1.7.6.1Copyright © 2003-2014 University of Illinois at Urbana-Champaign. All Rights Reserved.
LLVM API Documentation
00001 //===-- DataFlowSanitizer.cpp - dynamic data flow analysis ----------------===// 00002 // 00003 // The LLVM Compiler Infrastructure 00004 // 00005 // This file is distributed under the University of Illinois Open Source 00006 // License. See LICENSE.TXT for details. 00007 // 00008 //===----------------------------------------------------------------------===// 00009 /// \file 00010 /// This file is a part of DataFlowSanitizer, a generalised dynamic data flow 00011 /// analysis. 00012 /// 00013 /// Unlike other Sanitizer tools, this tool is not designed to detect a specific 00014 /// class of bugs on its own. Instead, it provides a generic dynamic data flow 00015 /// analysis framework to be used by clients to help detect application-specific 00016 /// issues within their own code. 00017 /// 00018 /// The analysis is based on automatic propagation of data flow labels (also 00019 /// known as taint labels) through a program as it performs computation. Each 00020 /// byte of application memory is backed by two bytes of shadow memory which 00021 /// hold the label. On Linux/x86_64, memory is laid out as follows: 00022 /// 00023 /// +--------------------+ 0x800000000000 (top of memory) 00024 /// | application memory | 00025 /// +--------------------+ 0x700000008000 (kAppAddr) 00026 /// | | 00027 /// | unused | 00028 /// | | 00029 /// +--------------------+ 0x200200000000 (kUnusedAddr) 00030 /// | union table | 00031 /// +--------------------+ 0x200000000000 (kUnionTableAddr) 00032 /// | shadow memory | 00033 /// +--------------------+ 0x000000010000 (kShadowAddr) 00034 /// | reserved by kernel | 00035 /// +--------------------+ 0x000000000000 00036 /// 00037 /// To derive a shadow memory address from an application memory address, 00038 /// bits 44-46 are cleared to bring the address into the range 00039 /// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to 00040 /// account for the double byte representation of shadow labels and move the 00041 /// address into the shadow memory range. See the function 00042 /// DataFlowSanitizer::getShadowAddress below. 00043 /// 00044 /// For more information, please refer to the design document: 00045 /// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html 00046 00047 #include "llvm/Transforms/Instrumentation.h" 00048 #include "llvm/ADT/DenseMap.h" 00049 #include "llvm/ADT/DenseSet.h" 00050 #include "llvm/ADT/DepthFirstIterator.h" 00051 #include "llvm/ADT/StringExtras.h" 00052 #include "llvm/Analysis/ValueTracking.h" 00053 #include "llvm/IR/Dominators.h" 00054 #include "llvm/IR/IRBuilder.h" 00055 #include "llvm/IR/InlineAsm.h" 00056 #include "llvm/IR/InstVisitor.h" 00057 #include "llvm/IR/LLVMContext.h" 00058 #include "llvm/IR/MDBuilder.h" 00059 #include "llvm/IR/Type.h" 00060 #include "llvm/IR/Value.h" 00061 #include "llvm/Pass.h" 00062 #include "llvm/Support/CommandLine.h" 00063 #include "llvm/Support/SpecialCaseList.h" 00064 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 00065 #include "llvm/Transforms/Utils/Local.h" 00066 #include <algorithm> 00067 #include <iterator> 00068 #include <set> 00069 #include <utility> 00070 00071 using namespace llvm; 00072 00073 // The -dfsan-preserve-alignment flag controls whether this pass assumes that 00074 // alignment requirements provided by the input IR are correct. For example, 00075 // if the input IR contains a load with alignment 8, this flag will cause 00076 // the shadow load to have alignment 16. This flag is disabled by default as 00077 // we have unfortunately encountered too much code (including Clang itself; 00078 // see PR14291) which performs misaligned access. 00079 static cl::opt<bool> ClPreserveAlignment( 00080 "dfsan-preserve-alignment", 00081 cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, 00082 cl::init(false)); 00083 00084 // The ABI list file controls how shadow parameters are passed. The pass treats 00085 // every function labelled "uninstrumented" in the ABI list file as conforming 00086 // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains 00087 // additional annotations for those functions, a call to one of those functions 00088 // will produce a warning message, as the labelling behaviour of the function is 00089 // unknown. The other supported annotations are "functional" and "discard", 00090 // which are described below under DataFlowSanitizer::WrapperKind. 00091 static cl::opt<std::string> ClABIListFile( 00092 "dfsan-abilist", 00093 cl::desc("File listing native ABI functions and how the pass treats them"), 00094 cl::Hidden); 00095 00096 // Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented 00097 // functions (see DataFlowSanitizer::InstrumentedABI below). 00098 static cl::opt<bool> ClArgsABI( 00099 "dfsan-args-abi", 00100 cl::desc("Use the argument ABI rather than the TLS ABI"), 00101 cl::Hidden); 00102 00103 // Controls whether the pass includes or ignores the labels of pointers in load 00104 // instructions. 00105 static cl::opt<bool> ClCombinePointerLabelsOnLoad( 00106 "dfsan-combine-pointer-labels-on-load", 00107 cl::desc("Combine the label of the pointer with the label of the data when " 00108 "loading from memory."), 00109 cl::Hidden, cl::init(true)); 00110 00111 // Controls whether the pass includes or ignores the labels of pointers in 00112 // stores instructions. 00113 static cl::opt<bool> ClCombinePointerLabelsOnStore( 00114 "dfsan-combine-pointer-labels-on-store", 00115 cl::desc("Combine the label of the pointer with the label of the data when " 00116 "storing in memory."), 00117 cl::Hidden, cl::init(false)); 00118 00119 static cl::opt<bool> ClDebugNonzeroLabels( 00120 "dfsan-debug-nonzero-labels", 00121 cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, " 00122 "load or return with a nonzero label"), 00123 cl::Hidden); 00124 00125 namespace { 00126 00127 StringRef GetGlobalTypeString(const GlobalValue &G) { 00128 // Types of GlobalVariables are always pointer types. 00129 Type *GType = G.getType()->getElementType(); 00130 // For now we support blacklisting struct types only. 00131 if (StructType *SGType = dyn_cast<StructType>(GType)) { 00132 if (!SGType->isLiteral()) 00133 return SGType->getName(); 00134 } 00135 return "<unknown type>"; 00136 } 00137 00138 class DFSanABIList { 00139 std::unique_ptr<SpecialCaseList> SCL; 00140 00141 public: 00142 DFSanABIList(std::unique_ptr<SpecialCaseList> SCL) : SCL(std::move(SCL)) {} 00143 00144 /// Returns whether either this function or its source file are listed in the 00145 /// given category. 00146 bool isIn(const Function &F, StringRef Category) const { 00147 return isIn(*F.getParent(), Category) || 00148 SCL->inSection("fun", F.getName(), Category); 00149 } 00150 00151 /// Returns whether this global alias is listed in the given category. 00152 /// 00153 /// If GA aliases a function, the alias's name is matched as a function name 00154 /// would be. Similarly, aliases of globals are matched like globals. 00155 bool isIn(const GlobalAlias &GA, StringRef Category) const { 00156 if (isIn(*GA.getParent(), Category)) 00157 return true; 00158 00159 if (isa<FunctionType>(GA.getType()->getElementType())) 00160 return SCL->inSection("fun", GA.getName(), Category); 00161 00162 return SCL->inSection("global", GA.getName(), Category) || 00163 SCL->inSection("type", GetGlobalTypeString(GA), Category); 00164 } 00165 00166 /// Returns whether this module is listed in the given category. 00167 bool isIn(const Module &M, StringRef Category) const { 00168 return SCL->inSection("src", M.getModuleIdentifier(), Category); 00169 } 00170 }; 00171 00172 class DataFlowSanitizer : public ModulePass { 00173 friend struct DFSanFunction; 00174 friend class DFSanVisitor; 00175 00176 enum { 00177 ShadowWidth = 16 00178 }; 00179 00180 /// Which ABI should be used for instrumented functions? 00181 enum InstrumentedABI { 00182 /// Argument and return value labels are passed through additional 00183 /// arguments and by modifying the return type. 00184 IA_Args, 00185 00186 /// Argument and return value labels are passed through TLS variables 00187 /// __dfsan_arg_tls and __dfsan_retval_tls. 00188 IA_TLS 00189 }; 00190 00191 /// How should calls to uninstrumented functions be handled? 00192 enum WrapperKind { 00193 /// This function is present in an uninstrumented form but we don't know 00194 /// how it should be handled. Print a warning and call the function anyway. 00195 /// Don't label the return value. 00196 WK_Warning, 00197 00198 /// This function does not write to (user-accessible) memory, and its return 00199 /// value is unlabelled. 00200 WK_Discard, 00201 00202 /// This function does not write to (user-accessible) memory, and the label 00203 /// of its return value is the union of the label of its arguments. 00204 WK_Functional, 00205 00206 /// Instead of calling the function, a custom wrapper __dfsw_F is called, 00207 /// where F is the name of the function. This function may wrap the 00208 /// original function or provide its own implementation. This is similar to 00209 /// the IA_Args ABI, except that IA_Args uses a struct return type to 00210 /// pass the return value shadow in a register, while WK_Custom uses an 00211 /// extra pointer argument to return the shadow. This allows the wrapped 00212 /// form of the function type to be expressed in C. 00213 WK_Custom 00214 }; 00215 00216 const DataLayout *DL; 00217 Module *Mod; 00218 LLVMContext *Ctx; 00219 IntegerType *ShadowTy; 00220 PointerType *ShadowPtrTy; 00221 IntegerType *IntptrTy; 00222 ConstantInt *ZeroShadow; 00223 ConstantInt *ShadowPtrMask; 00224 ConstantInt *ShadowPtrMul; 00225 Constant *ArgTLS; 00226 Constant *RetvalTLS; 00227 void *(*GetArgTLSPtr)(); 00228 void *(*GetRetvalTLSPtr)(); 00229 Constant *GetArgTLS; 00230 Constant *GetRetvalTLS; 00231 FunctionType *DFSanUnionFnTy; 00232 FunctionType *DFSanUnionLoadFnTy; 00233 FunctionType *DFSanUnimplementedFnTy; 00234 FunctionType *DFSanSetLabelFnTy; 00235 FunctionType *DFSanNonzeroLabelFnTy; 00236 Constant *DFSanUnionFn; 00237 Constant *DFSanCheckedUnionFn; 00238 Constant *DFSanUnionLoadFn; 00239 Constant *DFSanUnimplementedFn; 00240 Constant *DFSanSetLabelFn; 00241 Constant *DFSanNonzeroLabelFn; 00242 MDNode *ColdCallWeights; 00243 DFSanABIList ABIList; 00244 DenseMap<Value *, Function *> UnwrappedFnMap; 00245 AttributeSet ReadOnlyNoneAttrs; 00246 00247 Value *getShadowAddress(Value *Addr, Instruction *Pos); 00248 bool isInstrumented(const Function *F); 00249 bool isInstrumented(const GlobalAlias *GA); 00250 FunctionType *getArgsFunctionType(FunctionType *T); 00251 FunctionType *getTrampolineFunctionType(FunctionType *T); 00252 FunctionType *getCustomFunctionType(FunctionType *T); 00253 InstrumentedABI getInstrumentedABI(); 00254 WrapperKind getWrapperKind(Function *F); 00255 void addGlobalNamePrefix(GlobalValue *GV); 00256 Function *buildWrapperFunction(Function *F, StringRef NewFName, 00257 GlobalValue::LinkageTypes NewFLink, 00258 FunctionType *NewFT); 00259 Constant *getOrBuildTrampolineFunction(FunctionType *FT, StringRef FName); 00260 00261 public: 00262 DataFlowSanitizer(StringRef ABIListFile = StringRef(), 00263 void *(*getArgTLS)() = nullptr, 00264 void *(*getRetValTLS)() = nullptr); 00265 static char ID; 00266 bool doInitialization(Module &M) override; 00267 bool runOnModule(Module &M) override; 00268 }; 00269 00270 struct DFSanFunction { 00271 DataFlowSanitizer &DFS; 00272 Function *F; 00273 DominatorTree DT; 00274 DataFlowSanitizer::InstrumentedABI IA; 00275 bool IsNativeABI; 00276 Value *ArgTLSPtr; 00277 Value *RetvalTLSPtr; 00278 AllocaInst *LabelReturnAlloca; 00279 DenseMap<Value *, Value *> ValShadowMap; 00280 DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap; 00281 std::vector<std::pair<PHINode *, PHINode *> > PHIFixups; 00282 DenseSet<Instruction *> SkipInsts; 00283 std::vector<Value *> NonZeroChecks; 00284 bool AvoidNewBlocks; 00285 00286 struct CachedCombinedShadow { 00287 BasicBlock *Block; 00288 Value *Shadow; 00289 }; 00290 DenseMap<std::pair<Value *, Value *>, CachedCombinedShadow> 00291 CachedCombinedShadows; 00292 DenseMap<Value *, std::set<Value *>> ShadowElements; 00293 00294 DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI) 00295 : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), 00296 IsNativeABI(IsNativeABI), ArgTLSPtr(nullptr), RetvalTLSPtr(nullptr), 00297 LabelReturnAlloca(nullptr) { 00298 DT.recalculate(*F); 00299 // FIXME: Need to track down the register allocator issue which causes poor 00300 // performance in pathological cases with large numbers of basic blocks. 00301 AvoidNewBlocks = F->size() > 1000; 00302 } 00303 Value *getArgTLSPtr(); 00304 Value *getArgTLS(unsigned Index, Instruction *Pos); 00305 Value *getRetvalTLS(); 00306 Value *getShadow(Value *V); 00307 void setShadow(Instruction *I, Value *Shadow); 00308 Value *combineShadows(Value *V1, Value *V2, Instruction *Pos); 00309 Value *combineOperandShadows(Instruction *Inst); 00310 Value *loadShadow(Value *ShadowAddr, uint64_t Size, uint64_t Align, 00311 Instruction *Pos); 00312 void storeShadow(Value *Addr, uint64_t Size, uint64_t Align, Value *Shadow, 00313 Instruction *Pos); 00314 }; 00315 00316 class DFSanVisitor : public InstVisitor<DFSanVisitor> { 00317 public: 00318 DFSanFunction &DFSF; 00319 DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {} 00320 00321 void visitOperandShadowInst(Instruction &I); 00322 00323 void visitBinaryOperator(BinaryOperator &BO); 00324 void visitCastInst(CastInst &CI); 00325 void visitCmpInst(CmpInst &CI); 00326 void visitGetElementPtrInst(GetElementPtrInst &GEPI); 00327 void visitLoadInst(LoadInst &LI); 00328 void visitStoreInst(StoreInst &SI); 00329 void visitReturnInst(ReturnInst &RI); 00330 void visitCallSite(CallSite CS); 00331 void visitPHINode(PHINode &PN); 00332 void visitExtractElementInst(ExtractElementInst &I); 00333 void visitInsertElementInst(InsertElementInst &I); 00334 void visitShuffleVectorInst(ShuffleVectorInst &I); 00335 void visitExtractValueInst(ExtractValueInst &I); 00336 void visitInsertValueInst(InsertValueInst &I); 00337 void visitAllocaInst(AllocaInst &I); 00338 void visitSelectInst(SelectInst &I); 00339 void visitMemSetInst(MemSetInst &I); 00340 void visitMemTransferInst(MemTransferInst &I); 00341 }; 00342 00343 } 00344 00345 char DataFlowSanitizer::ID; 00346 INITIALIZE_PASS(DataFlowSanitizer, "dfsan", 00347 "DataFlowSanitizer: dynamic data flow analysis.", false, false) 00348 00349 ModulePass *llvm::createDataFlowSanitizerPass(StringRef ABIListFile, 00350 void *(*getArgTLS)(), 00351 void *(*getRetValTLS)()) { 00352 return new DataFlowSanitizer(ABIListFile, getArgTLS, getRetValTLS); 00353 } 00354 00355 DataFlowSanitizer::DataFlowSanitizer(StringRef ABIListFile, 00356 void *(*getArgTLS)(), 00357 void *(*getRetValTLS)()) 00358 : ModulePass(ID), GetArgTLSPtr(getArgTLS), GetRetvalTLSPtr(getRetValTLS), 00359 ABIList(SpecialCaseList::createOrDie(ABIListFile.empty() ? ClABIListFile 00360 : ABIListFile)) { 00361 } 00362 00363 FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) { 00364 llvm::SmallVector<Type *, 4> ArgTypes; 00365 std::copy(T->param_begin(), T->param_end(), std::back_inserter(ArgTypes)); 00366 for (unsigned i = 0, e = T->getNumParams(); i != e; ++i) 00367 ArgTypes.push_back(ShadowTy); 00368 if (T->isVarArg()) 00369 ArgTypes.push_back(ShadowPtrTy); 00370 Type *RetType = T->getReturnType(); 00371 if (!RetType->isVoidTy()) 00372 RetType = StructType::get(RetType, ShadowTy, (Type *)nullptr); 00373 return FunctionType::get(RetType, ArgTypes, T->isVarArg()); 00374 } 00375 00376 FunctionType *DataFlowSanitizer::getTrampolineFunctionType(FunctionType *T) { 00377 assert(!T->isVarArg()); 00378 llvm::SmallVector<Type *, 4> ArgTypes; 00379 ArgTypes.push_back(T->getPointerTo()); 00380 std::copy(T->param_begin(), T->param_end(), std::back_inserter(ArgTypes)); 00381 for (unsigned i = 0, e = T->getNumParams(); i != e; ++i) 00382 ArgTypes.push_back(ShadowTy); 00383 Type *RetType = T->getReturnType(); 00384 if (!RetType->isVoidTy()) 00385 ArgTypes.push_back(ShadowPtrTy); 00386 return FunctionType::get(T->getReturnType(), ArgTypes, false); 00387 } 00388 00389 FunctionType *DataFlowSanitizer::getCustomFunctionType(FunctionType *T) { 00390 assert(!T->isVarArg()); 00391 llvm::SmallVector<Type *, 4> ArgTypes; 00392 for (FunctionType::param_iterator i = T->param_begin(), e = T->param_end(); 00393 i != e; ++i) { 00394 FunctionType *FT; 00395 if (isa<PointerType>(*i) && (FT = dyn_cast<FunctionType>(cast<PointerType>( 00396 *i)->getElementType()))) { 00397 ArgTypes.push_back(getTrampolineFunctionType(FT)->getPointerTo()); 00398 ArgTypes.push_back(Type::getInt8PtrTy(*Ctx)); 00399 } else { 00400 ArgTypes.push_back(*i); 00401 } 00402 } 00403 for (unsigned i = 0, e = T->getNumParams(); i != e; ++i) 00404 ArgTypes.push_back(ShadowTy); 00405 Type *RetType = T->getReturnType(); 00406 if (!RetType->isVoidTy()) 00407 ArgTypes.push_back(ShadowPtrTy); 00408 return FunctionType::get(T->getReturnType(), ArgTypes, false); 00409 } 00410 00411 bool DataFlowSanitizer::doInitialization(Module &M) { 00412 DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>(); 00413 if (!DLP) 00414 report_fatal_error("data layout missing"); 00415 DL = &DLP->getDataLayout(); 00416 00417 Mod = &M; 00418 Ctx = &M.getContext(); 00419 ShadowTy = IntegerType::get(*Ctx, ShadowWidth); 00420 ShadowPtrTy = PointerType::getUnqual(ShadowTy); 00421 IntptrTy = DL->getIntPtrType(*Ctx); 00422 ZeroShadow = ConstantInt::getSigned(ShadowTy, 0); 00423 ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL); 00424 ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidth / 8); 00425 00426 Type *DFSanUnionArgs[2] = { ShadowTy, ShadowTy }; 00427 DFSanUnionFnTy = 00428 FunctionType::get(ShadowTy, DFSanUnionArgs, /*isVarArg=*/ false); 00429 Type *DFSanUnionLoadArgs[2] = { ShadowPtrTy, IntptrTy }; 00430 DFSanUnionLoadFnTy = 00431 FunctionType::get(ShadowTy, DFSanUnionLoadArgs, /*isVarArg=*/ false); 00432 DFSanUnimplementedFnTy = FunctionType::get( 00433 Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false); 00434 Type *DFSanSetLabelArgs[3] = { ShadowTy, Type::getInt8PtrTy(*Ctx), IntptrTy }; 00435 DFSanSetLabelFnTy = FunctionType::get(Type::getVoidTy(*Ctx), 00436 DFSanSetLabelArgs, /*isVarArg=*/false); 00437 DFSanNonzeroLabelFnTy = FunctionType::get( 00438 Type::getVoidTy(*Ctx), None, /*isVarArg=*/false); 00439 00440 if (GetArgTLSPtr) { 00441 Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); 00442 ArgTLS = nullptr; 00443 GetArgTLS = ConstantExpr::getIntToPtr( 00444 ConstantInt::get(IntptrTy, uintptr_t(GetArgTLSPtr)), 00445 PointerType::getUnqual( 00446 FunctionType::get(PointerType::getUnqual(ArgTLSTy), 00447 (Type *)nullptr))); 00448 } 00449 if (GetRetvalTLSPtr) { 00450 RetvalTLS = nullptr; 00451 GetRetvalTLS = ConstantExpr::getIntToPtr( 00452 ConstantInt::get(IntptrTy, uintptr_t(GetRetvalTLSPtr)), 00453 PointerType::getUnqual( 00454 FunctionType::get(PointerType::getUnqual(ShadowTy), 00455 (Type *)nullptr))); 00456 } 00457 00458 ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000); 00459 return true; 00460 } 00461 00462 bool DataFlowSanitizer::isInstrumented(const Function *F) { 00463 return !ABIList.isIn(*F, "uninstrumented"); 00464 } 00465 00466 bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) { 00467 return !ABIList.isIn(*GA, "uninstrumented"); 00468 } 00469 00470 DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() { 00471 return ClArgsABI ? IA_Args : IA_TLS; 00472 } 00473 00474 DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) { 00475 if (ABIList.isIn(*F, "functional")) 00476 return WK_Functional; 00477 if (ABIList.isIn(*F, "discard")) 00478 return WK_Discard; 00479 if (ABIList.isIn(*F, "custom") && !F->isVarArg()) 00480 return WK_Custom; 00481 00482 return WK_Warning; 00483 } 00484 00485 void DataFlowSanitizer::addGlobalNamePrefix(GlobalValue *GV) { 00486 std::string GVName = GV->getName(), Prefix = "dfs$"; 00487 GV->setName(Prefix + GVName); 00488 00489 // Try to change the name of the function in module inline asm. We only do 00490 // this for specific asm directives, currently only ".symver", to try to avoid 00491 // corrupting asm which happens to contain the symbol name as a substring. 00492 // Note that the substitution for .symver assumes that the versioned symbol 00493 // also has an instrumented name. 00494 std::string Asm = GV->getParent()->getModuleInlineAsm(); 00495 std::string SearchStr = ".symver " + GVName + ","; 00496 size_t Pos = Asm.find(SearchStr); 00497 if (Pos != std::string::npos) { 00498 Asm.replace(Pos, SearchStr.size(), 00499 ".symver " + Prefix + GVName + "," + Prefix); 00500 GV->getParent()->setModuleInlineAsm(Asm); 00501 } 00502 } 00503 00504 Function * 00505 DataFlowSanitizer::buildWrapperFunction(Function *F, StringRef NewFName, 00506 GlobalValue::LinkageTypes NewFLink, 00507 FunctionType *NewFT) { 00508 FunctionType *FT = F->getFunctionType(); 00509 Function *NewF = Function::Create(NewFT, NewFLink, NewFName, 00510 F->getParent()); 00511 NewF->copyAttributesFrom(F); 00512 NewF->removeAttributes( 00513 AttributeSet::ReturnIndex, 00514 AttributeFuncs::typeIncompatible(NewFT->getReturnType(), 00515 AttributeSet::ReturnIndex)); 00516 00517 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF); 00518 std::vector<Value *> Args; 00519 unsigned n = FT->getNumParams(); 00520 for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n) 00521 Args.push_back(&*ai); 00522 CallInst *CI = CallInst::Create(F, Args, "", BB); 00523 if (FT->getReturnType()->isVoidTy()) 00524 ReturnInst::Create(*Ctx, BB); 00525 else 00526 ReturnInst::Create(*Ctx, CI, BB); 00527 00528 return NewF; 00529 } 00530 00531 Constant *DataFlowSanitizer::getOrBuildTrampolineFunction(FunctionType *FT, 00532 StringRef FName) { 00533 FunctionType *FTT = getTrampolineFunctionType(FT); 00534 Constant *C = Mod->getOrInsertFunction(FName, FTT); 00535 Function *F = dyn_cast<Function>(C); 00536 if (F && F->isDeclaration()) { 00537 F->setLinkage(GlobalValue::LinkOnceODRLinkage); 00538 BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", F); 00539 std::vector<Value *> Args; 00540 Function::arg_iterator AI = F->arg_begin(); ++AI; 00541 for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N) 00542 Args.push_back(&*AI); 00543 CallInst *CI = 00544 CallInst::Create(&F->getArgumentList().front(), Args, "", BB); 00545 ReturnInst *RI; 00546 if (FT->getReturnType()->isVoidTy()) 00547 RI = ReturnInst::Create(*Ctx, BB); 00548 else 00549 RI = ReturnInst::Create(*Ctx, CI, BB); 00550 00551 DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true); 00552 Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; ++ValAI; 00553 for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N) 00554 DFSF.ValShadowMap[ValAI] = ShadowAI; 00555 DFSanVisitor(DFSF).visitCallInst(*CI); 00556 if (!FT->getReturnType()->isVoidTy()) 00557 new StoreInst(DFSF.getShadow(RI->getReturnValue()), 00558 &F->getArgumentList().back(), RI); 00559 } 00560 00561 return C; 00562 } 00563 00564 bool DataFlowSanitizer::runOnModule(Module &M) { 00565 if (!DL) 00566 return false; 00567 00568 if (ABIList.isIn(M, "skip")) 00569 return false; 00570 00571 if (!GetArgTLSPtr) { 00572 Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); 00573 ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy); 00574 if (GlobalVariable *G = dyn_cast<GlobalVariable>(ArgTLS)) 00575 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 00576 } 00577 if (!GetRetvalTLSPtr) { 00578 RetvalTLS = Mod->getOrInsertGlobal("__dfsan_retval_tls", ShadowTy); 00579 if (GlobalVariable *G = dyn_cast<GlobalVariable>(RetvalTLS)) 00580 G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel); 00581 } 00582 00583 DFSanUnionFn = Mod->getOrInsertFunction("__dfsan_union", DFSanUnionFnTy); 00584 if (Function *F = dyn_cast<Function>(DFSanUnionFn)) { 00585 F->addAttribute(AttributeSet::FunctionIndex, Attribute::NoUnwind); 00586 F->addAttribute(AttributeSet::FunctionIndex, Attribute::ReadNone); 00587 F->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 00588 F->addAttribute(1, Attribute::ZExt); 00589 F->addAttribute(2, Attribute::ZExt); 00590 } 00591 DFSanCheckedUnionFn = Mod->getOrInsertFunction("dfsan_union", DFSanUnionFnTy); 00592 if (Function *F = dyn_cast<Function>(DFSanCheckedUnionFn)) { 00593 F->addAttribute(AttributeSet::FunctionIndex, Attribute::NoUnwind); 00594 F->addAttribute(AttributeSet::FunctionIndex, Attribute::ReadNone); 00595 F->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 00596 F->addAttribute(1, Attribute::ZExt); 00597 F->addAttribute(2, Attribute::ZExt); 00598 } 00599 DFSanUnionLoadFn = 00600 Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy); 00601 if (Function *F = dyn_cast<Function>(DFSanUnionLoadFn)) { 00602 F->addAttribute(AttributeSet::FunctionIndex, Attribute::NoUnwind); 00603 F->addAttribute(AttributeSet::FunctionIndex, Attribute::ReadOnly); 00604 F->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 00605 } 00606 DFSanUnimplementedFn = 00607 Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy); 00608 DFSanSetLabelFn = 00609 Mod->getOrInsertFunction("__dfsan_set_label", DFSanSetLabelFnTy); 00610 if (Function *F = dyn_cast<Function>(DFSanSetLabelFn)) { 00611 F->addAttribute(1, Attribute::ZExt); 00612 } 00613 DFSanNonzeroLabelFn = 00614 Mod->getOrInsertFunction("__dfsan_nonzero_label", DFSanNonzeroLabelFnTy); 00615 00616 std::vector<Function *> FnsToInstrument; 00617 llvm::SmallPtrSet<Function *, 2> FnsWithNativeABI; 00618 for (Module::iterator i = M.begin(), e = M.end(); i != e; ++i) { 00619 if (!i->isIntrinsic() && 00620 i != DFSanUnionFn && 00621 i != DFSanCheckedUnionFn && 00622 i != DFSanUnionLoadFn && 00623 i != DFSanUnimplementedFn && 00624 i != DFSanSetLabelFn && 00625 i != DFSanNonzeroLabelFn) 00626 FnsToInstrument.push_back(&*i); 00627 } 00628 00629 // Give function aliases prefixes when necessary, and build wrappers where the 00630 // instrumentedness is inconsistent. 00631 for (Module::alias_iterator i = M.alias_begin(), e = M.alias_end(); i != e;) { 00632 GlobalAlias *GA = &*i; 00633 ++i; 00634 // Don't stop on weak. We assume people aren't playing games with the 00635 // instrumentedness of overridden weak aliases. 00636 if (auto F = dyn_cast<Function>(GA->getBaseObject())) { 00637 bool GAInst = isInstrumented(GA), FInst = isInstrumented(F); 00638 if (GAInst && FInst) { 00639 addGlobalNamePrefix(GA); 00640 } else if (GAInst != FInst) { 00641 // Non-instrumented alias of an instrumented function, or vice versa. 00642 // Replace the alias with a native-ABI wrapper of the aliasee. The pass 00643 // below will take care of instrumenting it. 00644 Function *NewF = 00645 buildWrapperFunction(F, "", GA->getLinkage(), F->getFunctionType()); 00646 GA->replaceAllUsesWith(ConstantExpr::getBitCast(NewF, GA->getType())); 00647 NewF->takeName(GA); 00648 GA->eraseFromParent(); 00649 FnsToInstrument.push_back(NewF); 00650 } 00651 } 00652 } 00653 00654 AttrBuilder B; 00655 B.addAttribute(Attribute::ReadOnly).addAttribute(Attribute::ReadNone); 00656 ReadOnlyNoneAttrs = AttributeSet::get(*Ctx, AttributeSet::FunctionIndex, B); 00657 00658 // First, change the ABI of every function in the module. ABI-listed 00659 // functions keep their original ABI and get a wrapper function. 00660 for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), 00661 e = FnsToInstrument.end(); 00662 i != e; ++i) { 00663 Function &F = **i; 00664 FunctionType *FT = F.getFunctionType(); 00665 00666 bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() && 00667 FT->getReturnType()->isVoidTy()); 00668 00669 if (isInstrumented(&F)) { 00670 // Instrumented functions get a 'dfs$' prefix. This allows us to more 00671 // easily identify cases of mismatching ABIs. 00672 if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) { 00673 FunctionType *NewFT = getArgsFunctionType(FT); 00674 Function *NewF = Function::Create(NewFT, F.getLinkage(), "", &M); 00675 NewF->copyAttributesFrom(&F); 00676 NewF->removeAttributes( 00677 AttributeSet::ReturnIndex, 00678 AttributeFuncs::typeIncompatible(NewFT->getReturnType(), 00679 AttributeSet::ReturnIndex)); 00680 for (Function::arg_iterator FArg = F.arg_begin(), 00681 NewFArg = NewF->arg_begin(), 00682 FArgEnd = F.arg_end(); 00683 FArg != FArgEnd; ++FArg, ++NewFArg) { 00684 FArg->replaceAllUsesWith(NewFArg); 00685 } 00686 NewF->getBasicBlockList().splice(NewF->begin(), F.getBasicBlockList()); 00687 00688 for (Function::user_iterator UI = F.user_begin(), UE = F.user_end(); 00689 UI != UE;) { 00690 BlockAddress *BA = dyn_cast<BlockAddress>(*UI); 00691 ++UI; 00692 if (BA) { 00693 BA->replaceAllUsesWith( 00694 BlockAddress::get(NewF, BA->getBasicBlock())); 00695 delete BA; 00696 } 00697 } 00698 F.replaceAllUsesWith( 00699 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT))); 00700 NewF->takeName(&F); 00701 F.eraseFromParent(); 00702 *i = NewF; 00703 addGlobalNamePrefix(NewF); 00704 } else { 00705 addGlobalNamePrefix(&F); 00706 } 00707 // Hopefully, nobody will try to indirectly call a vararg 00708 // function... yet. 00709 } else if (FT->isVarArg()) { 00710 UnwrappedFnMap[&F] = &F; 00711 *i = nullptr; 00712 } else if (!IsZeroArgsVoidRet || getWrapperKind(&F) == WK_Custom) { 00713 // Build a wrapper function for F. The wrapper simply calls F, and is 00714 // added to FnsToInstrument so that any instrumentation according to its 00715 // WrapperKind is done in the second pass below. 00716 FunctionType *NewFT = getInstrumentedABI() == IA_Args 00717 ? getArgsFunctionType(FT) 00718 : FT; 00719 Function *NewF = buildWrapperFunction( 00720 &F, std::string("dfsw$") + std::string(F.getName()), 00721 GlobalValue::LinkOnceODRLinkage, NewFT); 00722 if (getInstrumentedABI() == IA_TLS) 00723 NewF->removeAttributes(AttributeSet::FunctionIndex, ReadOnlyNoneAttrs); 00724 00725 Value *WrappedFnCst = 00726 ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT)); 00727 F.replaceAllUsesWith(WrappedFnCst); 00728 UnwrappedFnMap[WrappedFnCst] = &F; 00729 *i = NewF; 00730 00731 if (!F.isDeclaration()) { 00732 // This function is probably defining an interposition of an 00733 // uninstrumented function and hence needs to keep the original ABI. 00734 // But any functions it may call need to use the instrumented ABI, so 00735 // we instrument it in a mode which preserves the original ABI. 00736 FnsWithNativeABI.insert(&F); 00737 00738 // This code needs to rebuild the iterators, as they may be invalidated 00739 // by the push_back, taking care that the new range does not include 00740 // any functions added by this code. 00741 size_t N = i - FnsToInstrument.begin(), 00742 Count = e - FnsToInstrument.begin(); 00743 FnsToInstrument.push_back(&F); 00744 i = FnsToInstrument.begin() + N; 00745 e = FnsToInstrument.begin() + Count; 00746 } 00747 } 00748 } 00749 00750 for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), 00751 e = FnsToInstrument.end(); 00752 i != e; ++i) { 00753 if (!*i || (*i)->isDeclaration()) 00754 continue; 00755 00756 removeUnreachableBlocks(**i); 00757 00758 DFSanFunction DFSF(*this, *i, FnsWithNativeABI.count(*i)); 00759 00760 // DFSanVisitor may create new basic blocks, which confuses df_iterator. 00761 // Build a copy of the list before iterating over it. 00762 llvm::SmallVector<BasicBlock *, 4> BBList( 00763 depth_first(&(*i)->getEntryBlock())); 00764 00765 for (llvm::SmallVector<BasicBlock *, 4>::iterator i = BBList.begin(), 00766 e = BBList.end(); 00767 i != e; ++i) { 00768 Instruction *Inst = &(*i)->front(); 00769 while (1) { 00770 // DFSanVisitor may split the current basic block, changing the current 00771 // instruction's next pointer and moving the next instruction to the 00772 // tail block from which we should continue. 00773 Instruction *Next = Inst->getNextNode(); 00774 // DFSanVisitor may delete Inst, so keep track of whether it was a 00775 // terminator. 00776 bool IsTerminator = isa<TerminatorInst>(Inst); 00777 if (!DFSF.SkipInsts.count(Inst)) 00778 DFSanVisitor(DFSF).visit(Inst); 00779 if (IsTerminator) 00780 break; 00781 Inst = Next; 00782 } 00783 } 00784 00785 // We will not necessarily be able to compute the shadow for every phi node 00786 // until we have visited every block. Therefore, the code that handles phi 00787 // nodes adds them to the PHIFixups list so that they can be properly 00788 // handled here. 00789 for (std::vector<std::pair<PHINode *, PHINode *> >::iterator 00790 i = DFSF.PHIFixups.begin(), 00791 e = DFSF.PHIFixups.end(); 00792 i != e; ++i) { 00793 for (unsigned val = 0, n = i->first->getNumIncomingValues(); val != n; 00794 ++val) { 00795 i->second->setIncomingValue( 00796 val, DFSF.getShadow(i->first->getIncomingValue(val))); 00797 } 00798 } 00799 00800 // -dfsan-debug-nonzero-labels will split the CFG in all kinds of crazy 00801 // places (i.e. instructions in basic blocks we haven't even begun visiting 00802 // yet). To make our life easier, do this work in a pass after the main 00803 // instrumentation. 00804 if (ClDebugNonzeroLabels) { 00805 for (Value *V : DFSF.NonZeroChecks) { 00806 Instruction *Pos; 00807 if (Instruction *I = dyn_cast<Instruction>(V)) 00808 Pos = I->getNextNode(); 00809 else 00810 Pos = DFSF.F->getEntryBlock().begin(); 00811 while (isa<PHINode>(Pos) || isa<AllocaInst>(Pos)) 00812 Pos = Pos->getNextNode(); 00813 IRBuilder<> IRB(Pos); 00814 Value *Ne = IRB.CreateICmpNE(V, DFSF.DFS.ZeroShadow); 00815 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 00816 Ne, Pos, /*Unreachable=*/false, ColdCallWeights)); 00817 IRBuilder<> ThenIRB(BI); 00818 ThenIRB.CreateCall(DFSF.DFS.DFSanNonzeroLabelFn); 00819 } 00820 } 00821 } 00822 00823 return false; 00824 } 00825 00826 Value *DFSanFunction::getArgTLSPtr() { 00827 if (ArgTLSPtr) 00828 return ArgTLSPtr; 00829 if (DFS.ArgTLS) 00830 return ArgTLSPtr = DFS.ArgTLS; 00831 00832 IRBuilder<> IRB(F->getEntryBlock().begin()); 00833 return ArgTLSPtr = IRB.CreateCall(DFS.GetArgTLS); 00834 } 00835 00836 Value *DFSanFunction::getRetvalTLS() { 00837 if (RetvalTLSPtr) 00838 return RetvalTLSPtr; 00839 if (DFS.RetvalTLS) 00840 return RetvalTLSPtr = DFS.RetvalTLS; 00841 00842 IRBuilder<> IRB(F->getEntryBlock().begin()); 00843 return RetvalTLSPtr = IRB.CreateCall(DFS.GetRetvalTLS); 00844 } 00845 00846 Value *DFSanFunction::getArgTLS(unsigned Idx, Instruction *Pos) { 00847 IRBuilder<> IRB(Pos); 00848 return IRB.CreateConstGEP2_64(getArgTLSPtr(), 0, Idx); 00849 } 00850 00851 Value *DFSanFunction::getShadow(Value *V) { 00852 if (!isa<Argument>(V) && !isa<Instruction>(V)) 00853 return DFS.ZeroShadow; 00854 Value *&Shadow = ValShadowMap[V]; 00855 if (!Shadow) { 00856 if (Argument *A = dyn_cast<Argument>(V)) { 00857 if (IsNativeABI) 00858 return DFS.ZeroShadow; 00859 switch (IA) { 00860 case DataFlowSanitizer::IA_TLS: { 00861 Value *ArgTLSPtr = getArgTLSPtr(); 00862 Instruction *ArgTLSPos = 00863 DFS.ArgTLS ? &*F->getEntryBlock().begin() 00864 : cast<Instruction>(ArgTLSPtr)->getNextNode(); 00865 IRBuilder<> IRB(ArgTLSPos); 00866 Shadow = IRB.CreateLoad(getArgTLS(A->getArgNo(), ArgTLSPos)); 00867 break; 00868 } 00869 case DataFlowSanitizer::IA_Args: { 00870 unsigned ArgIdx = A->getArgNo() + F->getArgumentList().size() / 2; 00871 Function::arg_iterator i = F->arg_begin(); 00872 while (ArgIdx--) 00873 ++i; 00874 Shadow = i; 00875 assert(Shadow->getType() == DFS.ShadowTy); 00876 break; 00877 } 00878 } 00879 NonZeroChecks.push_back(Shadow); 00880 } else { 00881 Shadow = DFS.ZeroShadow; 00882 } 00883 } 00884 return Shadow; 00885 } 00886 00887 void DFSanFunction::setShadow(Instruction *I, Value *Shadow) { 00888 assert(!ValShadowMap.count(I)); 00889 assert(Shadow->getType() == DFS.ShadowTy); 00890 ValShadowMap[I] = Shadow; 00891 } 00892 00893 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) { 00894 assert(Addr != RetvalTLS && "Reinstrumenting?"); 00895 IRBuilder<> IRB(Pos); 00896 return IRB.CreateIntToPtr( 00897 IRB.CreateMul( 00898 IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy), ShadowPtrMask), 00899 ShadowPtrMul), 00900 ShadowPtrTy); 00901 } 00902 00903 // Generates IR to compute the union of the two given shadows, inserting it 00904 // before Pos. Returns the computed union Value. 00905 Value *DFSanFunction::combineShadows(Value *V1, Value *V2, Instruction *Pos) { 00906 if (V1 == DFS.ZeroShadow) 00907 return V2; 00908 if (V2 == DFS.ZeroShadow) 00909 return V1; 00910 if (V1 == V2) 00911 return V1; 00912 00913 auto V1Elems = ShadowElements.find(V1); 00914 auto V2Elems = ShadowElements.find(V2); 00915 if (V1Elems != ShadowElements.end() && V2Elems != ShadowElements.end()) { 00916 if (std::includes(V1Elems->second.begin(), V1Elems->second.end(), 00917 V2Elems->second.begin(), V2Elems->second.end())) { 00918 return V1; 00919 } else if (std::includes(V2Elems->second.begin(), V2Elems->second.end(), 00920 V1Elems->second.begin(), V1Elems->second.end())) { 00921 return V2; 00922 } 00923 } else if (V1Elems != ShadowElements.end()) { 00924 if (V1Elems->second.count(V2)) 00925 return V1; 00926 } else if (V2Elems != ShadowElements.end()) { 00927 if (V2Elems->second.count(V1)) 00928 return V2; 00929 } 00930 00931 auto Key = std::make_pair(V1, V2); 00932 if (V1 > V2) 00933 std::swap(Key.first, Key.second); 00934 CachedCombinedShadow &CCS = CachedCombinedShadows[Key]; 00935 if (CCS.Block && DT.dominates(CCS.Block, Pos->getParent())) 00936 return CCS.Shadow; 00937 00938 IRBuilder<> IRB(Pos); 00939 if (AvoidNewBlocks) { 00940 CallInst *Call = IRB.CreateCall2(DFS.DFSanCheckedUnionFn, V1, V2); 00941 Call->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 00942 Call->addAttribute(1, Attribute::ZExt); 00943 Call->addAttribute(2, Attribute::ZExt); 00944 00945 CCS.Block = Pos->getParent(); 00946 CCS.Shadow = Call; 00947 } else { 00948 BasicBlock *Head = Pos->getParent(); 00949 Value *Ne = IRB.CreateICmpNE(V1, V2); 00950 BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen( 00951 Ne, Pos, /*Unreachable=*/false, DFS.ColdCallWeights, &DT)); 00952 IRBuilder<> ThenIRB(BI); 00953 CallInst *Call = ThenIRB.CreateCall2(DFS.DFSanUnionFn, V1, V2); 00954 Call->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 00955 Call->addAttribute(1, Attribute::ZExt); 00956 Call->addAttribute(2, Attribute::ZExt); 00957 00958 BasicBlock *Tail = BI->getSuccessor(0); 00959 PHINode *Phi = PHINode::Create(DFS.ShadowTy, 2, "", Tail->begin()); 00960 Phi->addIncoming(Call, Call->getParent()); 00961 Phi->addIncoming(V1, Head); 00962 00963 CCS.Block = Tail; 00964 CCS.Shadow = Phi; 00965 } 00966 00967 std::set<Value *> UnionElems; 00968 if (V1Elems != ShadowElements.end()) { 00969 UnionElems = V1Elems->second; 00970 } else { 00971 UnionElems.insert(V1); 00972 } 00973 if (V2Elems != ShadowElements.end()) { 00974 UnionElems.insert(V2Elems->second.begin(), V2Elems->second.end()); 00975 } else { 00976 UnionElems.insert(V2); 00977 } 00978 ShadowElements[CCS.Shadow] = std::move(UnionElems); 00979 00980 return CCS.Shadow; 00981 } 00982 00983 // A convenience function which folds the shadows of each of the operands 00984 // of the provided instruction Inst, inserting the IR before Inst. Returns 00985 // the computed union Value. 00986 Value *DFSanFunction::combineOperandShadows(Instruction *Inst) { 00987 if (Inst->getNumOperands() == 0) 00988 return DFS.ZeroShadow; 00989 00990 Value *Shadow = getShadow(Inst->getOperand(0)); 00991 for (unsigned i = 1, n = Inst->getNumOperands(); i != n; ++i) { 00992 Shadow = combineShadows(Shadow, getShadow(Inst->getOperand(i)), Inst); 00993 } 00994 return Shadow; 00995 } 00996 00997 void DFSanVisitor::visitOperandShadowInst(Instruction &I) { 00998 Value *CombinedShadow = DFSF.combineOperandShadows(&I); 00999 DFSF.setShadow(&I, CombinedShadow); 01000 } 01001 01002 // Generates IR to load shadow corresponding to bytes [Addr, Addr+Size), where 01003 // Addr has alignment Align, and take the union of each of those shadows. 01004 Value *DFSanFunction::loadShadow(Value *Addr, uint64_t Size, uint64_t Align, 01005 Instruction *Pos) { 01006 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 01007 llvm::DenseMap<AllocaInst *, AllocaInst *>::iterator i = 01008 AllocaShadowMap.find(AI); 01009 if (i != AllocaShadowMap.end()) { 01010 IRBuilder<> IRB(Pos); 01011 return IRB.CreateLoad(i->second); 01012 } 01013 } 01014 01015 uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8; 01016 SmallVector<Value *, 2> Objs; 01017 GetUnderlyingObjects(Addr, Objs, DFS.DL); 01018 bool AllConstants = true; 01019 for (SmallVector<Value *, 2>::iterator i = Objs.begin(), e = Objs.end(); 01020 i != e; ++i) { 01021 if (isa<Function>(*i) || isa<BlockAddress>(*i)) 01022 continue; 01023 if (isa<GlobalVariable>(*i) && cast<GlobalVariable>(*i)->isConstant()) 01024 continue; 01025 01026 AllConstants = false; 01027 break; 01028 } 01029 if (AllConstants) 01030 return DFS.ZeroShadow; 01031 01032 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 01033 switch (Size) { 01034 case 0: 01035 return DFS.ZeroShadow; 01036 case 1: { 01037 LoadInst *LI = new LoadInst(ShadowAddr, "", Pos); 01038 LI->setAlignment(ShadowAlign); 01039 return LI; 01040 } 01041 case 2: { 01042 IRBuilder<> IRB(Pos); 01043 Value *ShadowAddr1 = 01044 IRB.CreateGEP(ShadowAddr, ConstantInt::get(DFS.IntptrTy, 1)); 01045 return combineShadows(IRB.CreateAlignedLoad(ShadowAddr, ShadowAlign), 01046 IRB.CreateAlignedLoad(ShadowAddr1, ShadowAlign), Pos); 01047 } 01048 } 01049 if (!AvoidNewBlocks && Size % (64 / DFS.ShadowWidth) == 0) { 01050 // Fast path for the common case where each byte has identical shadow: load 01051 // shadow 64 bits at a time, fall out to a __dfsan_union_load call if any 01052 // shadow is non-equal. 01053 BasicBlock *FallbackBB = BasicBlock::Create(*DFS.Ctx, "", F); 01054 IRBuilder<> FallbackIRB(FallbackBB); 01055 CallInst *FallbackCall = FallbackIRB.CreateCall2( 01056 DFS.DFSanUnionLoadFn, ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)); 01057 FallbackCall->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 01058 01059 // Compare each of the shadows stored in the loaded 64 bits to each other, 01060 // by computing (WideShadow rotl ShadowWidth) == WideShadow. 01061 IRBuilder<> IRB(Pos); 01062 Value *WideAddr = 01063 IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx)); 01064 Value *WideShadow = IRB.CreateAlignedLoad(WideAddr, ShadowAlign); 01065 Value *TruncShadow = IRB.CreateTrunc(WideShadow, DFS.ShadowTy); 01066 Value *ShlShadow = IRB.CreateShl(WideShadow, DFS.ShadowWidth); 01067 Value *ShrShadow = IRB.CreateLShr(WideShadow, 64 - DFS.ShadowWidth); 01068 Value *RotShadow = IRB.CreateOr(ShlShadow, ShrShadow); 01069 Value *ShadowsEq = IRB.CreateICmpEQ(WideShadow, RotShadow); 01070 01071 BasicBlock *Head = Pos->getParent(); 01072 BasicBlock *Tail = Head->splitBasicBlock(Pos); 01073 01074 if (DomTreeNode *OldNode = DT.getNode(Head)) { 01075 std::vector<DomTreeNode *> Children(OldNode->begin(), OldNode->end()); 01076 01077 DomTreeNode *NewNode = DT.addNewBlock(Tail, Head); 01078 for (auto Child : Children) 01079 DT.changeImmediateDominator(Child, NewNode); 01080 } 01081 01082 // In the following code LastBr will refer to the previous basic block's 01083 // conditional branch instruction, whose true successor is fixed up to point 01084 // to the next block during the loop below or to the tail after the final 01085 // iteration. 01086 BranchInst *LastBr = BranchInst::Create(FallbackBB, FallbackBB, ShadowsEq); 01087 ReplaceInstWithInst(Head->getTerminator(), LastBr); 01088 DT.addNewBlock(FallbackBB, Head); 01089 01090 for (uint64_t Ofs = 64 / DFS.ShadowWidth; Ofs != Size; 01091 Ofs += 64 / DFS.ShadowWidth) { 01092 BasicBlock *NextBB = BasicBlock::Create(*DFS.Ctx, "", F); 01093 DT.addNewBlock(NextBB, LastBr->getParent()); 01094 IRBuilder<> NextIRB(NextBB); 01095 WideAddr = NextIRB.CreateGEP(WideAddr, ConstantInt::get(DFS.IntptrTy, 1)); 01096 Value *NextWideShadow = NextIRB.CreateAlignedLoad(WideAddr, ShadowAlign); 01097 ShadowsEq = NextIRB.CreateICmpEQ(WideShadow, NextWideShadow); 01098 LastBr->setSuccessor(0, NextBB); 01099 LastBr = NextIRB.CreateCondBr(ShadowsEq, FallbackBB, FallbackBB); 01100 } 01101 01102 LastBr->setSuccessor(0, Tail); 01103 FallbackIRB.CreateBr(Tail); 01104 PHINode *Shadow = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front()); 01105 Shadow->addIncoming(FallbackCall, FallbackBB); 01106 Shadow->addIncoming(TruncShadow, LastBr->getParent()); 01107 return Shadow; 01108 } 01109 01110 IRBuilder<> IRB(Pos); 01111 CallInst *FallbackCall = IRB.CreateCall2( 01112 DFS.DFSanUnionLoadFn, ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)); 01113 FallbackCall->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); 01114 return FallbackCall; 01115 } 01116 01117 void DFSanVisitor::visitLoadInst(LoadInst &LI) { 01118 uint64_t Size = DFSF.DFS.DL->getTypeStoreSize(LI.getType()); 01119 if (Size == 0) { 01120 DFSF.setShadow(&LI, DFSF.DFS.ZeroShadow); 01121 return; 01122 } 01123 01124 uint64_t Align; 01125 if (ClPreserveAlignment) { 01126 Align = LI.getAlignment(); 01127 if (Align == 0) 01128 Align = DFSF.DFS.DL->getABITypeAlignment(LI.getType()); 01129 } else { 01130 Align = 1; 01131 } 01132 IRBuilder<> IRB(&LI); 01133 Value *Shadow = DFSF.loadShadow(LI.getPointerOperand(), Size, Align, &LI); 01134 if (ClCombinePointerLabelsOnLoad) { 01135 Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand()); 01136 Shadow = DFSF.combineShadows(Shadow, PtrShadow, &LI); 01137 } 01138 if (Shadow != DFSF.DFS.ZeroShadow) 01139 DFSF.NonZeroChecks.push_back(Shadow); 01140 01141 DFSF.setShadow(&LI, Shadow); 01142 } 01143 01144 void DFSanFunction::storeShadow(Value *Addr, uint64_t Size, uint64_t Align, 01145 Value *Shadow, Instruction *Pos) { 01146 if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) { 01147 llvm::DenseMap<AllocaInst *, AllocaInst *>::iterator i = 01148 AllocaShadowMap.find(AI); 01149 if (i != AllocaShadowMap.end()) { 01150 IRBuilder<> IRB(Pos); 01151 IRB.CreateStore(Shadow, i->second); 01152 return; 01153 } 01154 } 01155 01156 uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8; 01157 IRBuilder<> IRB(Pos); 01158 Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos); 01159 if (Shadow == DFS.ZeroShadow) { 01160 IntegerType *ShadowTy = IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidth); 01161 Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0); 01162 Value *ExtShadowAddr = 01163 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy)); 01164 IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign); 01165 return; 01166 } 01167 01168 const unsigned ShadowVecSize = 128 / DFS.ShadowWidth; 01169 uint64_t Offset = 0; 01170 if (Size >= ShadowVecSize) { 01171 VectorType *ShadowVecTy = VectorType::get(DFS.ShadowTy, ShadowVecSize); 01172 Value *ShadowVec = UndefValue::get(ShadowVecTy); 01173 for (unsigned i = 0; i != ShadowVecSize; ++i) { 01174 ShadowVec = IRB.CreateInsertElement( 01175 ShadowVec, Shadow, ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), i)); 01176 } 01177 Value *ShadowVecAddr = 01178 IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy)); 01179 do { 01180 Value *CurShadowVecAddr = IRB.CreateConstGEP1_32(ShadowVecAddr, Offset); 01181 IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign); 01182 Size -= ShadowVecSize; 01183 ++Offset; 01184 } while (Size >= ShadowVecSize); 01185 Offset *= ShadowVecSize; 01186 } 01187 while (Size > 0) { 01188 Value *CurShadowAddr = IRB.CreateConstGEP1_32(ShadowAddr, Offset); 01189 IRB.CreateAlignedStore(Shadow, CurShadowAddr, ShadowAlign); 01190 --Size; 01191 ++Offset; 01192 } 01193 } 01194 01195 void DFSanVisitor::visitStoreInst(StoreInst &SI) { 01196 uint64_t Size = 01197 DFSF.DFS.DL->getTypeStoreSize(SI.getValueOperand()->getType()); 01198 if (Size == 0) 01199 return; 01200 01201 uint64_t Align; 01202 if (ClPreserveAlignment) { 01203 Align = SI.getAlignment(); 01204 if (Align == 0) 01205 Align = DFSF.DFS.DL->getABITypeAlignment(SI.getValueOperand()->getType()); 01206 } else { 01207 Align = 1; 01208 } 01209 01210 Value* Shadow = DFSF.getShadow(SI.getValueOperand()); 01211 if (ClCombinePointerLabelsOnStore) { 01212 Value *PtrShadow = DFSF.getShadow(SI.getPointerOperand()); 01213 Shadow = DFSF.combineShadows(Shadow, PtrShadow, &SI); 01214 } 01215 DFSF.storeShadow(SI.getPointerOperand(), Size, Align, Shadow, &SI); 01216 } 01217 01218 void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) { 01219 visitOperandShadowInst(BO); 01220 } 01221 01222 void DFSanVisitor::visitCastInst(CastInst &CI) { visitOperandShadowInst(CI); } 01223 01224 void DFSanVisitor::visitCmpInst(CmpInst &CI) { visitOperandShadowInst(CI); } 01225 01226 void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) { 01227 visitOperandShadowInst(GEPI); 01228 } 01229 01230 void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) { 01231 visitOperandShadowInst(I); 01232 } 01233 01234 void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) { 01235 visitOperandShadowInst(I); 01236 } 01237 01238 void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) { 01239 visitOperandShadowInst(I); 01240 } 01241 01242 void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) { 01243 visitOperandShadowInst(I); 01244 } 01245 01246 void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) { 01247 visitOperandShadowInst(I); 01248 } 01249 01250 void DFSanVisitor::visitAllocaInst(AllocaInst &I) { 01251 bool AllLoadsStores = true; 01252 for (User *U : I.users()) { 01253 if (isa<LoadInst>(U)) 01254 continue; 01255 01256 if (StoreInst *SI = dyn_cast<StoreInst>(U)) { 01257 if (SI->getPointerOperand() == &I) 01258 continue; 01259 } 01260 01261 AllLoadsStores = false; 01262 break; 01263 } 01264 if (AllLoadsStores) { 01265 IRBuilder<> IRB(&I); 01266 DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.ShadowTy); 01267 } 01268 DFSF.setShadow(&I, DFSF.DFS.ZeroShadow); 01269 } 01270 01271 void DFSanVisitor::visitSelectInst(SelectInst &I) { 01272 Value *CondShadow = DFSF.getShadow(I.getCondition()); 01273 Value *TrueShadow = DFSF.getShadow(I.getTrueValue()); 01274 Value *FalseShadow = DFSF.getShadow(I.getFalseValue()); 01275 01276 if (isa<VectorType>(I.getCondition()->getType())) { 01277 DFSF.setShadow( 01278 &I, 01279 DFSF.combineShadows( 01280 CondShadow, DFSF.combineShadows(TrueShadow, FalseShadow, &I), &I)); 01281 } else { 01282 Value *ShadowSel; 01283 if (TrueShadow == FalseShadow) { 01284 ShadowSel = TrueShadow; 01285 } else { 01286 ShadowSel = 01287 SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I); 01288 } 01289 DFSF.setShadow(&I, DFSF.combineShadows(CondShadow, ShadowSel, &I)); 01290 } 01291 } 01292 01293 void DFSanVisitor::visitMemSetInst(MemSetInst &I) { 01294 IRBuilder<> IRB(&I); 01295 Value *ValShadow = DFSF.getShadow(I.getValue()); 01296 IRB.CreateCall3( 01297 DFSF.DFS.DFSanSetLabelFn, ValShadow, 01298 IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy(*DFSF.DFS.Ctx)), 01299 IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)); 01300 } 01301 01302 void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) { 01303 IRBuilder<> IRB(&I); 01304 Value *DestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I); 01305 Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I); 01306 Value *LenShadow = IRB.CreateMul( 01307 I.getLength(), 01308 ConstantInt::get(I.getLength()->getType(), DFSF.DFS.ShadowWidth / 8)); 01309 Value *AlignShadow; 01310 if (ClPreserveAlignment) { 01311 AlignShadow = IRB.CreateMul(I.getAlignmentCst(), 01312 ConstantInt::get(I.getAlignmentCst()->getType(), 01313 DFSF.DFS.ShadowWidth / 8)); 01314 } else { 01315 AlignShadow = ConstantInt::get(I.getAlignmentCst()->getType(), 01316 DFSF.DFS.ShadowWidth / 8); 01317 } 01318 Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx); 01319 DestShadow = IRB.CreateBitCast(DestShadow, Int8Ptr); 01320 SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr); 01321 IRB.CreateCall5(I.getCalledValue(), DestShadow, SrcShadow, LenShadow, 01322 AlignShadow, I.getVolatileCst()); 01323 } 01324 01325 void DFSanVisitor::visitReturnInst(ReturnInst &RI) { 01326 if (!DFSF.IsNativeABI && RI.getReturnValue()) { 01327 switch (DFSF.IA) { 01328 case DataFlowSanitizer::IA_TLS: { 01329 Value *S = DFSF.getShadow(RI.getReturnValue()); 01330 IRBuilder<> IRB(&RI); 01331 IRB.CreateStore(S, DFSF.getRetvalTLS()); 01332 break; 01333 } 01334 case DataFlowSanitizer::IA_Args: { 01335 IRBuilder<> IRB(&RI); 01336 Type *RT = DFSF.F->getFunctionType()->getReturnType(); 01337 Value *InsVal = 01338 IRB.CreateInsertValue(UndefValue::get(RT), RI.getReturnValue(), 0); 01339 Value *InsShadow = 01340 IRB.CreateInsertValue(InsVal, DFSF.getShadow(RI.getReturnValue()), 1); 01341 RI.setOperand(0, InsShadow); 01342 break; 01343 } 01344 } 01345 } 01346 } 01347 01348 void DFSanVisitor::visitCallSite(CallSite CS) { 01349 Function *F = CS.getCalledFunction(); 01350 if ((F && F->isIntrinsic()) || isa<InlineAsm>(CS.getCalledValue())) { 01351 visitOperandShadowInst(*CS.getInstruction()); 01352 return; 01353 } 01354 01355 IRBuilder<> IRB(CS.getInstruction()); 01356 01357 DenseMap<Value *, Function *>::iterator i = 01358 DFSF.DFS.UnwrappedFnMap.find(CS.getCalledValue()); 01359 if (i != DFSF.DFS.UnwrappedFnMap.end()) { 01360 Function *F = i->second; 01361 switch (DFSF.DFS.getWrapperKind(F)) { 01362 case DataFlowSanitizer::WK_Warning: { 01363 CS.setCalledFunction(F); 01364 IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn, 01365 IRB.CreateGlobalStringPtr(F->getName())); 01366 DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow); 01367 return; 01368 } 01369 case DataFlowSanitizer::WK_Discard: { 01370 CS.setCalledFunction(F); 01371 DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow); 01372 return; 01373 } 01374 case DataFlowSanitizer::WK_Functional: { 01375 CS.setCalledFunction(F); 01376 visitOperandShadowInst(*CS.getInstruction()); 01377 return; 01378 } 01379 case DataFlowSanitizer::WK_Custom: { 01380 // Don't try to handle invokes of custom functions, it's too complicated. 01381 // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_ 01382 // wrapper. 01383 if (CallInst *CI = dyn_cast<CallInst>(CS.getInstruction())) { 01384 FunctionType *FT = F->getFunctionType(); 01385 FunctionType *CustomFT = DFSF.DFS.getCustomFunctionType(FT); 01386 std::string CustomFName = "__dfsw_"; 01387 CustomFName += F->getName(); 01388 Constant *CustomF = 01389 DFSF.DFS.Mod->getOrInsertFunction(CustomFName, CustomFT); 01390 if (Function *CustomFn = dyn_cast<Function>(CustomF)) { 01391 CustomFn->copyAttributesFrom(F); 01392 01393 // Custom functions returning non-void will write to the return label. 01394 if (!FT->getReturnType()->isVoidTy()) { 01395 CustomFn->removeAttributes(AttributeSet::FunctionIndex, 01396 DFSF.DFS.ReadOnlyNoneAttrs); 01397 } 01398 } 01399 01400 std::vector<Value *> Args; 01401 01402 CallSite::arg_iterator i = CS.arg_begin(); 01403 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) { 01404 Type *T = (*i)->getType(); 01405 FunctionType *ParamFT; 01406 if (isa<PointerType>(T) && 01407 (ParamFT = dyn_cast<FunctionType>( 01408 cast<PointerType>(T)->getElementType()))) { 01409 std::string TName = "dfst"; 01410 TName += utostr(FT->getNumParams() - n); 01411 TName += "$"; 01412 TName += F->getName(); 01413 Constant *T = DFSF.DFS.getOrBuildTrampolineFunction(ParamFT, TName); 01414 Args.push_back(T); 01415 Args.push_back( 01416 IRB.CreateBitCast(*i, Type::getInt8PtrTy(*DFSF.DFS.Ctx))); 01417 } else { 01418 Args.push_back(*i); 01419 } 01420 } 01421 01422 i = CS.arg_begin(); 01423 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 01424 Args.push_back(DFSF.getShadow(*i)); 01425 01426 if (!FT->getReturnType()->isVoidTy()) { 01427 if (!DFSF.LabelReturnAlloca) { 01428 DFSF.LabelReturnAlloca = 01429 new AllocaInst(DFSF.DFS.ShadowTy, "labelreturn", 01430 DFSF.F->getEntryBlock().begin()); 01431 } 01432 Args.push_back(DFSF.LabelReturnAlloca); 01433 } 01434 01435 CallInst *CustomCI = IRB.CreateCall(CustomF, Args); 01436 CustomCI->setCallingConv(CI->getCallingConv()); 01437 CustomCI->setAttributes(CI->getAttributes()); 01438 01439 if (!FT->getReturnType()->isVoidTy()) { 01440 LoadInst *LabelLoad = IRB.CreateLoad(DFSF.LabelReturnAlloca); 01441 DFSF.setShadow(CustomCI, LabelLoad); 01442 } 01443 01444 CI->replaceAllUsesWith(CustomCI); 01445 CI->eraseFromParent(); 01446 return; 01447 } 01448 break; 01449 } 01450 } 01451 } 01452 01453 FunctionType *FT = cast<FunctionType>( 01454 CS.getCalledValue()->getType()->getPointerElementType()); 01455 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 01456 for (unsigned i = 0, n = FT->getNumParams(); i != n; ++i) { 01457 IRB.CreateStore(DFSF.getShadow(CS.getArgument(i)), 01458 DFSF.getArgTLS(i, CS.getInstruction())); 01459 } 01460 } 01461 01462 Instruction *Next = nullptr; 01463 if (!CS.getType()->isVoidTy()) { 01464 if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) { 01465 if (II->getNormalDest()->getSinglePredecessor()) { 01466 Next = II->getNormalDest()->begin(); 01467 } else { 01468 BasicBlock *NewBB = 01469 SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DFS); 01470 Next = NewBB->begin(); 01471 } 01472 } else { 01473 Next = CS->getNextNode(); 01474 } 01475 01476 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) { 01477 IRBuilder<> NextIRB(Next); 01478 LoadInst *LI = NextIRB.CreateLoad(DFSF.getRetvalTLS()); 01479 DFSF.SkipInsts.insert(LI); 01480 DFSF.setShadow(CS.getInstruction(), LI); 01481 DFSF.NonZeroChecks.push_back(LI); 01482 } 01483 } 01484 01485 // Do all instrumentation for IA_Args down here to defer tampering with the 01486 // CFG in a way that SplitEdge may be able to detect. 01487 if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) { 01488 FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT); 01489 Value *Func = 01490 IRB.CreateBitCast(CS.getCalledValue(), PointerType::getUnqual(NewFT)); 01491 std::vector<Value *> Args; 01492 01493 CallSite::arg_iterator i = CS.arg_begin(), e = CS.arg_end(); 01494 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 01495 Args.push_back(*i); 01496 01497 i = CS.arg_begin(); 01498 for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) 01499 Args.push_back(DFSF.getShadow(*i)); 01500 01501 if (FT->isVarArg()) { 01502 unsigned VarArgSize = CS.arg_size() - FT->getNumParams(); 01503 ArrayType *VarArgArrayTy = ArrayType::get(DFSF.DFS.ShadowTy, VarArgSize); 01504 AllocaInst *VarArgShadow = 01505 new AllocaInst(VarArgArrayTy, "", DFSF.F->getEntryBlock().begin()); 01506 Args.push_back(IRB.CreateConstGEP2_32(VarArgShadow, 0, 0)); 01507 for (unsigned n = 0; i != e; ++i, ++n) { 01508 IRB.CreateStore(DFSF.getShadow(*i), 01509 IRB.CreateConstGEP2_32(VarArgShadow, 0, n)); 01510 Args.push_back(*i); 01511 } 01512 } 01513 01514 CallSite NewCS; 01515 if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) { 01516 NewCS = IRB.CreateInvoke(Func, II->getNormalDest(), II->getUnwindDest(), 01517 Args); 01518 } else { 01519 NewCS = IRB.CreateCall(Func, Args); 01520 } 01521 NewCS.setCallingConv(CS.getCallingConv()); 01522 NewCS.setAttributes(CS.getAttributes().removeAttributes( 01523 *DFSF.DFS.Ctx, AttributeSet::ReturnIndex, 01524 AttributeFuncs::typeIncompatible(NewCS.getInstruction()->getType(), 01525 AttributeSet::ReturnIndex))); 01526 01527 if (Next) { 01528 ExtractValueInst *ExVal = 01529 ExtractValueInst::Create(NewCS.getInstruction(), 0, "", Next); 01530 DFSF.SkipInsts.insert(ExVal); 01531 ExtractValueInst *ExShadow = 01532 ExtractValueInst::Create(NewCS.getInstruction(), 1, "", Next); 01533 DFSF.SkipInsts.insert(ExShadow); 01534 DFSF.setShadow(ExVal, ExShadow); 01535 DFSF.NonZeroChecks.push_back(ExShadow); 01536 01537 CS.getInstruction()->replaceAllUsesWith(ExVal); 01538 } 01539 01540 CS.getInstruction()->eraseFromParent(); 01541 } 01542 } 01543 01544 void DFSanVisitor::visitPHINode(PHINode &PN) { 01545 PHINode *ShadowPN = 01546 PHINode::Create(DFSF.DFS.ShadowTy, PN.getNumIncomingValues(), "", &PN); 01547 01548 // Give the shadow phi node valid predecessors to fool SplitEdge into working. 01549 Value *UndefShadow = UndefValue::get(DFSF.DFS.ShadowTy); 01550 for (PHINode::block_iterator i = PN.block_begin(), e = PN.block_end(); i != e; 01551 ++i) { 01552 ShadowPN->addIncoming(UndefShadow, *i); 01553 } 01554 01555 DFSF.PHIFixups.push_back(std::make_pair(&PN, ShadowPN)); 01556 DFSF.setShadow(&PN, ShadowPN); 01557 }
Generated on Thu Sep 18 2014 02:48:36 for LLVM by
1.7.6.1
Copyright © 2003-2014 University of Illinois at Urbana-Champaign.
All Rights Reserved.