriple());

AsanCtorFunction = Function::Create(		AsanCtorFunction =
FunctionType::get(Type::getVoidTy(*C), false),		Function::Create(FunctionType::get(Type::getVoidTy(*C), false),
GlobalValue::InternalLinkage, kAsanModuleCtorName, &M);		GlobalValue::InternalLinkage, kAsanModuleCtorName, &M);
BasicBlock AsanCtorBB = BasicBlock::Create(C, "", AsanCtorFunction);		BasicBlock AsanCtorBB = BasicBlock::Create(C, "", AsanCtorFunction);
// call __asan_init in the module ctor.		// call __asan_init in the module ctor.
IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB));		IRBuilder<> IRB(ReturnInst::Create(*C, AsanCtorBB));
AsanInitFunction = checkInterfaceFunction(		AsanInitFunction = checkInterfaceFunction(
M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), nullptr));		M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), nullptr));
AsanInitFunction->setLinkage(Function::ExternalLinkage);		AsanInitFunction->setLinkage(Function::ExternalLinkage);
IRB.CreateCall(AsanInitFunction);		IRB.CreateCall(AsanInitFunction);

Show All 15 Lines	if (F.getName().find(" load]") != std::string::npos) {
IRBuilder<> IRB(F.begin()->begin());		IRBuilder<> IRB(F.begin()->begin());
IRB.CreateCall(AsanInitFunction);		IRB.CreateCall(AsanInitFunction);
return true;		return true;
}		}
return false;		return false;
}		}

bool AddressSanitizer::runOnFunction(Function &F) {		bool AddressSanitizer::runOnFunction(Function &F) {
if (&F == AsanCtorFunction) return false;		if (&F == AsanCtorFunction)
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return false;		return false;
		if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage)
		return false;
DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");		DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
initializeCallbacks(*F.getParent());		initializeCallbacks(*F.getParent());

DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();		DT = &getAnalysis<DominatorTreeWrapperPass>().getDomTree();

// If needed, insert __asan_init before checking for SanitizeAddress attr.		// If needed, insert __asan_init before checking for SanitizeAddress attr.
maybeInsertAsanInitAtFunctionEntry(F);		maybeInsertAsanInitAtFunctionEntry(F);

if (!F.hasFnAttribute(Attribute::SanitizeAddress))		if (!F.hasFnAttribute(Attribute::SanitizeAddress))
return false;		return false;

if (!ClDebugFunc.empty() && ClDebugFunc != F.getName())		if (!ClDebugFunc.empty() && ClDebugFunc != F.getName())
return false;		return false;

// We want to instrument every address only once per basic block (unless there		// We want to instrument every address only once per basic block (unless there
// are calls between uses).		// are calls between uses).
SmallSet<Value*, 16> TempsToInstrument;		SmallSet<Value *, 16> TempsToInstrument;
SmallVector<Instruction*, 16> ToInstrument;		SmallVector<Instruction *, 16> ToInstrument;
SmallVector<Instruction*, 8> NoReturnCalls;		SmallVector<Instruction *, 8> NoReturnCalls;
SmallVector<BasicBlock*, 16> AllBlocks;		SmallVector<BasicBlock *, 16> AllBlocks;
SmallVector<Instruction*, 16> PointerComparisonsOrSubtracts;		SmallVector<Instruction *, 16> PointerComparisonsOrSubtracts;
int NumAllocas = 0;		int NumAllocas = 0;
bool IsWrite;		bool IsWrite;
unsigned Alignment;		unsigned Alignment;
		uint64_t TypeSize;

// Fill the set of memory operations to instrument.		// Fill the set of memory operations to instrument.
for (auto &BB : F) {		for (auto &BB : F) {
AllBlocks.push_back(&BB);		AllBlocks.push_back(&BB);
TempsToInstrument.clear();		TempsToInstrument.clear();
int NumInsnsPerBB = 0;		int NumInsnsPerBB = 0;
for (auto &Inst : BB) {		for (auto &Inst : BB) {
if (LooksLikeCodeInBug11395(&Inst)) return false;		if (LooksLikeCodeInBug11395(&Inst))
if (Value *Addr =		return false;
isInterestingMemoryAccess(&Inst, &IsWrite, &Alignment)) {		if (Value *Addr = isInterestingMemoryAccess(&Inst, &IsWrite, &TypeSize,
		&Alignment)) {
if (ClOpt && ClOptSameTemp) {		if (ClOpt && ClOptSameTemp) {
if (!TempsToInstrument.insert(Addr).second)		if (!TempsToInstrument.insert(Addr).second)
continue; // We've seen this temp in the current BB.		continue; // We've seen this temp in the current BB.
}		}
} else if (ClInvalidPointerPairs &&		} else if (ClInvalidPointerPairs &&
isInterestingPointerComparisonOrSubtraction(&Inst)) {		isInterestingPointerComparisonOrSubtraction(&Inst)) {
PointerComparisonsOrSubtracts.push_back(&Inst);		PointerComparisonsOrSubtracts.push_back(&Inst);
continue;		continue;
} else if (isa<MemIntrinsic>(Inst)) {		} else if (isa<MemIntrinsic>(Inst)) {
// ok, take it.		// ok, take it.
} else {		} else {
Show All 15 Lines	for (auto &BB : F) {
}		}
}		}

bool UseCalls = false;		bool UseCalls = false;
if (ClInstrumentationWithCallsThreshold >= 0 &&		if (ClInstrumentationWithCallsThreshold >= 0 &&
ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold)		ToInstrument.size() > (unsigned)ClInstrumentationWithCallsThreshold)
UseCalls = true;		UseCalls = true;

		const TargetLibraryInfo *TLI =
		&getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
		ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext(),
		zaks.annaUnsubmitted Not Done Reply Inline Actions /RoundToAlign=/true zaks.anna: /RoundToAlign=/true
		dvyukovAuthorUnsubmitted Not Done Reply Inline Actions done dvyukov: done
		/RoundToAlign=/true);

// Instrument.		// Instrument.
int NumInstrumented = 0;		int NumInstrumented = 0;
for (auto Inst : ToInstrument) {		for (auto Inst : ToInstrument) {
if (ClDebugMin < 0 \|\| ClDebugMax < 0 \|\|		if (ClDebugMin < 0 \|\| ClDebugMax < 0 \|\|
(NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) {		(NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) {
if (isInterestingMemoryAccess(Inst, &IsWrite, &Alignment))		if (isInterestingMemoryAccess(Inst, &IsWrite, &TypeSize, &Alignment))
instrumentMop(Inst, UseCalls);		instrumentMop(ObjSizeVis, Inst, UseCalls);
else		else
instrumentMemIntrinsic(cast<MemIntrinsic>(Inst));		instrumentMemIntrinsic(cast<MemIntrinsic>(Inst));
}		}
NumInstrumented++;		NumInstrumented++;
}		}

FunctionStackPoisoner FSP(F, *this);		FunctionStackPoisoner FSP(F, *this);
bool ChangedStack = FSP.runOnFunction();		bool ChangedStack = FSP.runOnFunction();
Show All 16 Lines	bool AddressSanitizer::runOnFunction(Function &F) {

return res;		return res;
}		}

// Workaround for bug 11395: we don't want to instrument stack in functions		// Workaround for bug 11395: we don't want to instrument stack in functions
// with large assembly blobs (32-bit only), otherwise reg alloc may crash.		// with large assembly blobs (32-bit only), otherwise reg alloc may crash.
// FIXME: remove once the bug 11395 is fixed.		// FIXME: remove once the bug 11395 is fixed.
bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {		bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
if (LongSize != 32) return false;		if (LongSize != 32)
		return false;
CallInst *CI = dyn_cast<CallInst>(I);		CallInst *CI = dyn_cast<CallInst>(I);
if (!CI \|\| !CI->isInlineAsm()) return false;		if (!CI \|\| !CI->isInlineAsm())
if (CI->getNumArgOperands() <= 5) return false;		return false;
		if (CI->getNumArgOperands() <= 5)
		return false;
// We have inline assembly with quite a few arguments.		// We have inline assembly with quite a few arguments.
return true;		return true;
}		}

void FunctionStackPoisoner::initializeCallbacks(Module &M) {		void FunctionStackPoisoner::initializeCallbacks(Module &M) {
IRBuilder<> IRB(*C);		IRBuilder<> IRB(*C);
for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) {		for (int i = 0; i <= kMaxAsanStackMallocSizeClass; i++) {
std::string Suffix = itostr(i);		std::string Suffix = itostr(i);
AsanStackMallocFunc[i] = checkInterfaceFunction(M.getOrInsertFunction(		AsanStackMallocFunc[i] = checkInterfaceFunction(M.getOrInsertFunction(
kAsanStackMallocNameTemplate + Suffix, IntptrTy, IntptrTy, nullptr));		kAsanStackMallocNameTemplate + Suffix, IntptrTy, IntptrTy, nullptr));
AsanStackFreeFunc[i] = checkInterfaceFunction(		AsanStackFreeFunc[i] = checkInterfaceFunction(
M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix,		M.getOrInsertFunction(kAsanStackFreeNameTemplate + Suffix,
IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));		IRB.getVoidTy(), IntptrTy, IntptrTy, nullptr));
}		}
AsanPoisonStackMemoryFunc = checkInterfaceFunction(		AsanPoisonStackMemoryFunc = checkInterfaceFunction(
M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(),		M.getOrInsertFunction(kAsanPoisonStackMemoryName, IRB.getVoidTy(),
IntptrTy, IntptrTy, nullptr));		IntptrTy, IntptrTy, nullptr));
AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(		AsanUnpoisonStackMemoryFunc = checkInterfaceFunction(
M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(),		M.getOrInsertFunction(kAsanUnpoisonStackMemoryName, IRB.getVoidTy(),
IntptrTy, IntptrTy, nullptr));		IntptrTy, IntptrTy, nullptr));
}		}

void		void FunctionStackPoisoner::poisonRedZones(ArrayRef<uint8_t> ShadowBytes,
FunctionStackPoisoner::poisonRedZones(ArrayRef<uint8_t> ShadowBytes,
IRBuilder<> &IRB, Value *ShadowBase,		IRBuilder<> &IRB, Value *ShadowBase,
bool DoPoison) {		bool DoPoison) {
size_t n = ShadowBytes.size();		size_t n = ShadowBytes.size();
size_t i = 0;		size_t i = 0;
// We need to (un)poison n bytes of stack shadow. Poison as many as we can		// We need to (un)poison n bytes of stack shadow. Poison as many as we can
// using 64-bit stores (if we are on 64-bit arch), then poison the rest		// using 64-bit stores (if we are on 64-bit arch), then poison the rest
// with 32-bit stores, then with 16-byte stores, then with 8-byte stores.		// with 32-bit stores, then with 16-byte stores, then with 8-byte stores.
for (size_t LargeStoreSizeInBytes = ASan.LongSize / 8;		for (size_t LargeStoreSizeInBytes = ASan.LongSize / 8;
LargeStoreSizeInBytes != 0; LargeStoreSizeInBytes /= 2) {		LargeStoreSizeInBytes != 0; LargeStoreSizeInBytes /= 2) {
for (; i + LargeStoreSizeInBytes - 1 < n; i += LargeStoreSizeInBytes) {		for (; i + LargeStoreSizeInBytes - 1 < n; i += LargeStoreSizeInBytes) {
uint64_t Val = 0;		uint64_t Val = 0;
for (size_t j = 0; j < LargeStoreSizeInBytes; j++) {		for (size_t j = 0; j < LargeStoreSizeInBytes; j++) {
if (ASan.DL->isLittleEndian())		if (ASan.DL->isLittleEndian())
Val \|= (uint64_t)ShadowBytes[i + j] << (8 * j);		Val \|= (uint64_t)ShadowBytes[i + j] << (8 * j);
else		else
Val = (Val << 8) \| ShadowBytes[i + j];		Val = (Val << 8) \| ShadowBytes[i + j];
}		}
if (!Val) continue;		if (!Val)
		continue;
Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i));		Value *Ptr = IRB.CreateAdd(ShadowBase, ConstantInt::get(IntptrTy, i));
Type StoreTy = Type::getIntNTy(C, LargeStoreSizeInBytes * 8);		Type StoreTy = Type::getIntNTy(C, LargeStoreSizeInBytes * 8);
Value *Poison = ConstantInt::get(StoreTy, DoPoison ? Val : 0);		Value *Poison = ConstantInt::get(StoreTy, DoPoison ? Val : 0);
IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, StoreTy->getPointerTo()));		IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, StoreTy->getPointerTo()));
}		}
}		}
}		}

// Fake stack allocator (asan_fake_stack.h) has 11 size classes		// Fake stack allocator (asan_fake_stack.h) has 11 size classes
// for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass		// for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass
static int StackMallocSizeClass(uint64_t LocalStackSize) {		static int StackMallocSizeClass(uint64_t LocalStackSize) {
assert(LocalStackSize <= kMaxStackMallocSize);		assert(LocalStackSize <= kMaxStackMallocSize);
uint64_t MaxSize = kMinStackMallocSize;		uint64_t MaxSize = kMinStackMallocSize;
for (int i = 0; ; i++, MaxSize *= 2)		for (int i = 0;; i++, MaxSize *= 2)
if (LocalStackSize <= MaxSize)		if (LocalStackSize <= MaxSize)
return i;		return i;
llvm_unreachable("impossible LocalStackSize");		llvm_unreachable("impossible LocalStackSize");
}		}

// Set Size bytes starting from ShadowBase to kAsanStackAfterReturnMagic.		// Set Size bytes starting from ShadowBase to kAsanStackAfterReturnMagic.
// We can not use MemSet intrinsic because it may end up calling the actual		// We can not use MemSet intrinsic because it may end up calling the actual
// memset. Size is a multiple of 8.		// memset. Size is a multiple of 8.
▲ Show 20 Lines • Show All 53 Lines • ▼ Show 20 Lines	void FunctionStackPoisoner::poisonStack() {
if (ClInstrumentAllocas) {		if (ClInstrumentAllocas) {
// Handle dynamic allocas.		// Handle dynamic allocas.
for (auto &AllocaCall : DynamicAllocaVec) {		for (auto &AllocaCall : DynamicAllocaVec) {
handleDynamicAllocaCall(AllocaCall);		handleDynamicAllocaCall(AllocaCall);
unpoisonDynamicAlloca(AllocaCall);		unpoisonDynamicAlloca(AllocaCall);
}		}
}		}

if (AllocaVec.size() == 0) return;		if (AllocaVec.size() == 0)
		return;

int StackMallocIdx = -1;		int StackMallocIdx = -1;
DebugLoc EntryDebugLocation = getFunctionEntryDebugLocation(F);		DebugLoc EntryDebugLocation = getFunctionEntryDebugLocation(F);

Instruction *InsBefore = AllocaVec[0];		Instruction *InsBefore = AllocaVec[0];
IRBuilder<> IRB(InsBefore);		IRBuilder<> IRB(InsBefore);
IRB.SetCurrentDebugLocation(EntryDebugLocation);		IRB.SetCurrentDebugLocation(EntryDebugLocation);

SmallVector<ASanStackVariableDescription, 16> SVD;		SmallVector<ASanStackVariableDescription, 16> SVD;
SVD.reserve(AllocaVec.size());		SVD.reserve(AllocaVec.size());
for (AllocaInst *AI : AllocaVec) {		for (AllocaInst *AI : AllocaVec) {
ASanStackVariableDescription D = { AI->getName().data(),		ASanStackVariableDescription D = {AI->getName().data(),
ASan.getAllocaSizeInBytes(AI),		ASan.getAllocaSizeInBytes(AI),
AI->getAlignment(), AI, 0};		AI->getAlignment(), AI, 0};
SVD.push_back(D);		SVD.push_back(D);
}		}
// Minimal header size (left redzone) is 4 pointers,		// Minimal header size (left redzone) is 4 pointers,
// i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms.		// i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms.
size_t MinHeaderSize = ASan.LongSize / 2;		size_t MinHeaderSize = ASan.LongSize / 2;
ASanStackFrameLayout L;		ASanStackFrameLayout L;
ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L);		ComputeASanStackFrameLayout(SVD, 1UL << Mapping.Scale, MinHeaderSize, &L);
DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n");		DEBUG(dbgs() << L.DescriptionString << " --- " << L.FrameSize << "\n");
▲ Show 20 Lines • Show All 74 Lines • ▼ Show 20 Lines	void FunctionStackPoisoner::poisonStack() {

// The left-most redzone has enough space for at least 4 pointers.		// The left-most redzone has enough space for at least 4 pointers.
// Write the Magic value to redzone[0].		// Write the Magic value to redzone[0].
Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy);		Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy);
IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic),		IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic),
BasePlus0);		BasePlus0);
// Write the frame description constant to redzone[1].		// Write the frame description constant to redzone[1].
Value *BasePlus1 = IRB.CreateIntToPtr(		Value *BasePlus1 = IRB.CreateIntToPtr(
IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, ASan.LongSize/8)),		IRB.CreateAdd(LocalStackBase,
		ConstantInt::get(IntptrTy, ASan.LongSize / 8)),
IntptrPtrTy);		IntptrPtrTy);
GlobalVariable *StackDescriptionGlobal =		GlobalVariable *StackDescriptionGlobal =
createPrivateGlobalForString(*F.getParent(), L.DescriptionString,		createPrivateGlobalForString(*F.getParent(), L.DescriptionString,
/AllowMerging/true);		/AllowMerging/ true);
Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal,		Value *Description = IRB.CreatePointerCast(StackDescriptionGlobal, IntptrTy);
IntptrTy);
IRB.CreateStore(Description, BasePlus1);		IRB.CreateStore(Description, BasePlus1);
// Write the PC to redzone[2].		// Write the PC to redzone[2].
Value *BasePlus2 = IRB.CreateIntToPtr(		Value *BasePlus2 = IRB.CreateIntToPtr(
IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy,		IRB.CreateAdd(LocalStackBase,
2 * ASan.LongSize/8)),		ConstantInt::get(IntptrTy, 2 * ASan.LongSize / 8)),
IntptrPtrTy);		IntptrPtrTy);
IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2);		IRB.CreateStore(IRB.CreatePointerCast(&F, IntptrTy), BasePlus2);

// Poison the stack redzones at the entry.		// Poison the stack redzones at the entry.
Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB);		Value *ShadowBase = ASan.memToShadow(LocalStackBase, IRB);
poisonRedZones(L.ShadowBytes, IRB, ShadowBase, true);		poisonRedZones(L.ShadowBytes, IRB, ShadowBase, true);

// (Un)poison the stack before all ret instructions.		// (Un)poison the stack before all ret instructions.
for (auto Ret : RetVec) {		for (auto Ret : RetVec) {
▲ Show 20 Lines • Show All 86 Lines • ▼ Show 20 Lines	AllocaInst FunctionStackPoisoner::findAllocaForValue(Value V) {
AllocaForValue[V] = nullptr;		AllocaForValue[V] = nullptr;
AllocaInst *Res = nullptr;		AllocaInst *Res = nullptr;
if (CastInst *CI = dyn_cast<CastInst>(V))		if (CastInst *CI = dyn_cast<CastInst>(V))
Res = findAllocaForValue(CI->getOperand(0));		Res = findAllocaForValue(CI->getOperand(0));
else if (PHINode *PN = dyn_cast<PHINode>(V)) {		else if (PHINode *PN = dyn_cast<PHINode>(V)) {
for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) {		for (unsigned i = 0, e = PN->getNumIncomingValues(); i != e; ++i) {
Value *IncValue = PN->getIncomingValue(i);		Value *IncValue = PN->getIncomingValue(i);
// Allow self-referencing phi-nodes.		// Allow self-referencing phi-nodes.
if (IncValue == PN) continue;		if (IncValue == PN)
		continue;
AllocaInst *IncValueAI = findAllocaForValue(IncValue);		AllocaInst *IncValueAI = findAllocaForValue(IncValue);
// AI for incoming values should exist and should all be equal.		// AI for incoming values should exist and should all be equal.
if (IncValueAI == nullptr \|\| (Res != nullptr && IncValueAI != Res))		if (IncValueAI == nullptr \|\| (Res != nullptr && IncValueAI != Res))
return nullptr;		return nullptr;
Res = IncValueAI;		Res = IncValueAI;
}		}
}		}
if (Res)		if (Res)
▲ Show 20 Lines • Show All 132 Lines • ▼ Show 20 Lines	void FunctionStackPoisoner::handleDynamicAllocaCall(
// Replace all uses of AddessReturnedByAlloca with NewAddress.		// Replace all uses of AddessReturnedByAlloca with NewAddress.
AI->replaceAllUsesWith(NewAddressPtr);		AI->replaceAllUsesWith(NewAddressPtr);

// We are done. Erase old alloca and store left, partial and right redzones		// We are done. Erase old alloca and store left, partial and right redzones
// shadow addresses for future unpoisoning.		// shadow addresses for future unpoisoning.
AI->eraseFromParent();		AI->eraseFromParent();
NumInstrumentedDynamicAllocas++;		NumInstrumentedDynamicAllocas++;
}		}

		// isSafeAccess returns true if Addr is always inbounds with respect to its
		// base object. For example, it is a field access or an array access with
		// constant inbounds index.
		bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
		Value *Addr, uint64_t TypeSize) const {
		SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr);
		dberlinUnsubmitted Not Done Reply Inline Actions You may want to look if this does a better/worse job than GetPointerBaseWithConstantOffset (This is what GVN, DeadStoreElimination, etc use to do what you are doing here - compute the pointer base and constant offset, make sure they match, then they use getTypeSizeInBits to compare the sizes) dberlin: You may want to look if this does a better/worse job than GetPointerBaseWithConstantOffset…
		if (!ObjSizeVis.bothKnown(SizeOffset))
		return false;
		int64_t Size = SizeOffset.first.getSExtValue();
		int64_t Offset = SizeOffset.second.getSExtValue();
		// Three checks are required to ensure safety:
		// . Offset >= 0 (since the offset is given from the base ptr)
		// . Size >= Offset (unsigned)
		// . Size - Offset >= NeededSize (unsigned)
		return Offset >= 0 && Size >= Offset &&
		zaks.annaUnsubmitted Not Done Reply Inline Actions Why not use getTypeStoreSize()? uint64_t getTypeStoreSizeInBits(Type Ty) const { return 8 getTypeStoreSize(Ty); } Also, is overflow possible in these calculations? zaks.anna: Why not use getTypeStoreSize()? uint64_t getTypeStoreSizeInBits(Type *Ty) const { return…
		dvyukovAuthorUnsubmitted Not Done Reply Inline Actions done These are int64's. I don't see how overflow can happen. dvyukov: done These are int64's. I don't see how overflow can happen.
		uint64_t(Size - Offset) >= TypeSize / 8;
		}

test/Instrumentation/AddressSanitizer/instrument-stack.ll

				; This test checks that we are not instrumenting direct inbound stack accesses.
				; RUN: opt < %s -asan -asan-module -asan-opt-stack -S \| FileCheck %s

				target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
				target triple = "x86_64-unknown-linux-gnu"

				;@sink = global i32* null, align 4

				; Ignore direct inbounds stack access.
				define void @foo() uwtable sanitize_address {
				entry:
				%a = alloca i32, align 4
				store i32 42, i32* %a, align 4
				ret void
				; CHECK-LABEL: define void @foo
				; CHECK-NOT: __asan_report
				; CHECK: ret void
				}

				; Don't ignore dynamic indexing.
				define void @baz(i64 %i) sanitize_address {
				entry:
				%a = alloca [10 x i32], align 4
				%e = getelementptr inbounds [10 x i32], [10 x i32]* %a, i32 0, i64 %i
				store i32 42, i32* %e, align 4
				ret void
				; CHECK-LABEL: define void @baz
				; CHECK: __asan_report
				; CHECK: ret void
				}

				define void @bar() sanitize_address {
				entry:
				%a = alloca [10 x i32], align 4
				%e = getelementptr inbounds [10 x i32], [10 x i32]* %a, i32 0, i64 12
				store i32 42, i32* %e, align 4
				ret void
				; CHECK-LABEL: define void @bar
				; CHECK: __asan_report
				; CHECK: ret void
				}

				define void @endoftests() sanitize_address {
				entry:
				ret void
				; CHECK-LABEL: define void @endoftests
				}