1 //===- DataFlowSanitizer.cpp - dynamic data flow analysis -----------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 /// \file
10 /// This file is a part of DataFlowSanitizer, a generalised dynamic data flow
11 /// analysis.
12 ///
13 /// Unlike other Sanitizer tools, this tool is not designed to detect a specific
14 /// class of bugs on its own. Instead, it provides a generic dynamic data flow
15 /// analysis framework to be used by clients to help detect application-specific
16 /// issues within their own code.
17 ///
18 /// The analysis is based on automatic propagation of data flow labels (also
19 /// known as taint labels) through a program as it performs computation. Each
20 /// byte of application memory is backed by two bytes of shadow memory which
21 /// hold the label. On Linux/x86_64, memory is laid out as follows:
22 ///
23 /// +--------------------+ 0x800000000000 (top of memory)
24 /// | application memory |
25 /// +--------------------+ 0x700000008000 (kAppAddr)
26 /// | |
27 /// | unused |
28 /// | |
29 /// +--------------------+ 0x200200000000 (kUnusedAddr)
30 /// | union table |
31 /// +--------------------+ 0x200000000000 (kUnionTableAddr)
32 /// | shadow memory |
33 /// +--------------------+ 0x000000010000 (kShadowAddr)
34 /// | reserved by kernel |
35 /// +--------------------+ 0x000000000000
36 ///
37 /// To derive a shadow memory address from an application memory address,
38 /// bits 44-46 are cleared to bring the address into the range
39 /// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to
40 /// account for the double byte representation of shadow labels and move the
41 /// address into the shadow memory range. See the function
42 /// DataFlowSanitizer::getShadowAddress below.
43 ///
44 /// For more information, please refer to the design document:
45 /// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html
46 //
47 //===----------------------------------------------------------------------===//
48
49 #include "llvm/Transforms/Instrumentation/DataFlowSanitizer.h"
50 #include "llvm/ADT/DenseMap.h"
51 #include "llvm/ADT/DenseSet.h"
52 #include "llvm/ADT/DepthFirstIterator.h"
53 #include "llvm/ADT/None.h"
54 #include "llvm/ADT/SmallPtrSet.h"
55 #include "llvm/ADT/SmallVector.h"
56 #include "llvm/ADT/StringExtras.h"
57 #include "llvm/ADT/StringRef.h"
58 #include "llvm/ADT/Triple.h"
59 #include "llvm/Analysis/ValueTracking.h"
60 #include "llvm/IR/Argument.h"
61 #include "llvm/IR/Attributes.h"
62 #include "llvm/IR/BasicBlock.h"
63 #include "llvm/IR/Constant.h"
64 #include "llvm/IR/Constants.h"
65 #include "llvm/IR/DataLayout.h"
66 #include "llvm/IR/DerivedTypes.h"
67 #include "llvm/IR/Dominators.h"
68 #include "llvm/IR/Function.h"
69 #include "llvm/IR/GlobalAlias.h"
70 #include "llvm/IR/GlobalValue.h"
71 #include "llvm/IR/GlobalVariable.h"
72 #include "llvm/IR/IRBuilder.h"
73 #include "llvm/IR/InlineAsm.h"
74 #include "llvm/IR/InstVisitor.h"
75 #include "llvm/IR/InstrTypes.h"
76 #include "llvm/IR/Instruction.h"
77 #include "llvm/IR/Instructions.h"
78 #include "llvm/IR/IntrinsicInst.h"
79 #include "llvm/IR/LLVMContext.h"
80 #include "llvm/IR/MDBuilder.h"
81 #include "llvm/IR/Module.h"
82 #include "llvm/IR/PassManager.h"
83 #include "llvm/IR/Type.h"
84 #include "llvm/IR/User.h"
85 #include "llvm/IR/Value.h"
86 #include "llvm/InitializePasses.h"
87 #include "llvm/Pass.h"
88 #include "llvm/Support/Casting.h"
89 #include "llvm/Support/CommandLine.h"
90 #include "llvm/Support/ErrorHandling.h"
91 #include "llvm/Support/SpecialCaseList.h"
92 #include "llvm/Support/VirtualFileSystem.h"
93 #include "llvm/Transforms/Instrumentation.h"
94 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
95 #include "llvm/Transforms/Utils/Local.h"
96 #include <algorithm>
97 #include <cassert>
98 #include <cstddef>
99 #include <cstdint>
100 #include <iterator>
101 #include <memory>
102 #include <set>
103 #include <string>
104 #include <utility>
105 #include <vector>
106
107 using namespace llvm;
108
109 // This must be consistent with ShadowWidthBits.
110 static const Align kShadowTLSAlignment = Align(2);
111
112 // The size of TLS variables. These constants must be kept in sync with the ones
113 // in dfsan.cpp.
114 static const unsigned kArgTLSSize = 800;
115 static const unsigned kRetvalTLSSize = 800;
116
117 // External symbol to be used when generating the shadow address for
118 // architectures with multiple VMAs. Instead of using a constant integer
119 // the runtime will set the external mask based on the VMA range.
120 const char kDFSanExternShadowPtrMask[] = "__dfsan_shadow_ptr_mask";
121
122 // The -dfsan-preserve-alignment flag controls whether this pass assumes that
123 // alignment requirements provided by the input IR are correct. For example,
124 // if the input IR contains a load with alignment 8, this flag will cause
125 // the shadow load to have alignment 16. This flag is disabled by default as
126 // we have unfortunately encountered too much code (including Clang itself;
127 // see PR14291) which performs misaligned access.
128 static cl::opt<bool> ClPreserveAlignment(
129 "dfsan-preserve-alignment",
130 cl::desc("respect alignment requirements provided by input IR"), cl::Hidden,
131 cl::init(false));
132
133 // The ABI list files control how shadow parameters are passed. The pass treats
134 // every function labelled "uninstrumented" in the ABI list file as conforming
135 // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains
136 // additional annotations for those functions, a call to one of those functions
137 // will produce a warning message, as the labelling behaviour of the function is
138 // unknown. The other supported annotations are "functional" and "discard",
139 // which are described below under DataFlowSanitizer::WrapperKind.
140 static cl::list<std::string> ClABIListFiles(
141 "dfsan-abilist",
142 cl::desc("File listing native ABI functions and how the pass treats them"),
143 cl::Hidden);
144
145 // Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented
146 // functions (see DataFlowSanitizer::InstrumentedABI below).
147 static cl::opt<bool> ClArgsABI(
148 "dfsan-args-abi",
149 cl::desc("Use the argument ABI rather than the TLS ABI"),
150 cl::Hidden);
151
152 // Controls whether the pass includes or ignores the labels of pointers in load
153 // instructions.
154 static cl::opt<bool> ClCombinePointerLabelsOnLoad(
155 "dfsan-combine-pointer-labels-on-load",
156 cl::desc("Combine the label of the pointer with the label of the data when "
157 "loading from memory."),
158 cl::Hidden, cl::init(true));
159
160 // Controls whether the pass includes or ignores the labels of pointers in
161 // stores instructions.
162 static cl::opt<bool> ClCombinePointerLabelsOnStore(
163 "dfsan-combine-pointer-labels-on-store",
164 cl::desc("Combine the label of the pointer with the label of the data when "
165 "storing in memory."),
166 cl::Hidden, cl::init(false));
167
168 static cl::opt<bool> ClDebugNonzeroLabels(
169 "dfsan-debug-nonzero-labels",
170 cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, "
171 "load or return with a nonzero label"),
172 cl::Hidden);
173
174 // Experimental feature that inserts callbacks for certain data events.
175 // Currently callbacks are only inserted for loads, stores, memory transfers
176 // (i.e. memcpy and memmove), and comparisons.
177 //
178 // If this flag is set to true, the user must provide definitions for the
179 // following callback functions:
180 // void __dfsan_load_callback(dfsan_label Label, void* addr);
181 // void __dfsan_store_callback(dfsan_label Label, void* addr);
182 // void __dfsan_mem_transfer_callback(dfsan_label *Start, size_t Len);
183 // void __dfsan_cmp_callback(dfsan_label CombinedLabel);
184 static cl::opt<bool> ClEventCallbacks(
185 "dfsan-event-callbacks",
186 cl::desc("Insert calls to __dfsan_*_callback functions on data events."),
187 cl::Hidden, cl::init(false));
188
189 // Use a distinct bit for each base label, enabling faster unions with less
190 // instrumentation. Limits the max number of base labels to 16.
191 static cl::opt<bool> ClFast16Labels(
192 "dfsan-fast-16-labels",
193 cl::desc("Use more efficient instrumentation, limiting the number of "
194 "labels to 16."),
195 cl::Hidden, cl::init(false));
196
197 // Controls whether the pass tracks the control flow of select instructions.
198 static cl::opt<bool> ClTrackSelectControlFlow(
199 "dfsan-track-select-control-flow",
200 cl::desc("Propagate labels from condition values of select instructions "
201 "to results."),
202 cl::Hidden, cl::init(true));
203
GetGlobalTypeString(const GlobalValue & G)204 static StringRef GetGlobalTypeString(const GlobalValue &G) {
205 // Types of GlobalVariables are always pointer types.
206 Type *GType = G.getValueType();
207 // For now we support excluding struct types only.
208 if (StructType *SGType = dyn_cast<StructType>(GType)) {
209 if (!SGType->isLiteral())
210 return SGType->getName();
211 }
212 return "<unknown type>";
213 }
214
215 namespace {
216
217 class DFSanABIList {
218 std::unique_ptr<SpecialCaseList> SCL;
219
220 public:
221 DFSanABIList() = default;
222
set(std::unique_ptr<SpecialCaseList> List)223 void set(std::unique_ptr<SpecialCaseList> List) { SCL = std::move(List); }
224
225 /// Returns whether either this function or its source file are listed in the
226 /// given category.
isIn(const Function & F,StringRef Category) const227 bool isIn(const Function &F, StringRef Category) const {
228 return isIn(*F.getParent(), Category) ||
229 SCL->inSection("dataflow", "fun", F.getName(), Category);
230 }
231
232 /// Returns whether this global alias is listed in the given category.
233 ///
234 /// If GA aliases a function, the alias's name is matched as a function name
235 /// would be. Similarly, aliases of globals are matched like globals.
isIn(const GlobalAlias & GA,StringRef Category) const236 bool isIn(const GlobalAlias &GA, StringRef Category) const {
237 if (isIn(*GA.getParent(), Category))
238 return true;
239
240 if (isa<FunctionType>(GA.getValueType()))
241 return SCL->inSection("dataflow", "fun", GA.getName(), Category);
242
243 return SCL->inSection("dataflow", "global", GA.getName(), Category) ||
244 SCL->inSection("dataflow", "type", GetGlobalTypeString(GA),
245 Category);
246 }
247
248 /// Returns whether this module is listed in the given category.
isIn(const Module & M,StringRef Category) const249 bool isIn(const Module &M, StringRef Category) const {
250 return SCL->inSection("dataflow", "src", M.getModuleIdentifier(), Category);
251 }
252 };
253
254 /// TransformedFunction is used to express the result of transforming one
255 /// function type into another. This struct is immutable. It holds metadata
256 /// useful for updating calls of the old function to the new type.
257 struct TransformedFunction {
TransformedFunction__anon1813b44c0111::TransformedFunction258 TransformedFunction(FunctionType* OriginalType,
259 FunctionType* TransformedType,
260 std::vector<unsigned> ArgumentIndexMapping)
261 : OriginalType(OriginalType),
262 TransformedType(TransformedType),
263 ArgumentIndexMapping(ArgumentIndexMapping) {}
264
265 // Disallow copies.
266 TransformedFunction(const TransformedFunction&) = delete;
267 TransformedFunction& operator=(const TransformedFunction&) = delete;
268
269 // Allow moves.
270 TransformedFunction(TransformedFunction&&) = default;
271 TransformedFunction& operator=(TransformedFunction&&) = default;
272
273 /// Type of the function before the transformation.
274 FunctionType *OriginalType;
275
276 /// Type of the function after the transformation.
277 FunctionType *TransformedType;
278
279 /// Transforming a function may change the position of arguments. This
280 /// member records the mapping from each argument's old position to its new
281 /// position. Argument positions are zero-indexed. If the transformation
282 /// from F to F' made the first argument of F into the third argument of F',
283 /// then ArgumentIndexMapping[0] will equal 2.
284 std::vector<unsigned> ArgumentIndexMapping;
285 };
286
287 /// Given function attributes from a call site for the original function,
288 /// return function attributes appropriate for a call to the transformed
289 /// function.
TransformFunctionAttributes(const TransformedFunction & TransformedFunction,LLVMContext & Ctx,AttributeList CallSiteAttrs)290 AttributeList TransformFunctionAttributes(
291 const TransformedFunction& TransformedFunction,
292 LLVMContext& Ctx, AttributeList CallSiteAttrs) {
293
294 // Construct a vector of AttributeSet for each function argument.
295 std::vector<llvm::AttributeSet> ArgumentAttributes(
296 TransformedFunction.TransformedType->getNumParams());
297
298 // Copy attributes from the parameter of the original function to the
299 // transformed version. 'ArgumentIndexMapping' holds the mapping from
300 // old argument position to new.
301 for (unsigned i=0, ie = TransformedFunction.ArgumentIndexMapping.size();
302 i < ie; ++i) {
303 unsigned TransformedIndex = TransformedFunction.ArgumentIndexMapping[i];
304 ArgumentAttributes[TransformedIndex] = CallSiteAttrs.getParamAttributes(i);
305 }
306
307 // Copy annotations on varargs arguments.
308 for (unsigned i = TransformedFunction.OriginalType->getNumParams(),
309 ie = CallSiteAttrs.getNumAttrSets(); i<ie; ++i) {
310 ArgumentAttributes.push_back(CallSiteAttrs.getParamAttributes(i));
311 }
312
313 return AttributeList::get(
314 Ctx,
315 CallSiteAttrs.getFnAttributes(),
316 CallSiteAttrs.getRetAttributes(),
317 llvm::makeArrayRef(ArgumentAttributes));
318 }
319
320 class DataFlowSanitizer {
321 friend struct DFSanFunction;
322 friend class DFSanVisitor;
323
324 enum { ShadowWidthBits = 16, ShadowWidthBytes = ShadowWidthBits / 8 };
325
326 /// Which ABI should be used for instrumented functions?
327 enum InstrumentedABI {
328 /// Argument and return value labels are passed through additional
329 /// arguments and by modifying the return type.
330 IA_Args,
331
332 /// Argument and return value labels are passed through TLS variables
333 /// __dfsan_arg_tls and __dfsan_retval_tls.
334 IA_TLS
335 };
336
337 /// How should calls to uninstrumented functions be handled?
338 enum WrapperKind {
339 /// This function is present in an uninstrumented form but we don't know
340 /// how it should be handled. Print a warning and call the function anyway.
341 /// Don't label the return value.
342 WK_Warning,
343
344 /// This function does not write to (user-accessible) memory, and its return
345 /// value is unlabelled.
346 WK_Discard,
347
348 /// This function does not write to (user-accessible) memory, and the label
349 /// of its return value is the union of the label of its arguments.
350 WK_Functional,
351
352 /// Instead of calling the function, a custom wrapper __dfsw_F is called,
353 /// where F is the name of the function. This function may wrap the
354 /// original function or provide its own implementation. This is similar to
355 /// the IA_Args ABI, except that IA_Args uses a struct return type to
356 /// pass the return value shadow in a register, while WK_Custom uses an
357 /// extra pointer argument to return the shadow. This allows the wrapped
358 /// form of the function type to be expressed in C.
359 WK_Custom
360 };
361
362 Module *Mod;
363 LLVMContext *Ctx;
364 Type *Int8Ptr;
365 /// The shadow type for all primitive types. Until we support field/index
366 /// level shadow values, aggregate and vector types also use this shadow
367 /// type.
368 IntegerType *PrimitiveShadowTy;
369 PointerType *PrimitiveShadowPtrTy;
370 IntegerType *IntptrTy;
371 ConstantInt *ZeroPrimitiveShadow;
372 ConstantInt *ShadowPtrMask;
373 ConstantInt *ShadowPtrMul;
374 Constant *ArgTLS;
375 Constant *RetvalTLS;
376 Constant *ExternalShadowMask;
377 FunctionType *DFSanUnionFnTy;
378 FunctionType *DFSanUnionLoadFnTy;
379 FunctionType *DFSanUnimplementedFnTy;
380 FunctionType *DFSanSetLabelFnTy;
381 FunctionType *DFSanNonzeroLabelFnTy;
382 FunctionType *DFSanVarargWrapperFnTy;
383 FunctionType *DFSanCmpCallbackFnTy;
384 FunctionType *DFSanLoadStoreCallbackFnTy;
385 FunctionType *DFSanMemTransferCallbackFnTy;
386 FunctionCallee DFSanUnionFn;
387 FunctionCallee DFSanCheckedUnionFn;
388 FunctionCallee DFSanUnionLoadFn;
389 FunctionCallee DFSanUnionLoadFast16LabelsFn;
390 FunctionCallee DFSanUnimplementedFn;
391 FunctionCallee DFSanSetLabelFn;
392 FunctionCallee DFSanNonzeroLabelFn;
393 FunctionCallee DFSanVarargWrapperFn;
394 FunctionCallee DFSanLoadCallbackFn;
395 FunctionCallee DFSanStoreCallbackFn;
396 FunctionCallee DFSanMemTransferCallbackFn;
397 FunctionCallee DFSanCmpCallbackFn;
398 MDNode *ColdCallWeights;
399 DFSanABIList ABIList;
400 DenseMap<Value *, Function *> UnwrappedFnMap;
401 AttrBuilder ReadOnlyNoneAttrs;
402 bool DFSanRuntimeShadowMask = false;
403
404 Value *getShadowAddress(Value *Addr, Instruction *Pos);
405 bool isInstrumented(const Function *F);
406 bool isInstrumented(const GlobalAlias *GA);
407 FunctionType *getArgsFunctionType(FunctionType *T);
408 FunctionType *getTrampolineFunctionType(FunctionType *T);
409 TransformedFunction getCustomFunctionType(FunctionType *T);
410 InstrumentedABI getInstrumentedABI();
411 WrapperKind getWrapperKind(Function *F);
412 void addGlobalNamePrefix(GlobalValue *GV);
413 Function *buildWrapperFunction(Function *F, StringRef NewFName,
414 GlobalValue::LinkageTypes NewFLink,
415 FunctionType *NewFT);
416 Constant *getOrBuildTrampolineFunction(FunctionType *FT, StringRef FName);
417 void initializeCallbackFunctions(Module &M);
418 void initializeRuntimeFunctions(Module &M);
419
420 bool init(Module &M);
421
422 /// Returns a zero constant with the shadow type of V's type. Until we support
423 /// field/index level shadow values, the following methods always return
424 /// primitive types, values or zero constants.
425 Constant *getZeroShadow(Value *V);
426 /// Checks if V is a zero shadow.
427 bool isZeroShadow(Value *V);
428 /// Returns the shadow type of OrigTy.
429 Type *getShadowTy(Type *OrigTy);
430 /// Returns the shadow type of of V's type.
431 Type *getShadowTy(Value *V);
432
433 public:
434 DataFlowSanitizer(const std::vector<std::string> &ABIListFiles);
435
436 bool runImpl(Module &M);
437 };
438
439 struct DFSanFunction {
440 DataFlowSanitizer &DFS;
441 Function *F;
442 DominatorTree DT;
443 DataFlowSanitizer::InstrumentedABI IA;
444 bool IsNativeABI;
445 AllocaInst *LabelReturnAlloca = nullptr;
446 DenseMap<Value *, Value *> ValShadowMap;
447 DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap;
448 std::vector<std::pair<PHINode *, PHINode *>> PHIFixups;
449 DenseSet<Instruction *> SkipInsts;
450 std::vector<Value *> NonZeroChecks;
451 bool AvoidNewBlocks;
452
453 struct CachedShadow {
454 BasicBlock *Block; // The block where Shadow is defined.
455 Value *Shadow;
456 };
457 /// Maps a value to its latest shadow value in terms of domination tree.
458 DenseMap<std::pair<Value *, Value *>, CachedShadow> CachedShadows;
459 DenseMap<Value *, std::set<Value *>> ShadowElements;
460
DFSanFunction__anon1813b44c0111::DFSanFunction461 DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI)
462 : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), IsNativeABI(IsNativeABI) {
463 DT.recalculate(*F);
464 // FIXME: Need to track down the register allocator issue which causes poor
465 // performance in pathological cases with large numbers of basic blocks.
466 AvoidNewBlocks = F->size() > 1000;
467 }
468
469 /// Computes the shadow address for a given function argument.
470 ///
471 /// Shadow = ArgTLS+ArgOffset.
472 Value *getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB);
473
474 /// Computes the shadow address for a retval.
475 Value *getRetvalTLS(Type *T, IRBuilder<> &IRB);
476
477 Value *getShadow(Value *V);
478 void setShadow(Instruction *I, Value *Shadow);
479 Value *combineShadows(Value *V1, Value *V2, Instruction *Pos);
480 Value *combineOperandShadows(Instruction *Inst);
481 Value *loadShadow(Value *ShadowAddr, uint64_t Size, uint64_t Align,
482 Instruction *Pos);
483 void storeShadow(Value *Addr, uint64_t Size, Align Alignment, Value *Shadow,
484 Instruction *Pos);
485
486 private:
487 /// Returns the shadow value of an argument A.
488 Value *getShadowForTLSArgument(Argument *A);
489 };
490
491 class DFSanVisitor : public InstVisitor<DFSanVisitor> {
492 public:
493 DFSanFunction &DFSF;
494
DFSanVisitor(DFSanFunction & DFSF)495 DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {}
496
getDataLayout() const497 const DataLayout &getDataLayout() const {
498 return DFSF.F->getParent()->getDataLayout();
499 }
500
501 // Combines shadow values for all of I's operands. Returns the combined shadow
502 // value.
503 Value *visitOperandShadowInst(Instruction &I);
504
505 void visitUnaryOperator(UnaryOperator &UO);
506 void visitBinaryOperator(BinaryOperator &BO);
507 void visitCastInst(CastInst &CI);
508 void visitCmpInst(CmpInst &CI);
509 void visitGetElementPtrInst(GetElementPtrInst &GEPI);
510 void visitLoadInst(LoadInst &LI);
511 void visitStoreInst(StoreInst &SI);
512 void visitReturnInst(ReturnInst &RI);
513 void visitCallBase(CallBase &CB);
514 void visitPHINode(PHINode &PN);
515 void visitExtractElementInst(ExtractElementInst &I);
516 void visitInsertElementInst(InsertElementInst &I);
517 void visitShuffleVectorInst(ShuffleVectorInst &I);
518 void visitExtractValueInst(ExtractValueInst &I);
519 void visitInsertValueInst(InsertValueInst &I);
520 void visitAllocaInst(AllocaInst &I);
521 void visitSelectInst(SelectInst &I);
522 void visitMemSetInst(MemSetInst &I);
523 void visitMemTransferInst(MemTransferInst &I);
524 };
525
526 } // end anonymous namespace
527
DataFlowSanitizer(const std::vector<std::string> & ABIListFiles)528 DataFlowSanitizer::DataFlowSanitizer(
529 const std::vector<std::string> &ABIListFiles) {
530 std::vector<std::string> AllABIListFiles(std::move(ABIListFiles));
531 AllABIListFiles.insert(AllABIListFiles.end(), ClABIListFiles.begin(),
532 ClABIListFiles.end());
533 // FIXME: should we propagate vfs::FileSystem to this constructor?
534 ABIList.set(
535 SpecialCaseList::createOrDie(AllABIListFiles, *vfs::getRealFileSystem()));
536 }
537
getArgsFunctionType(FunctionType * T)538 FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) {
539 SmallVector<Type *, 4> ArgTypes(T->param_begin(), T->param_end());
540 ArgTypes.append(T->getNumParams(), PrimitiveShadowTy);
541 if (T->isVarArg())
542 ArgTypes.push_back(PrimitiveShadowPtrTy);
543 Type *RetType = T->getReturnType();
544 if (!RetType->isVoidTy())
545 RetType = StructType::get(RetType, PrimitiveShadowTy);
546 return FunctionType::get(RetType, ArgTypes, T->isVarArg());
547 }
548
getTrampolineFunctionType(FunctionType * T)549 FunctionType *DataFlowSanitizer::getTrampolineFunctionType(FunctionType *T) {
550 assert(!T->isVarArg());
551 SmallVector<Type *, 4> ArgTypes;
552 ArgTypes.push_back(T->getPointerTo());
553 ArgTypes.append(T->param_begin(), T->param_end());
554 ArgTypes.append(T->getNumParams(), PrimitiveShadowTy);
555 Type *RetType = T->getReturnType();
556 if (!RetType->isVoidTy())
557 ArgTypes.push_back(PrimitiveShadowPtrTy);
558 return FunctionType::get(T->getReturnType(), ArgTypes, false);
559 }
560
getCustomFunctionType(FunctionType * T)561 TransformedFunction DataFlowSanitizer::getCustomFunctionType(FunctionType *T) {
562 SmallVector<Type *, 4> ArgTypes;
563
564 // Some parameters of the custom function being constructed are
565 // parameters of T. Record the mapping from parameters of T to
566 // parameters of the custom function, so that parameter attributes
567 // at call sites can be updated.
568 std::vector<unsigned> ArgumentIndexMapping;
569 for (unsigned i = 0, ie = T->getNumParams(); i != ie; ++i) {
570 Type* param_type = T->getParamType(i);
571 FunctionType *FT;
572 if (isa<PointerType>(param_type) && (FT = dyn_cast<FunctionType>(
573 cast<PointerType>(param_type)->getElementType()))) {
574 ArgumentIndexMapping.push_back(ArgTypes.size());
575 ArgTypes.push_back(getTrampolineFunctionType(FT)->getPointerTo());
576 ArgTypes.push_back(Type::getInt8PtrTy(*Ctx));
577 } else {
578 ArgumentIndexMapping.push_back(ArgTypes.size());
579 ArgTypes.push_back(param_type);
580 }
581 }
582 for (unsigned i = 0, e = T->getNumParams(); i != e; ++i)
583 ArgTypes.push_back(PrimitiveShadowTy);
584 if (T->isVarArg())
585 ArgTypes.push_back(PrimitiveShadowPtrTy);
586 Type *RetType = T->getReturnType();
587 if (!RetType->isVoidTy())
588 ArgTypes.push_back(PrimitiveShadowPtrTy);
589 return TransformedFunction(
590 T, FunctionType::get(T->getReturnType(), ArgTypes, T->isVarArg()),
591 ArgumentIndexMapping);
592 }
593
isZeroShadow(Value * V)594 bool DataFlowSanitizer::isZeroShadow(Value *V) {
595 return ZeroPrimitiveShadow == V;
596 }
597
getZeroShadow(Value * V)598 Constant *DataFlowSanitizer::getZeroShadow(Value *V) {
599 return ZeroPrimitiveShadow;
600 }
601
getShadowTy(Type * OrigTy)602 Type *DataFlowSanitizer::getShadowTy(Type *OrigTy) { return PrimitiveShadowTy; }
603
getShadowTy(Value * V)604 Type *DataFlowSanitizer::getShadowTy(Value *V) {
605 return getShadowTy(V->getType());
606 }
607
init(Module & M)608 bool DataFlowSanitizer::init(Module &M) {
609 Triple TargetTriple(M.getTargetTriple());
610 bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
611 bool IsMIPS64 = TargetTriple.isMIPS64();
612 bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64 ||
613 TargetTriple.getArch() == Triple::aarch64_be;
614
615 const DataLayout &DL = M.getDataLayout();
616
617 Mod = &M;
618 Ctx = &M.getContext();
619 Int8Ptr = Type::getInt8PtrTy(*Ctx);
620 PrimitiveShadowTy = IntegerType::get(*Ctx, ShadowWidthBits);
621 PrimitiveShadowPtrTy = PointerType::getUnqual(PrimitiveShadowTy);
622 IntptrTy = DL.getIntPtrType(*Ctx);
623 ZeroPrimitiveShadow = ConstantInt::getSigned(PrimitiveShadowTy, 0);
624 ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidthBytes);
625 if (IsX86_64)
626 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL);
627 else if (IsMIPS64)
628 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0xF000000000LL);
629 // AArch64 supports multiple VMAs and the shadow mask is set at runtime.
630 else if (IsAArch64)
631 DFSanRuntimeShadowMask = true;
632 else
633 report_fatal_error("unsupported triple");
634
635 Type *DFSanUnionArgs[2] = {PrimitiveShadowTy, PrimitiveShadowTy};
636 DFSanUnionFnTy =
637 FunctionType::get(PrimitiveShadowTy, DFSanUnionArgs, /*isVarArg=*/false);
638 Type *DFSanUnionLoadArgs[2] = {PrimitiveShadowPtrTy, IntptrTy};
639 DFSanUnionLoadFnTy = FunctionType::get(PrimitiveShadowTy, DFSanUnionLoadArgs,
640 /*isVarArg=*/false);
641 DFSanUnimplementedFnTy = FunctionType::get(
642 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
643 Type *DFSanSetLabelArgs[3] = {PrimitiveShadowTy, Type::getInt8PtrTy(*Ctx),
644 IntptrTy};
645 DFSanSetLabelFnTy = FunctionType::get(Type::getVoidTy(*Ctx),
646 DFSanSetLabelArgs, /*isVarArg=*/false);
647 DFSanNonzeroLabelFnTy =
648 FunctionType::get(Type::getVoidTy(*Ctx), None, /*isVarArg=*/false);
649 DFSanVarargWrapperFnTy = FunctionType::get(
650 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
651 DFSanCmpCallbackFnTy =
652 FunctionType::get(Type::getVoidTy(*Ctx), PrimitiveShadowTy,
653 /*isVarArg=*/false);
654 Type *DFSanLoadStoreCallbackArgs[2] = {PrimitiveShadowTy, Int8Ptr};
655 DFSanLoadStoreCallbackFnTy =
656 FunctionType::get(Type::getVoidTy(*Ctx), DFSanLoadStoreCallbackArgs,
657 /*isVarArg=*/false);
658 Type *DFSanMemTransferCallbackArgs[2] = {PrimitiveShadowPtrTy, IntptrTy};
659 DFSanMemTransferCallbackFnTy =
660 FunctionType::get(Type::getVoidTy(*Ctx), DFSanMemTransferCallbackArgs,
661 /*isVarArg=*/false);
662
663 ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000);
664 return true;
665 }
666
isInstrumented(const Function * F)667 bool DataFlowSanitizer::isInstrumented(const Function *F) {
668 return !ABIList.isIn(*F, "uninstrumented");
669 }
670
isInstrumented(const GlobalAlias * GA)671 bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) {
672 return !ABIList.isIn(*GA, "uninstrumented");
673 }
674
getInstrumentedABI()675 DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() {
676 return ClArgsABI ? IA_Args : IA_TLS;
677 }
678
getWrapperKind(Function * F)679 DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) {
680 if (ABIList.isIn(*F, "functional"))
681 return WK_Functional;
682 if (ABIList.isIn(*F, "discard"))
683 return WK_Discard;
684 if (ABIList.isIn(*F, "custom"))
685 return WK_Custom;
686
687 return WK_Warning;
688 }
689
addGlobalNamePrefix(GlobalValue * GV)690 void DataFlowSanitizer::addGlobalNamePrefix(GlobalValue *GV) {
691 std::string GVName = std::string(GV->getName()), Prefix = "dfs$";
692 GV->setName(Prefix + GVName);
693
694 // Try to change the name of the function in module inline asm. We only do
695 // this for specific asm directives, currently only ".symver", to try to avoid
696 // corrupting asm which happens to contain the symbol name as a substring.
697 // Note that the substitution for .symver assumes that the versioned symbol
698 // also has an instrumented name.
699 std::string Asm = GV->getParent()->getModuleInlineAsm();
700 std::string SearchStr = ".symver " + GVName + ",";
701 size_t Pos = Asm.find(SearchStr);
702 if (Pos != std::string::npos) {
703 Asm.replace(Pos, SearchStr.size(),
704 ".symver " + Prefix + GVName + "," + Prefix);
705 GV->getParent()->setModuleInlineAsm(Asm);
706 }
707 }
708
709 Function *
buildWrapperFunction(Function * F,StringRef NewFName,GlobalValue::LinkageTypes NewFLink,FunctionType * NewFT)710 DataFlowSanitizer::buildWrapperFunction(Function *F, StringRef NewFName,
711 GlobalValue::LinkageTypes NewFLink,
712 FunctionType *NewFT) {
713 FunctionType *FT = F->getFunctionType();
714 Function *NewF = Function::Create(NewFT, NewFLink, F->getAddressSpace(),
715 NewFName, F->getParent());
716 NewF->copyAttributesFrom(F);
717 NewF->removeAttributes(
718 AttributeList::ReturnIndex,
719 AttributeFuncs::typeIncompatible(NewFT->getReturnType()));
720
721 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF);
722 if (F->isVarArg()) {
723 NewF->removeAttributes(AttributeList::FunctionIndex,
724 AttrBuilder().addAttribute("split-stack"));
725 CallInst::Create(DFSanVarargWrapperFn,
726 IRBuilder<>(BB).CreateGlobalStringPtr(F->getName()), "",
727 BB);
728 new UnreachableInst(*Ctx, BB);
729 } else {
730 std::vector<Value *> Args;
731 unsigned n = FT->getNumParams();
732 for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n)
733 Args.push_back(&*ai);
734 CallInst *CI = CallInst::Create(F, Args, "", BB);
735 if (FT->getReturnType()->isVoidTy())
736 ReturnInst::Create(*Ctx, BB);
737 else
738 ReturnInst::Create(*Ctx, CI, BB);
739 }
740
741 return NewF;
742 }
743
getOrBuildTrampolineFunction(FunctionType * FT,StringRef FName)744 Constant *DataFlowSanitizer::getOrBuildTrampolineFunction(FunctionType *FT,
745 StringRef FName) {
746 FunctionType *FTT = getTrampolineFunctionType(FT);
747 FunctionCallee C = Mod->getOrInsertFunction(FName, FTT);
748 Function *F = dyn_cast<Function>(C.getCallee());
749 if (F && F->isDeclaration()) {
750 F->setLinkage(GlobalValue::LinkOnceODRLinkage);
751 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", F);
752 std::vector<Value *> Args;
753 Function::arg_iterator AI = F->arg_begin(); ++AI;
754 for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N)
755 Args.push_back(&*AI);
756 CallInst *CI = CallInst::Create(FT, &*F->arg_begin(), Args, "", BB);
757 ReturnInst *RI;
758 if (FT->getReturnType()->isVoidTy())
759 RI = ReturnInst::Create(*Ctx, BB);
760 else
761 RI = ReturnInst::Create(*Ctx, CI, BB);
762
763 DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true);
764 Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; ++ValAI;
765 for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N)
766 DFSF.ValShadowMap[&*ValAI] = &*ShadowAI;
767 DFSanVisitor(DFSF).visitCallInst(*CI);
768 if (!FT->getReturnType()->isVoidTy())
769 new StoreInst(DFSF.getShadow(RI->getReturnValue()),
770 &*std::prev(F->arg_end()), RI);
771 }
772
773 return cast<Constant>(C.getCallee());
774 }
775
776 // Initialize DataFlowSanitizer runtime functions and declare them in the module
initializeRuntimeFunctions(Module & M)777 void DataFlowSanitizer::initializeRuntimeFunctions(Module &M) {
778 {
779 AttributeList AL;
780 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
781 Attribute::NoUnwind);
782 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
783 Attribute::ReadNone);
784 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex,
785 Attribute::ZExt);
786 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
787 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
788 DFSanUnionFn =
789 Mod->getOrInsertFunction("__dfsan_union", DFSanUnionFnTy, AL);
790 }
791 {
792 AttributeList AL;
793 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
794 Attribute::NoUnwind);
795 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
796 Attribute::ReadNone);
797 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex,
798 Attribute::ZExt);
799 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
800 AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
801 DFSanCheckedUnionFn =
802 Mod->getOrInsertFunction("dfsan_union", DFSanUnionFnTy, AL);
803 }
804 {
805 AttributeList AL;
806 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
807 Attribute::NoUnwind);
808 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
809 Attribute::ReadOnly);
810 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex,
811 Attribute::ZExt);
812 DFSanUnionLoadFn =
813 Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy, AL);
814 }
815 {
816 AttributeList AL;
817 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
818 Attribute::NoUnwind);
819 AL = AL.addAttribute(M.getContext(), AttributeList::FunctionIndex,
820 Attribute::ReadOnly);
821 AL = AL.addAttribute(M.getContext(), AttributeList::ReturnIndex,
822 Attribute::ZExt);
823 DFSanUnionLoadFast16LabelsFn = Mod->getOrInsertFunction(
824 "__dfsan_union_load_fast16labels", DFSanUnionLoadFnTy, AL);
825 }
826 DFSanUnimplementedFn =
827 Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy);
828 {
829 AttributeList AL;
830 AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
831 DFSanSetLabelFn =
832 Mod->getOrInsertFunction("__dfsan_set_label", DFSanSetLabelFnTy, AL);
833 }
834 DFSanNonzeroLabelFn =
835 Mod->getOrInsertFunction("__dfsan_nonzero_label", DFSanNonzeroLabelFnTy);
836 DFSanVarargWrapperFn = Mod->getOrInsertFunction("__dfsan_vararg_wrapper",
837 DFSanVarargWrapperFnTy);
838 }
839
840 // Initializes event callback functions and declare them in the module
initializeCallbackFunctions(Module & M)841 void DataFlowSanitizer::initializeCallbackFunctions(Module &M) {
842 DFSanLoadCallbackFn = Mod->getOrInsertFunction("__dfsan_load_callback",
843 DFSanLoadStoreCallbackFnTy);
844 DFSanStoreCallbackFn = Mod->getOrInsertFunction("__dfsan_store_callback",
845 DFSanLoadStoreCallbackFnTy);
846 DFSanMemTransferCallbackFn = Mod->getOrInsertFunction(
847 "__dfsan_mem_transfer_callback", DFSanMemTransferCallbackFnTy);
848 DFSanCmpCallbackFn =
849 Mod->getOrInsertFunction("__dfsan_cmp_callback", DFSanCmpCallbackFnTy);
850 }
851
runImpl(Module & M)852 bool DataFlowSanitizer::runImpl(Module &M) {
853 init(M);
854
855 if (ABIList.isIn(M, "skip"))
856 return false;
857
858 const unsigned InitialGlobalSize = M.global_size();
859 const unsigned InitialModuleSize = M.size();
860
861 bool Changed = false;
862
863 Type *ArgTLSTy = ArrayType::get(Type::getInt64Ty(*Ctx), kArgTLSSize / 8);
864 ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy);
865 if (GlobalVariable *G = dyn_cast<GlobalVariable>(ArgTLS)) {
866 Changed |= G->getThreadLocalMode() != GlobalVariable::InitialExecTLSModel;
867 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel);
868 }
869 Type *RetvalTLSTy =
870 ArrayType::get(Type::getInt64Ty(*Ctx), kRetvalTLSSize / 8);
871 RetvalTLS = Mod->getOrInsertGlobal("__dfsan_retval_tls", RetvalTLSTy);
872 if (GlobalVariable *G = dyn_cast<GlobalVariable>(RetvalTLS)) {
873 Changed |= G->getThreadLocalMode() != GlobalVariable::InitialExecTLSModel;
874 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel);
875 }
876
877 ExternalShadowMask =
878 Mod->getOrInsertGlobal(kDFSanExternShadowPtrMask, IntptrTy);
879
880 initializeCallbackFunctions(M);
881 initializeRuntimeFunctions(M);
882
883 std::vector<Function *> FnsToInstrument;
884 SmallPtrSet<Function *, 2> FnsWithNativeABI;
885 for (Function &i : M) {
886 if (!i.isIntrinsic() &&
887 &i != DFSanUnionFn.getCallee()->stripPointerCasts() &&
888 &i != DFSanCheckedUnionFn.getCallee()->stripPointerCasts() &&
889 &i != DFSanUnionLoadFn.getCallee()->stripPointerCasts() &&
890 &i != DFSanUnionLoadFast16LabelsFn.getCallee()->stripPointerCasts() &&
891 &i != DFSanUnimplementedFn.getCallee()->stripPointerCasts() &&
892 &i != DFSanSetLabelFn.getCallee()->stripPointerCasts() &&
893 &i != DFSanNonzeroLabelFn.getCallee()->stripPointerCasts() &&
894 &i != DFSanVarargWrapperFn.getCallee()->stripPointerCasts() &&
895 &i != DFSanLoadCallbackFn.getCallee()->stripPointerCasts() &&
896 &i != DFSanStoreCallbackFn.getCallee()->stripPointerCasts() &&
897 &i != DFSanMemTransferCallbackFn.getCallee()->stripPointerCasts() &&
898 &i != DFSanCmpCallbackFn.getCallee()->stripPointerCasts())
899 FnsToInstrument.push_back(&i);
900 }
901
902 // Give function aliases prefixes when necessary, and build wrappers where the
903 // instrumentedness is inconsistent.
904 for (Module::alias_iterator i = M.alias_begin(), e = M.alias_end(); i != e;) {
905 GlobalAlias *GA = &*i;
906 ++i;
907 // Don't stop on weak. We assume people aren't playing games with the
908 // instrumentedness of overridden weak aliases.
909 if (auto F = dyn_cast<Function>(GA->getBaseObject())) {
910 bool GAInst = isInstrumented(GA), FInst = isInstrumented(F);
911 if (GAInst && FInst) {
912 addGlobalNamePrefix(GA);
913 } else if (GAInst != FInst) {
914 // Non-instrumented alias of an instrumented function, or vice versa.
915 // Replace the alias with a native-ABI wrapper of the aliasee. The pass
916 // below will take care of instrumenting it.
917 Function *NewF =
918 buildWrapperFunction(F, "", GA->getLinkage(), F->getFunctionType());
919 GA->replaceAllUsesWith(ConstantExpr::getBitCast(NewF, GA->getType()));
920 NewF->takeName(GA);
921 GA->eraseFromParent();
922 FnsToInstrument.push_back(NewF);
923 }
924 }
925 }
926
927 ReadOnlyNoneAttrs.addAttribute(Attribute::ReadOnly)
928 .addAttribute(Attribute::ReadNone);
929
930 // First, change the ABI of every function in the module. ABI-listed
931 // functions keep their original ABI and get a wrapper function.
932 for (std::vector<Function *>::iterator i = FnsToInstrument.begin(),
933 e = FnsToInstrument.end();
934 i != e; ++i) {
935 Function &F = **i;
936 FunctionType *FT = F.getFunctionType();
937
938 bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() &&
939 FT->getReturnType()->isVoidTy());
940
941 if (isInstrumented(&F)) {
942 // Instrumented functions get a 'dfs$' prefix. This allows us to more
943 // easily identify cases of mismatching ABIs.
944 if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) {
945 FunctionType *NewFT = getArgsFunctionType(FT);
946 Function *NewF = Function::Create(NewFT, F.getLinkage(),
947 F.getAddressSpace(), "", &M);
948 NewF->copyAttributesFrom(&F);
949 NewF->removeAttributes(
950 AttributeList::ReturnIndex,
951 AttributeFuncs::typeIncompatible(NewFT->getReturnType()));
952 for (Function::arg_iterator FArg = F.arg_begin(),
953 NewFArg = NewF->arg_begin(),
954 FArgEnd = F.arg_end();
955 FArg != FArgEnd; ++FArg, ++NewFArg) {
956 FArg->replaceAllUsesWith(&*NewFArg);
957 }
958 NewF->getBasicBlockList().splice(NewF->begin(), F.getBasicBlockList());
959
960 for (Function::user_iterator UI = F.user_begin(), UE = F.user_end();
961 UI != UE;) {
962 BlockAddress *BA = dyn_cast<BlockAddress>(*UI);
963 ++UI;
964 if (BA) {
965 BA->replaceAllUsesWith(
966 BlockAddress::get(NewF, BA->getBasicBlock()));
967 delete BA;
968 }
969 }
970 F.replaceAllUsesWith(
971 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT)));
972 NewF->takeName(&F);
973 F.eraseFromParent();
974 *i = NewF;
975 addGlobalNamePrefix(NewF);
976 } else {
977 addGlobalNamePrefix(&F);
978 }
979 } else if (!IsZeroArgsVoidRet || getWrapperKind(&F) == WK_Custom) {
980 // Build a wrapper function for F. The wrapper simply calls F, and is
981 // added to FnsToInstrument so that any instrumentation according to its
982 // WrapperKind is done in the second pass below.
983 FunctionType *NewFT = getInstrumentedABI() == IA_Args
984 ? getArgsFunctionType(FT)
985 : FT;
986
987 // If the function being wrapped has local linkage, then preserve the
988 // function's linkage in the wrapper function.
989 GlobalValue::LinkageTypes wrapperLinkage =
990 F.hasLocalLinkage()
991 ? F.getLinkage()
992 : GlobalValue::LinkOnceODRLinkage;
993
994 Function *NewF = buildWrapperFunction(
995 &F, std::string("dfsw$") + std::string(F.getName()),
996 wrapperLinkage, NewFT);
997 if (getInstrumentedABI() == IA_TLS)
998 NewF->removeAttributes(AttributeList::FunctionIndex, ReadOnlyNoneAttrs);
999
1000 Value *WrappedFnCst =
1001 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT));
1002 F.replaceAllUsesWith(WrappedFnCst);
1003
1004 UnwrappedFnMap[WrappedFnCst] = &F;
1005 *i = NewF;
1006
1007 if (!F.isDeclaration()) {
1008 // This function is probably defining an interposition of an
1009 // uninstrumented function and hence needs to keep the original ABI.
1010 // But any functions it may call need to use the instrumented ABI, so
1011 // we instrument it in a mode which preserves the original ABI.
1012 FnsWithNativeABI.insert(&F);
1013
1014 // This code needs to rebuild the iterators, as they may be invalidated
1015 // by the push_back, taking care that the new range does not include
1016 // any functions added by this code.
1017 size_t N = i - FnsToInstrument.begin(),
1018 Count = e - FnsToInstrument.begin();
1019 FnsToInstrument.push_back(&F);
1020 i = FnsToInstrument.begin() + N;
1021 e = FnsToInstrument.begin() + Count;
1022 }
1023 // Hopefully, nobody will try to indirectly call a vararg
1024 // function... yet.
1025 } else if (FT->isVarArg()) {
1026 UnwrappedFnMap[&F] = &F;
1027 *i = nullptr;
1028 }
1029 }
1030
1031 for (Function *i : FnsToInstrument) {
1032 if (!i || i->isDeclaration())
1033 continue;
1034
1035 removeUnreachableBlocks(*i);
1036
1037 DFSanFunction DFSF(*this, i, FnsWithNativeABI.count(i));
1038
1039 // DFSanVisitor may create new basic blocks, which confuses df_iterator.
1040 // Build a copy of the list before iterating over it.
1041 SmallVector<BasicBlock *, 4> BBList(depth_first(&i->getEntryBlock()));
1042
1043 for (BasicBlock *i : BBList) {
1044 Instruction *Inst = &i->front();
1045 while (true) {
1046 // DFSanVisitor may split the current basic block, changing the current
1047 // instruction's next pointer and moving the next instruction to the
1048 // tail block from which we should continue.
1049 Instruction *Next = Inst->getNextNode();
1050 // DFSanVisitor may delete Inst, so keep track of whether it was a
1051 // terminator.
1052 bool IsTerminator = Inst->isTerminator();
1053 if (!DFSF.SkipInsts.count(Inst))
1054 DFSanVisitor(DFSF).visit(Inst);
1055 if (IsTerminator)
1056 break;
1057 Inst = Next;
1058 }
1059 }
1060
1061 // We will not necessarily be able to compute the shadow for every phi node
1062 // until we have visited every block. Therefore, the code that handles phi
1063 // nodes adds them to the PHIFixups list so that they can be properly
1064 // handled here.
1065 for (std::vector<std::pair<PHINode *, PHINode *>>::iterator
1066 i = DFSF.PHIFixups.begin(),
1067 e = DFSF.PHIFixups.end();
1068 i != e; ++i) {
1069 for (unsigned val = 0, n = i->first->getNumIncomingValues(); val != n;
1070 ++val) {
1071 i->second->setIncomingValue(
1072 val, DFSF.getShadow(i->first->getIncomingValue(val)));
1073 }
1074 }
1075
1076 // -dfsan-debug-nonzero-labels will split the CFG in all kinds of crazy
1077 // places (i.e. instructions in basic blocks we haven't even begun visiting
1078 // yet). To make our life easier, do this work in a pass after the main
1079 // instrumentation.
1080 if (ClDebugNonzeroLabels) {
1081 for (Value *V : DFSF.NonZeroChecks) {
1082 Instruction *Pos;
1083 if (Instruction *I = dyn_cast<Instruction>(V))
1084 Pos = I->getNextNode();
1085 else
1086 Pos = &DFSF.F->getEntryBlock().front();
1087 while (isa<PHINode>(Pos) || isa<AllocaInst>(Pos))
1088 Pos = Pos->getNextNode();
1089 IRBuilder<> IRB(Pos);
1090 Value *Ne = IRB.CreateICmpNE(V, DFSF.DFS.ZeroPrimitiveShadow);
1091 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen(
1092 Ne, Pos, /*Unreachable=*/false, ColdCallWeights));
1093 IRBuilder<> ThenIRB(BI);
1094 ThenIRB.CreateCall(DFSF.DFS.DFSanNonzeroLabelFn, {});
1095 }
1096 }
1097 }
1098
1099 return Changed || !FnsToInstrument.empty() ||
1100 M.global_size() != InitialGlobalSize || M.size() != InitialModuleSize;
1101 }
1102
getArgTLS(Type * T,unsigned ArgOffset,IRBuilder<> & IRB)1103 Value *DFSanFunction::getArgTLS(Type *T, unsigned ArgOffset, IRBuilder<> &IRB) {
1104 Value *Base = IRB.CreatePointerCast(DFS.ArgTLS, DFS.IntptrTy);
1105 if (ArgOffset)
1106 Base = IRB.CreateAdd(Base, ConstantInt::get(DFS.IntptrTy, ArgOffset));
1107 return IRB.CreateIntToPtr(Base, PointerType::get(DFS.getShadowTy(T), 0),
1108 "_dfsarg");
1109 }
1110
getRetvalTLS(Type * T,IRBuilder<> & IRB)1111 Value *DFSanFunction::getRetvalTLS(Type *T, IRBuilder<> &IRB) {
1112 return IRB.CreatePointerCast(
1113 DFS.RetvalTLS, PointerType::get(DFS.getShadowTy(T), 0), "_dfsret");
1114 }
1115
getShadowForTLSArgument(Argument * A)1116 Value *DFSanFunction::getShadowForTLSArgument(Argument *A) {
1117 unsigned ArgOffset = 0;
1118 const DataLayout &DL = F->getParent()->getDataLayout();
1119 for (auto &FArg : F->args()) {
1120 if (!FArg.getType()->isSized()) {
1121 if (A == &FArg)
1122 break;
1123 continue;
1124 }
1125
1126 unsigned Size = DL.getTypeAllocSize(DFS.getShadowTy(&FArg));
1127 if (A != &FArg) {
1128 ArgOffset += alignTo(Size, kShadowTLSAlignment);
1129 if (ArgOffset > kArgTLSSize)
1130 break; // ArgTLS overflows, uses a zero shadow.
1131 continue;
1132 }
1133
1134 if (ArgOffset + Size > kArgTLSSize)
1135 break; // ArgTLS overflows, uses a zero shadow.
1136
1137 Instruction *ArgTLSPos = &*F->getEntryBlock().begin();
1138 IRBuilder<> IRB(ArgTLSPos);
1139 Value *ArgShadowPtr = getArgTLS(FArg.getType(), ArgOffset, IRB);
1140 return IRB.CreateAlignedLoad(DFS.getShadowTy(&FArg), ArgShadowPtr,
1141 kShadowTLSAlignment);
1142 }
1143
1144 return DFS.getZeroShadow(A);
1145 }
1146
getShadow(Value * V)1147 Value *DFSanFunction::getShadow(Value *V) {
1148 if (!isa<Argument>(V) && !isa<Instruction>(V))
1149 return DFS.getZeroShadow(V);
1150 Value *&Shadow = ValShadowMap[V];
1151 if (!Shadow) {
1152 if (Argument *A = dyn_cast<Argument>(V)) {
1153 if (IsNativeABI)
1154 return DFS.getZeroShadow(V);
1155 switch (IA) {
1156 case DataFlowSanitizer::IA_TLS: {
1157 Shadow = getShadowForTLSArgument(A);
1158 break;
1159 }
1160 case DataFlowSanitizer::IA_Args: {
1161 unsigned ArgIdx = A->getArgNo() + F->arg_size() / 2;
1162 Function::arg_iterator i = F->arg_begin();
1163 while (ArgIdx--)
1164 ++i;
1165 Shadow = &*i;
1166 assert(Shadow->getType() == DFS.PrimitiveShadowTy);
1167 break;
1168 }
1169 }
1170 NonZeroChecks.push_back(Shadow);
1171 } else {
1172 Shadow = DFS.getZeroShadow(V);
1173 }
1174 }
1175 return Shadow;
1176 }
1177
setShadow(Instruction * I,Value * Shadow)1178 void DFSanFunction::setShadow(Instruction *I, Value *Shadow) {
1179 assert(!ValShadowMap.count(I));
1180 assert(Shadow->getType() == DFS.PrimitiveShadowTy);
1181 ValShadowMap[I] = Shadow;
1182 }
1183
getShadowAddress(Value * Addr,Instruction * Pos)1184 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) {
1185 assert(Addr != RetvalTLS && "Reinstrumenting?");
1186 IRBuilder<> IRB(Pos);
1187 Value *ShadowPtrMaskValue;
1188 if (DFSanRuntimeShadowMask)
1189 ShadowPtrMaskValue = IRB.CreateLoad(IntptrTy, ExternalShadowMask);
1190 else
1191 ShadowPtrMaskValue = ShadowPtrMask;
1192 return IRB.CreateIntToPtr(
1193 IRB.CreateMul(
1194 IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy),
1195 IRB.CreatePtrToInt(ShadowPtrMaskValue, IntptrTy)),
1196 ShadowPtrMul),
1197 PrimitiveShadowPtrTy);
1198 }
1199
1200 // Generates IR to compute the union of the two given shadows, inserting it
1201 // before Pos. Returns the computed union Value.
combineShadows(Value * V1,Value * V2,Instruction * Pos)1202 Value *DFSanFunction::combineShadows(Value *V1, Value *V2, Instruction *Pos) {
1203 if (DFS.isZeroShadow(V1))
1204 return V2;
1205 if (DFS.isZeroShadow(V2))
1206 return V1;
1207 if (V1 == V2)
1208 return V1;
1209
1210 auto V1Elems = ShadowElements.find(V1);
1211 auto V2Elems = ShadowElements.find(V2);
1212 if (V1Elems != ShadowElements.end() && V2Elems != ShadowElements.end()) {
1213 if (std::includes(V1Elems->second.begin(), V1Elems->second.end(),
1214 V2Elems->second.begin(), V2Elems->second.end())) {
1215 return V1;
1216 } else if (std::includes(V2Elems->second.begin(), V2Elems->second.end(),
1217 V1Elems->second.begin(), V1Elems->second.end())) {
1218 return V2;
1219 }
1220 } else if (V1Elems != ShadowElements.end()) {
1221 if (V1Elems->second.count(V2))
1222 return V1;
1223 } else if (V2Elems != ShadowElements.end()) {
1224 if (V2Elems->second.count(V1))
1225 return V2;
1226 }
1227
1228 auto Key = std::make_pair(V1, V2);
1229 if (V1 > V2)
1230 std::swap(Key.first, Key.second);
1231 CachedShadow &CCS = CachedShadows[Key];
1232 if (CCS.Block && DT.dominates(CCS.Block, Pos->getParent()))
1233 return CCS.Shadow;
1234
1235 IRBuilder<> IRB(Pos);
1236 if (ClFast16Labels) {
1237 CCS.Block = Pos->getParent();
1238 CCS.Shadow = IRB.CreateOr(V1, V2);
1239 } else if (AvoidNewBlocks) {
1240 CallInst *Call = IRB.CreateCall(DFS.DFSanCheckedUnionFn, {V1, V2});
1241 Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1242 Call->addParamAttr(0, Attribute::ZExt);
1243 Call->addParamAttr(1, Attribute::ZExt);
1244
1245 CCS.Block = Pos->getParent();
1246 CCS.Shadow = Call;
1247 } else {
1248 BasicBlock *Head = Pos->getParent();
1249 Value *Ne = IRB.CreateICmpNE(V1, V2);
1250 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen(
1251 Ne, Pos, /*Unreachable=*/false, DFS.ColdCallWeights, &DT));
1252 IRBuilder<> ThenIRB(BI);
1253 CallInst *Call = ThenIRB.CreateCall(DFS.DFSanUnionFn, {V1, V2});
1254 Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1255 Call->addParamAttr(0, Attribute::ZExt);
1256 Call->addParamAttr(1, Attribute::ZExt);
1257
1258 BasicBlock *Tail = BI->getSuccessor(0);
1259 PHINode *Phi =
1260 PHINode::Create(DFS.PrimitiveShadowTy, 2, "", &Tail->front());
1261 Phi->addIncoming(Call, Call->getParent());
1262 Phi->addIncoming(V1, Head);
1263
1264 CCS.Block = Tail;
1265 CCS.Shadow = Phi;
1266 }
1267
1268 std::set<Value *> UnionElems;
1269 if (V1Elems != ShadowElements.end()) {
1270 UnionElems = V1Elems->second;
1271 } else {
1272 UnionElems.insert(V1);
1273 }
1274 if (V2Elems != ShadowElements.end()) {
1275 UnionElems.insert(V2Elems->second.begin(), V2Elems->second.end());
1276 } else {
1277 UnionElems.insert(V2);
1278 }
1279 ShadowElements[CCS.Shadow] = std::move(UnionElems);
1280
1281 return CCS.Shadow;
1282 }
1283
1284 // A convenience function which folds the shadows of each of the operands
1285 // of the provided instruction Inst, inserting the IR before Inst. Returns
1286 // the computed union Value.
combineOperandShadows(Instruction * Inst)1287 Value *DFSanFunction::combineOperandShadows(Instruction *Inst) {
1288 if (Inst->getNumOperands() == 0)
1289 return DFS.getZeroShadow(Inst);
1290
1291 Value *Shadow = getShadow(Inst->getOperand(0));
1292 for (unsigned i = 1, n = Inst->getNumOperands(); i != n; ++i) {
1293 Shadow = combineShadows(Shadow, getShadow(Inst->getOperand(i)), Inst);
1294 }
1295 return Shadow;
1296 }
1297
visitOperandShadowInst(Instruction & I)1298 Value *DFSanVisitor::visitOperandShadowInst(Instruction &I) {
1299 Value *CombinedShadow = DFSF.combineOperandShadows(&I);
1300 DFSF.setShadow(&I, CombinedShadow);
1301 return CombinedShadow;
1302 }
1303
1304 // Generates IR to load shadow corresponding to bytes [Addr, Addr+Size), where
1305 // Addr has alignment Align, and take the union of each of those shadows.
loadShadow(Value * Addr,uint64_t Size,uint64_t Align,Instruction * Pos)1306 Value *DFSanFunction::loadShadow(Value *Addr, uint64_t Size, uint64_t Align,
1307 Instruction *Pos) {
1308 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) {
1309 const auto i = AllocaShadowMap.find(AI);
1310 if (i != AllocaShadowMap.end()) {
1311 IRBuilder<> IRB(Pos);
1312 return IRB.CreateLoad(DFS.PrimitiveShadowTy, i->second);
1313 }
1314 }
1315
1316 const llvm::Align ShadowAlign(Align * DFS.ShadowWidthBytes);
1317 SmallVector<const Value *, 2> Objs;
1318 getUnderlyingObjects(Addr, Objs);
1319 bool AllConstants = true;
1320 for (const Value *Obj : Objs) {
1321 if (isa<Function>(Obj) || isa<BlockAddress>(Obj))
1322 continue;
1323 if (isa<GlobalVariable>(Obj) && cast<GlobalVariable>(Obj)->isConstant())
1324 continue;
1325
1326 AllConstants = false;
1327 break;
1328 }
1329 if (AllConstants)
1330 return DFS.ZeroPrimitiveShadow;
1331
1332 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos);
1333 switch (Size) {
1334 case 0:
1335 return DFS.ZeroPrimitiveShadow;
1336 case 1: {
1337 LoadInst *LI = new LoadInst(DFS.PrimitiveShadowTy, ShadowAddr, "", Pos);
1338 LI->setAlignment(ShadowAlign);
1339 return LI;
1340 }
1341 case 2: {
1342 IRBuilder<> IRB(Pos);
1343 Value *ShadowAddr1 = IRB.CreateGEP(DFS.PrimitiveShadowTy, ShadowAddr,
1344 ConstantInt::get(DFS.IntptrTy, 1));
1345 return combineShadows(
1346 IRB.CreateAlignedLoad(DFS.PrimitiveShadowTy, ShadowAddr, ShadowAlign),
1347 IRB.CreateAlignedLoad(DFS.PrimitiveShadowTy, ShadowAddr1, ShadowAlign),
1348 Pos);
1349 }
1350 }
1351
1352 if (ClFast16Labels && Size % (64 / DFS.ShadowWidthBits) == 0) {
1353 // First OR all the WideShadows, then OR individual shadows within the
1354 // combined WideShadow. This is fewer instructions than ORing shadows
1355 // individually.
1356 IRBuilder<> IRB(Pos);
1357 Value *WideAddr =
1358 IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx));
1359 Value *CombinedWideShadow =
1360 IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign);
1361 for (uint64_t Ofs = 64 / DFS.ShadowWidthBits; Ofs != Size;
1362 Ofs += 64 / DFS.ShadowWidthBits) {
1363 WideAddr = IRB.CreateGEP(Type::getInt64Ty(*DFS.Ctx), WideAddr,
1364 ConstantInt::get(DFS.IntptrTy, 1));
1365 Value *NextWideShadow =
1366 IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign);
1367 CombinedWideShadow = IRB.CreateOr(CombinedWideShadow, NextWideShadow);
1368 }
1369 for (unsigned Width = 32; Width >= DFS.ShadowWidthBits; Width >>= 1) {
1370 Value *ShrShadow = IRB.CreateLShr(CombinedWideShadow, Width);
1371 CombinedWideShadow = IRB.CreateOr(CombinedWideShadow, ShrShadow);
1372 }
1373 return IRB.CreateTrunc(CombinedWideShadow, DFS.PrimitiveShadowTy);
1374 }
1375 if (!AvoidNewBlocks && Size % (64 / DFS.ShadowWidthBits) == 0) {
1376 // Fast path for the common case where each byte has identical shadow: load
1377 // shadow 64 bits at a time, fall out to a __dfsan_union_load call if any
1378 // shadow is non-equal.
1379 BasicBlock *FallbackBB = BasicBlock::Create(*DFS.Ctx, "", F);
1380 IRBuilder<> FallbackIRB(FallbackBB);
1381 CallInst *FallbackCall = FallbackIRB.CreateCall(
1382 DFS.DFSanUnionLoadFn,
1383 {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)});
1384 FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1385
1386 // Compare each of the shadows stored in the loaded 64 bits to each other,
1387 // by computing (WideShadow rotl ShadowWidthBits) == WideShadow.
1388 IRBuilder<> IRB(Pos);
1389 Value *WideAddr =
1390 IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx));
1391 Value *WideShadow =
1392 IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign);
1393 Value *TruncShadow = IRB.CreateTrunc(WideShadow, DFS.PrimitiveShadowTy);
1394 Value *ShlShadow = IRB.CreateShl(WideShadow, DFS.ShadowWidthBits);
1395 Value *ShrShadow = IRB.CreateLShr(WideShadow, 64 - DFS.ShadowWidthBits);
1396 Value *RotShadow = IRB.CreateOr(ShlShadow, ShrShadow);
1397 Value *ShadowsEq = IRB.CreateICmpEQ(WideShadow, RotShadow);
1398
1399 BasicBlock *Head = Pos->getParent();
1400 BasicBlock *Tail = Head->splitBasicBlock(Pos->getIterator());
1401
1402 if (DomTreeNode *OldNode = DT.getNode(Head)) {
1403 std::vector<DomTreeNode *> Children(OldNode->begin(), OldNode->end());
1404
1405 DomTreeNode *NewNode = DT.addNewBlock(Tail, Head);
1406 for (auto Child : Children)
1407 DT.changeImmediateDominator(Child, NewNode);
1408 }
1409
1410 // In the following code LastBr will refer to the previous basic block's
1411 // conditional branch instruction, whose true successor is fixed up to point
1412 // to the next block during the loop below or to the tail after the final
1413 // iteration.
1414 BranchInst *LastBr = BranchInst::Create(FallbackBB, FallbackBB, ShadowsEq);
1415 ReplaceInstWithInst(Head->getTerminator(), LastBr);
1416 DT.addNewBlock(FallbackBB, Head);
1417
1418 for (uint64_t Ofs = 64 / DFS.ShadowWidthBits; Ofs != Size;
1419 Ofs += 64 / DFS.ShadowWidthBits) {
1420 BasicBlock *NextBB = BasicBlock::Create(*DFS.Ctx, "", F);
1421 DT.addNewBlock(NextBB, LastBr->getParent());
1422 IRBuilder<> NextIRB(NextBB);
1423 WideAddr = NextIRB.CreateGEP(Type::getInt64Ty(*DFS.Ctx), WideAddr,
1424 ConstantInt::get(DFS.IntptrTy, 1));
1425 Value *NextWideShadow = NextIRB.CreateAlignedLoad(NextIRB.getInt64Ty(),
1426 WideAddr, ShadowAlign);
1427 ShadowsEq = NextIRB.CreateICmpEQ(WideShadow, NextWideShadow);
1428 LastBr->setSuccessor(0, NextBB);
1429 LastBr = NextIRB.CreateCondBr(ShadowsEq, FallbackBB, FallbackBB);
1430 }
1431
1432 LastBr->setSuccessor(0, Tail);
1433 FallbackIRB.CreateBr(Tail);
1434 PHINode *Shadow =
1435 PHINode::Create(DFS.PrimitiveShadowTy, 2, "", &Tail->front());
1436 Shadow->addIncoming(FallbackCall, FallbackBB);
1437 Shadow->addIncoming(TruncShadow, LastBr->getParent());
1438 return Shadow;
1439 }
1440
1441 IRBuilder<> IRB(Pos);
1442 FunctionCallee &UnionLoadFn =
1443 ClFast16Labels ? DFS.DFSanUnionLoadFast16LabelsFn : DFS.DFSanUnionLoadFn;
1444 CallInst *FallbackCall = IRB.CreateCall(
1445 UnionLoadFn, {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)});
1446 FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1447 return FallbackCall;
1448 }
1449
visitLoadInst(LoadInst & LI)1450 void DFSanVisitor::visitLoadInst(LoadInst &LI) {
1451 auto &DL = LI.getModule()->getDataLayout();
1452 uint64_t Size = DL.getTypeStoreSize(LI.getType());
1453 if (Size == 0) {
1454 DFSF.setShadow(&LI, DFSF.DFS.getZeroShadow(&LI));
1455 return;
1456 }
1457
1458 Align Alignment = ClPreserveAlignment ? LI.getAlign() : Align(1);
1459 Value *Shadow =
1460 DFSF.loadShadow(LI.getPointerOperand(), Size, Alignment.value(), &LI);
1461 if (ClCombinePointerLabelsOnLoad) {
1462 Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand());
1463 Shadow = DFSF.combineShadows(Shadow, PtrShadow, &LI);
1464 }
1465 if (!DFSF.DFS.isZeroShadow(Shadow))
1466 DFSF.NonZeroChecks.push_back(Shadow);
1467
1468 DFSF.setShadow(&LI, Shadow);
1469 if (ClEventCallbacks) {
1470 IRBuilder<> IRB(&LI);
1471 Value *Addr8 = IRB.CreateBitCast(LI.getPointerOperand(), DFSF.DFS.Int8Ptr);
1472 IRB.CreateCall(DFSF.DFS.DFSanLoadCallbackFn, {Shadow, Addr8});
1473 }
1474 }
1475
storeShadow(Value * Addr,uint64_t Size,Align Alignment,Value * Shadow,Instruction * Pos)1476 void DFSanFunction::storeShadow(Value *Addr, uint64_t Size, Align Alignment,
1477 Value *Shadow, Instruction *Pos) {
1478 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) {
1479 const auto i = AllocaShadowMap.find(AI);
1480 if (i != AllocaShadowMap.end()) {
1481 IRBuilder<> IRB(Pos);
1482 IRB.CreateStore(Shadow, i->second);
1483 return;
1484 }
1485 }
1486
1487 const Align ShadowAlign(Alignment.value() * DFS.ShadowWidthBytes);
1488 IRBuilder<> IRB(Pos);
1489 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos);
1490 if (DFS.isZeroShadow(Shadow)) {
1491 IntegerType *ShadowTy =
1492 IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidthBits);
1493 Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0);
1494 Value *ExtShadowAddr =
1495 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy));
1496 IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign);
1497 return;
1498 }
1499
1500 const unsigned ShadowVecSize = 128 / DFS.ShadowWidthBits;
1501 uint64_t Offset = 0;
1502 if (Size >= ShadowVecSize) {
1503 auto *ShadowVecTy =
1504 FixedVectorType::get(DFS.PrimitiveShadowTy, ShadowVecSize);
1505 Value *ShadowVec = UndefValue::get(ShadowVecTy);
1506 for (unsigned i = 0; i != ShadowVecSize; ++i) {
1507 ShadowVec = IRB.CreateInsertElement(
1508 ShadowVec, Shadow, ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), i));
1509 }
1510 Value *ShadowVecAddr =
1511 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy));
1512 do {
1513 Value *CurShadowVecAddr =
1514 IRB.CreateConstGEP1_32(ShadowVecTy, ShadowVecAddr, Offset);
1515 IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign);
1516 Size -= ShadowVecSize;
1517 ++Offset;
1518 } while (Size >= ShadowVecSize);
1519 Offset *= ShadowVecSize;
1520 }
1521 while (Size > 0) {
1522 Value *CurShadowAddr =
1523 IRB.CreateConstGEP1_32(DFS.PrimitiveShadowTy, ShadowAddr, Offset);
1524 IRB.CreateAlignedStore(Shadow, CurShadowAddr, ShadowAlign);
1525 --Size;
1526 ++Offset;
1527 }
1528 }
1529
visitStoreInst(StoreInst & SI)1530 void DFSanVisitor::visitStoreInst(StoreInst &SI) {
1531 auto &DL = SI.getModule()->getDataLayout();
1532 uint64_t Size = DL.getTypeStoreSize(SI.getValueOperand()->getType());
1533 if (Size == 0)
1534 return;
1535
1536 const Align Alignment = ClPreserveAlignment ? SI.getAlign() : Align(1);
1537
1538 Value* Shadow = DFSF.getShadow(SI.getValueOperand());
1539 if (ClCombinePointerLabelsOnStore) {
1540 Value *PtrShadow = DFSF.getShadow(SI.getPointerOperand());
1541 Shadow = DFSF.combineShadows(Shadow, PtrShadow, &SI);
1542 }
1543 DFSF.storeShadow(SI.getPointerOperand(), Size, Alignment, Shadow, &SI);
1544 if (ClEventCallbacks) {
1545 IRBuilder<> IRB(&SI);
1546 Value *Addr8 = IRB.CreateBitCast(SI.getPointerOperand(), DFSF.DFS.Int8Ptr);
1547 IRB.CreateCall(DFSF.DFS.DFSanStoreCallbackFn, {Shadow, Addr8});
1548 }
1549 }
1550
visitUnaryOperator(UnaryOperator & UO)1551 void DFSanVisitor::visitUnaryOperator(UnaryOperator &UO) {
1552 visitOperandShadowInst(UO);
1553 }
1554
visitBinaryOperator(BinaryOperator & BO)1555 void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) {
1556 visitOperandShadowInst(BO);
1557 }
1558
visitCastInst(CastInst & CI)1559 void DFSanVisitor::visitCastInst(CastInst &CI) { visitOperandShadowInst(CI); }
1560
visitCmpInst(CmpInst & CI)1561 void DFSanVisitor::visitCmpInst(CmpInst &CI) {
1562 Value *CombinedShadow = visitOperandShadowInst(CI);
1563 if (ClEventCallbacks) {
1564 IRBuilder<> IRB(&CI);
1565 IRB.CreateCall(DFSF.DFS.DFSanCmpCallbackFn, CombinedShadow);
1566 }
1567 }
1568
visitGetElementPtrInst(GetElementPtrInst & GEPI)1569 void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) {
1570 visitOperandShadowInst(GEPI);
1571 }
1572
visitExtractElementInst(ExtractElementInst & I)1573 void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) {
1574 visitOperandShadowInst(I);
1575 }
1576
visitInsertElementInst(InsertElementInst & I)1577 void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) {
1578 visitOperandShadowInst(I);
1579 }
1580
visitShuffleVectorInst(ShuffleVectorInst & I)1581 void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) {
1582 visitOperandShadowInst(I);
1583 }
1584
visitExtractValueInst(ExtractValueInst & I)1585 void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) {
1586 visitOperandShadowInst(I);
1587 }
1588
visitInsertValueInst(InsertValueInst & I)1589 void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) {
1590 visitOperandShadowInst(I);
1591 }
1592
visitAllocaInst(AllocaInst & I)1593 void DFSanVisitor::visitAllocaInst(AllocaInst &I) {
1594 bool AllLoadsStores = true;
1595 for (User *U : I.users()) {
1596 if (isa<LoadInst>(U))
1597 continue;
1598
1599 if (StoreInst *SI = dyn_cast<StoreInst>(U)) {
1600 if (SI->getPointerOperand() == &I)
1601 continue;
1602 }
1603
1604 AllLoadsStores = false;
1605 break;
1606 }
1607 if (AllLoadsStores) {
1608 IRBuilder<> IRB(&I);
1609 DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.PrimitiveShadowTy);
1610 }
1611 DFSF.setShadow(&I, DFSF.DFS.ZeroPrimitiveShadow);
1612 }
1613
visitSelectInst(SelectInst & I)1614 void DFSanVisitor::visitSelectInst(SelectInst &I) {
1615 Value *CondShadow = DFSF.getShadow(I.getCondition());
1616 Value *TrueShadow = DFSF.getShadow(I.getTrueValue());
1617 Value *FalseShadow = DFSF.getShadow(I.getFalseValue());
1618 Value *ShadowSel = nullptr;
1619
1620 if (isa<VectorType>(I.getCondition()->getType())) {
1621 ShadowSel = DFSF.combineShadows(TrueShadow, FalseShadow, &I);
1622 } else {
1623 if (TrueShadow == FalseShadow) {
1624 ShadowSel = TrueShadow;
1625 } else {
1626 ShadowSel =
1627 SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I);
1628 }
1629 }
1630 DFSF.setShadow(&I, ClTrackSelectControlFlow
1631 ? DFSF.combineShadows(CondShadow, ShadowSel, &I)
1632 : ShadowSel);
1633 }
1634
visitMemSetInst(MemSetInst & I)1635 void DFSanVisitor::visitMemSetInst(MemSetInst &I) {
1636 IRBuilder<> IRB(&I);
1637 Value *ValShadow = DFSF.getShadow(I.getValue());
1638 IRB.CreateCall(DFSF.DFS.DFSanSetLabelFn,
1639 {ValShadow, IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy(
1640 *DFSF.DFS.Ctx)),
1641 IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)});
1642 }
1643
visitMemTransferInst(MemTransferInst & I)1644 void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) {
1645 IRBuilder<> IRB(&I);
1646 Value *RawDestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I);
1647 Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I);
1648 Value *LenShadow =
1649 IRB.CreateMul(I.getLength(), ConstantInt::get(I.getLength()->getType(),
1650 DFSF.DFS.ShadowWidthBytes));
1651 Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx);
1652 Value *DestShadow = IRB.CreateBitCast(RawDestShadow, Int8Ptr);
1653 SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr);
1654 auto *MTI = cast<MemTransferInst>(
1655 IRB.CreateCall(I.getFunctionType(), I.getCalledOperand(),
1656 {DestShadow, SrcShadow, LenShadow, I.getVolatileCst()}));
1657 if (ClPreserveAlignment) {
1658 MTI->setDestAlignment(I.getDestAlign() * DFSF.DFS.ShadowWidthBytes);
1659 MTI->setSourceAlignment(I.getSourceAlign() * DFSF.DFS.ShadowWidthBytes);
1660 } else {
1661 MTI->setDestAlignment(Align(DFSF.DFS.ShadowWidthBytes));
1662 MTI->setSourceAlignment(Align(DFSF.DFS.ShadowWidthBytes));
1663 }
1664 if (ClEventCallbacks) {
1665 IRB.CreateCall(DFSF.DFS.DFSanMemTransferCallbackFn,
1666 {RawDestShadow, I.getLength()});
1667 }
1668 }
1669
visitReturnInst(ReturnInst & RI)1670 void DFSanVisitor::visitReturnInst(ReturnInst &RI) {
1671 if (!DFSF.IsNativeABI && RI.getReturnValue()) {
1672 switch (DFSF.IA) {
1673 case DataFlowSanitizer::IA_TLS: {
1674 Value *S = DFSF.getShadow(RI.getReturnValue());
1675 IRBuilder<> IRB(&RI);
1676 Type *RT = DFSF.F->getFunctionType()->getReturnType();
1677 unsigned Size =
1678 getDataLayout().getTypeAllocSize(DFSF.DFS.getShadowTy(RT));
1679 if (Size <= kRetvalTLSSize) {
1680 // If the size overflows, stores nothing. At callsite, oversized return
1681 // shadows are set to zero.
1682 IRB.CreateAlignedStore(S, DFSF.getRetvalTLS(RT, IRB),
1683 kShadowTLSAlignment);
1684 }
1685 break;
1686 }
1687 case DataFlowSanitizer::IA_Args: {
1688 IRBuilder<> IRB(&RI);
1689 Type *RT = DFSF.F->getFunctionType()->getReturnType();
1690 Value *InsVal =
1691 IRB.CreateInsertValue(UndefValue::get(RT), RI.getReturnValue(), 0);
1692 Value *InsShadow =
1693 IRB.CreateInsertValue(InsVal, DFSF.getShadow(RI.getReturnValue()), 1);
1694 RI.setOperand(0, InsShadow);
1695 break;
1696 }
1697 }
1698 }
1699 }
1700
visitCallBase(CallBase & CB)1701 void DFSanVisitor::visitCallBase(CallBase &CB) {
1702 Function *F = CB.getCalledFunction();
1703 if ((F && F->isIntrinsic()) || CB.isInlineAsm()) {
1704 visitOperandShadowInst(CB);
1705 return;
1706 }
1707
1708 // Calls to this function are synthesized in wrappers, and we shouldn't
1709 // instrument them.
1710 if (F == DFSF.DFS.DFSanVarargWrapperFn.getCallee()->stripPointerCasts())
1711 return;
1712
1713 IRBuilder<> IRB(&CB);
1714
1715 DenseMap<Value *, Function *>::iterator i =
1716 DFSF.DFS.UnwrappedFnMap.find(CB.getCalledOperand());
1717 if (i != DFSF.DFS.UnwrappedFnMap.end()) {
1718 Function *F = i->second;
1719 switch (DFSF.DFS.getWrapperKind(F)) {
1720 case DataFlowSanitizer::WK_Warning:
1721 CB.setCalledFunction(F);
1722 IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn,
1723 IRB.CreateGlobalStringPtr(F->getName()));
1724 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB));
1725 return;
1726 case DataFlowSanitizer::WK_Discard:
1727 CB.setCalledFunction(F);
1728 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB));
1729 return;
1730 case DataFlowSanitizer::WK_Functional:
1731 CB.setCalledFunction(F);
1732 visitOperandShadowInst(CB);
1733 return;
1734 case DataFlowSanitizer::WK_Custom:
1735 // Don't try to handle invokes of custom functions, it's too complicated.
1736 // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_
1737 // wrapper.
1738 if (CallInst *CI = dyn_cast<CallInst>(&CB)) {
1739 FunctionType *FT = F->getFunctionType();
1740 TransformedFunction CustomFn = DFSF.DFS.getCustomFunctionType(FT);
1741 std::string CustomFName = "__dfsw_";
1742 CustomFName += F->getName();
1743 FunctionCallee CustomF = DFSF.DFS.Mod->getOrInsertFunction(
1744 CustomFName, CustomFn.TransformedType);
1745 if (Function *CustomFn = dyn_cast<Function>(CustomF.getCallee())) {
1746 CustomFn->copyAttributesFrom(F);
1747
1748 // Custom functions returning non-void will write to the return label.
1749 if (!FT->getReturnType()->isVoidTy()) {
1750 CustomFn->removeAttributes(AttributeList::FunctionIndex,
1751 DFSF.DFS.ReadOnlyNoneAttrs);
1752 }
1753 }
1754
1755 std::vector<Value *> Args;
1756
1757 auto i = CB.arg_begin();
1758 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) {
1759 Type *T = (*i)->getType();
1760 FunctionType *ParamFT;
1761 if (isa<PointerType>(T) &&
1762 (ParamFT = dyn_cast<FunctionType>(
1763 cast<PointerType>(T)->getElementType()))) {
1764 std::string TName = "dfst";
1765 TName += utostr(FT->getNumParams() - n);
1766 TName += "$";
1767 TName += F->getName();
1768 Constant *T = DFSF.DFS.getOrBuildTrampolineFunction(ParamFT, TName);
1769 Args.push_back(T);
1770 Args.push_back(
1771 IRB.CreateBitCast(*i, Type::getInt8PtrTy(*DFSF.DFS.Ctx)));
1772 } else {
1773 Args.push_back(*i);
1774 }
1775 }
1776
1777 i = CB.arg_begin();
1778 const unsigned ShadowArgStart = Args.size();
1779 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1780 Args.push_back(DFSF.getShadow(*i));
1781
1782 if (FT->isVarArg()) {
1783 auto *LabelVATy = ArrayType::get(DFSF.DFS.PrimitiveShadowTy,
1784 CB.arg_size() - FT->getNumParams());
1785 auto *LabelVAAlloca = new AllocaInst(
1786 LabelVATy, getDataLayout().getAllocaAddrSpace(),
1787 "labelva", &DFSF.F->getEntryBlock().front());
1788
1789 for (unsigned n = 0; i != CB.arg_end(); ++i, ++n) {
1790 auto LabelVAPtr = IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, n);
1791 IRB.CreateStore(DFSF.getShadow(*i), LabelVAPtr);
1792 }
1793
1794 Args.push_back(IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, 0));
1795 }
1796
1797 if (!FT->getReturnType()->isVoidTy()) {
1798 if (!DFSF.LabelReturnAlloca) {
1799 DFSF.LabelReturnAlloca =
1800 new AllocaInst(DFSF.DFS.PrimitiveShadowTy,
1801 getDataLayout().getAllocaAddrSpace(),
1802 "labelreturn", &DFSF.F->getEntryBlock().front());
1803 }
1804 Args.push_back(DFSF.LabelReturnAlloca);
1805 }
1806
1807 for (i = CB.arg_begin() + FT->getNumParams(); i != CB.arg_end(); ++i)
1808 Args.push_back(*i);
1809
1810 CallInst *CustomCI = IRB.CreateCall(CustomF, Args);
1811 CustomCI->setCallingConv(CI->getCallingConv());
1812 CustomCI->setAttributes(TransformFunctionAttributes(CustomFn,
1813 CI->getContext(), CI->getAttributes()));
1814
1815 // Update the parameter attributes of the custom call instruction to
1816 // zero extend the shadow parameters. This is required for targets
1817 // which consider PrimitiveShadowTy an illegal type.
1818 for (unsigned n = 0; n < FT->getNumParams(); n++) {
1819 const unsigned ArgNo = ShadowArgStart + n;
1820 if (CustomCI->getArgOperand(ArgNo)->getType() ==
1821 DFSF.DFS.PrimitiveShadowTy)
1822 CustomCI->addParamAttr(ArgNo, Attribute::ZExt);
1823 }
1824
1825 if (!FT->getReturnType()->isVoidTy()) {
1826 LoadInst *LabelLoad = IRB.CreateLoad(DFSF.DFS.PrimitiveShadowTy,
1827 DFSF.LabelReturnAlloca);
1828 DFSF.setShadow(CustomCI, LabelLoad);
1829 }
1830
1831 CI->replaceAllUsesWith(CustomCI);
1832 CI->eraseFromParent();
1833 return;
1834 }
1835 break;
1836 }
1837 }
1838
1839 FunctionType *FT = CB.getFunctionType();
1840 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
1841 unsigned ArgOffset = 0;
1842 const DataLayout &DL = getDataLayout();
1843 for (unsigned I = 0, N = FT->getNumParams(); I != N; ++I) {
1844 unsigned Size =
1845 DL.getTypeAllocSize(DFSF.DFS.getShadowTy(FT->getParamType(I)));
1846 // Stop storing if arguments' size overflows. Inside a function, arguments
1847 // after overflow have zero shadow values.
1848 if (ArgOffset + Size > kArgTLSSize)
1849 break;
1850 IRB.CreateAlignedStore(
1851 DFSF.getShadow(CB.getArgOperand(I)),
1852 DFSF.getArgTLS(FT->getParamType(I), ArgOffset, IRB),
1853 kShadowTLSAlignment);
1854 ArgOffset += alignTo(Size, kShadowTLSAlignment);
1855 }
1856 }
1857
1858 Instruction *Next = nullptr;
1859 if (!CB.getType()->isVoidTy()) {
1860 if (InvokeInst *II = dyn_cast<InvokeInst>(&CB)) {
1861 if (II->getNormalDest()->getSinglePredecessor()) {
1862 Next = &II->getNormalDest()->front();
1863 } else {
1864 BasicBlock *NewBB =
1865 SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DT);
1866 Next = &NewBB->front();
1867 }
1868 } else {
1869 assert(CB.getIterator() != CB.getParent()->end());
1870 Next = CB.getNextNode();
1871 }
1872
1873 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
1874 IRBuilder<> NextIRB(Next);
1875 const DataLayout &DL = getDataLayout();
1876 unsigned Size = DL.getTypeAllocSize(DFSF.DFS.getShadowTy(&CB));
1877 if (Size > kRetvalTLSSize) {
1878 // Set overflowed return shadow to be zero.
1879 DFSF.setShadow(&CB, DFSF.DFS.getZeroShadow(&CB));
1880 } else {
1881 LoadInst *LI = NextIRB.CreateAlignedLoad(
1882 DFSF.DFS.getShadowTy(&CB), DFSF.getRetvalTLS(CB.getType(), NextIRB),
1883 kShadowTLSAlignment, "_dfsret");
1884 DFSF.SkipInsts.insert(LI);
1885 DFSF.setShadow(&CB, LI);
1886 DFSF.NonZeroChecks.push_back(LI);
1887 }
1888 }
1889 }
1890
1891 // Do all instrumentation for IA_Args down here to defer tampering with the
1892 // CFG in a way that SplitEdge may be able to detect.
1893 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) {
1894 FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT);
1895 Value *Func =
1896 IRB.CreateBitCast(CB.getCalledOperand(), PointerType::getUnqual(NewFT));
1897 std::vector<Value *> Args;
1898
1899 auto i = CB.arg_begin(), E = CB.arg_end();
1900 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1901 Args.push_back(*i);
1902
1903 i = CB.arg_begin();
1904 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1905 Args.push_back(DFSF.getShadow(*i));
1906
1907 if (FT->isVarArg()) {
1908 unsigned VarArgSize = CB.arg_size() - FT->getNumParams();
1909 ArrayType *VarArgArrayTy =
1910 ArrayType::get(DFSF.DFS.PrimitiveShadowTy, VarArgSize);
1911 AllocaInst *VarArgShadow =
1912 new AllocaInst(VarArgArrayTy, getDataLayout().getAllocaAddrSpace(),
1913 "", &DFSF.F->getEntryBlock().front());
1914 Args.push_back(IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, 0));
1915 for (unsigned n = 0; i != E; ++i, ++n) {
1916 IRB.CreateStore(
1917 DFSF.getShadow(*i),
1918 IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, n));
1919 Args.push_back(*i);
1920 }
1921 }
1922
1923 CallBase *NewCB;
1924 if (InvokeInst *II = dyn_cast<InvokeInst>(&CB)) {
1925 NewCB = IRB.CreateInvoke(NewFT, Func, II->getNormalDest(),
1926 II->getUnwindDest(), Args);
1927 } else {
1928 NewCB = IRB.CreateCall(NewFT, Func, Args);
1929 }
1930 NewCB->setCallingConv(CB.getCallingConv());
1931 NewCB->setAttributes(CB.getAttributes().removeAttributes(
1932 *DFSF.DFS.Ctx, AttributeList::ReturnIndex,
1933 AttributeFuncs::typeIncompatible(NewCB->getType())));
1934
1935 if (Next) {
1936 ExtractValueInst *ExVal = ExtractValueInst::Create(NewCB, 0, "", Next);
1937 DFSF.SkipInsts.insert(ExVal);
1938 ExtractValueInst *ExShadow = ExtractValueInst::Create(NewCB, 1, "", Next);
1939 DFSF.SkipInsts.insert(ExShadow);
1940 DFSF.setShadow(ExVal, ExShadow);
1941 DFSF.NonZeroChecks.push_back(ExShadow);
1942
1943 CB.replaceAllUsesWith(ExVal);
1944 }
1945
1946 CB.eraseFromParent();
1947 }
1948 }
1949
visitPHINode(PHINode & PN)1950 void DFSanVisitor::visitPHINode(PHINode &PN) {
1951 Type *ShadowTy = DFSF.DFS.getShadowTy(&PN);
1952 PHINode *ShadowPN =
1953 PHINode::Create(ShadowTy, PN.getNumIncomingValues(), "", &PN);
1954
1955 // Give the shadow phi node valid predecessors to fool SplitEdge into working.
1956 Value *UndefShadow = UndefValue::get(ShadowTy);
1957 for (PHINode::block_iterator i = PN.block_begin(), e = PN.block_end(); i != e;
1958 ++i) {
1959 ShadowPN->addIncoming(UndefShadow, *i);
1960 }
1961
1962 DFSF.PHIFixups.push_back(std::make_pair(&PN, ShadowPN));
1963 DFSF.setShadow(&PN, ShadowPN);
1964 }
1965
1966 namespace {
1967 class DataFlowSanitizerLegacyPass : public ModulePass {
1968 private:
1969 std::vector<std::string> ABIListFiles;
1970
1971 public:
1972 static char ID;
1973
DataFlowSanitizerLegacyPass(const std::vector<std::string> & ABIListFiles=std::vector<std::string> ())1974 DataFlowSanitizerLegacyPass(
1975 const std::vector<std::string> &ABIListFiles = std::vector<std::string>())
1976 : ModulePass(ID), ABIListFiles(ABIListFiles) {}
1977
runOnModule(Module & M)1978 bool runOnModule(Module &M) override {
1979 return DataFlowSanitizer(ABIListFiles).runImpl(M);
1980 }
1981 };
1982 } // namespace
1983
1984 char DataFlowSanitizerLegacyPass::ID;
1985
1986 INITIALIZE_PASS(DataFlowSanitizerLegacyPass, "dfsan",
1987 "DataFlowSanitizer: dynamic data flow analysis.", false, false)
1988
createDataFlowSanitizerLegacyPassPass(const std::vector<std::string> & ABIListFiles)1989 ModulePass *llvm::createDataFlowSanitizerLegacyPassPass(
1990 const std::vector<std::string> &ABIListFiles) {
1991 return new DataFlowSanitizerLegacyPass(ABIListFiles);
1992 }
1993
run(Module & M,ModuleAnalysisManager & AM)1994 PreservedAnalyses DataFlowSanitizerPass::run(Module &M,
1995 ModuleAnalysisManager &AM) {
1996 if (DataFlowSanitizer(ABIListFiles).runImpl(M)) {
1997 return PreservedAnalyses::none();
1998 }
1999 return PreservedAnalyses::all();
2000 }
2001