1.7.6.1Copyright © 2003-2014 University of Illinois at Urbana-Champaign. All Rights Reserved.
LLVM API Documentation
00001 //===-- ShadowStackGC.cpp - GC support for uncooperative targets ----------===// 00002 // 00003 // The LLVM Compiler Infrastructure 00004 // 00005 // This file is distributed under the University of Illinois Open Source 00006 // License. See LICENSE.TXT for details. 00007 // 00008 //===----------------------------------------------------------------------===// 00009 // 00010 // This file implements lowering for the llvm.gc* intrinsics for targets that do 00011 // not natively support them (which includes the C backend). Note that the code 00012 // generated is not quite as efficient as algorithms which generate stack maps 00013 // to identify roots. 00014 // 00015 // This pass implements the code transformation described in this paper: 00016 // "Accurate Garbage Collection in an Uncooperative Environment" 00017 // Fergus Henderson, ISMM, 2002 00018 // 00019 // In runtime/GC/SemiSpace.cpp is a prototype runtime which is compatible with 00020 // ShadowStackGC. 00021 // 00022 // In order to support this particular transformation, all stack roots are 00023 // coallocated in the stack. This allows a fully target-independent stack map 00024 // while introducing only minor runtime overhead. 00025 // 00026 //===----------------------------------------------------------------------===// 00027 00028 #include "llvm/CodeGen/GCs.h" 00029 #include "llvm/ADT/StringExtras.h" 00030 #include "llvm/CodeGen/GCStrategy.h" 00031 #include "llvm/IR/CallSite.h" 00032 #include "llvm/IR/IRBuilder.h" 00033 #include "llvm/IR/IntrinsicInst.h" 00034 #include "llvm/IR/Module.h" 00035 00036 using namespace llvm; 00037 00038 #define DEBUG_TYPE "shadowstackgc" 00039 00040 namespace { 00041 00042 class ShadowStackGC : public GCStrategy { 00043 /// RootChain - This is the global linked-list that contains the chain of GC 00044 /// roots. 00045 GlobalVariable *Head; 00046 00047 /// StackEntryTy - Abstract type of a link in the shadow stack. 00048 /// 00049 StructType *StackEntryTy; 00050 StructType *FrameMapTy; 00051 00052 /// Roots - GC roots in the current function. Each is a pair of the 00053 /// intrinsic call and its corresponding alloca. 00054 std::vector<std::pair<CallInst*,AllocaInst*> > Roots; 00055 00056 public: 00057 ShadowStackGC(); 00058 00059 bool initializeCustomLowering(Module &M) override; 00060 bool performCustomLowering(Function &F) override; 00061 00062 private: 00063 bool IsNullValue(Value *V); 00064 Constant *GetFrameMap(Function &F); 00065 Type* GetConcreteStackEntryType(Function &F); 00066 void CollectRoots(Function &F); 00067 static GetElementPtrInst *CreateGEP(LLVMContext &Context, 00068 IRBuilder<> &B, Value *BasePtr, 00069 int Idx1, const char *Name); 00070 static GetElementPtrInst *CreateGEP(LLVMContext &Context, 00071 IRBuilder<> &B, Value *BasePtr, 00072 int Idx1, int Idx2, const char *Name); 00073 }; 00074 00075 } 00076 00077 static GCRegistry::Add<ShadowStackGC> 00078 X("shadow-stack", "Very portable GC for uncooperative code generators"); 00079 00080 namespace { 00081 /// EscapeEnumerator - This is a little algorithm to find all escape points 00082 /// from a function so that "finally"-style code can be inserted. In addition 00083 /// to finding the existing return and unwind instructions, it also (if 00084 /// necessary) transforms any call instructions into invokes and sends them to 00085 /// a landing pad. 00086 /// 00087 /// It's wrapped up in a state machine using the same transform C# uses for 00088 /// 'yield return' enumerators, This transform allows it to be non-allocating. 00089 class EscapeEnumerator { 00090 Function &F; 00091 const char *CleanupBBName; 00092 00093 // State. 00094 int State; 00095 Function::iterator StateBB, StateE; 00096 IRBuilder<> Builder; 00097 00098 public: 00099 EscapeEnumerator(Function &F, const char *N = "cleanup") 00100 : F(F), CleanupBBName(N), State(0), Builder(F.getContext()) {} 00101 00102 IRBuilder<> *Next() { 00103 switch (State) { 00104 default: 00105 return nullptr; 00106 00107 case 0: 00108 StateBB = F.begin(); 00109 StateE = F.end(); 00110 State = 1; 00111 00112 case 1: 00113 // Find all 'return', 'resume', and 'unwind' instructions. 00114 while (StateBB != StateE) { 00115 BasicBlock *CurBB = StateBB++; 00116 00117 // Branches and invokes do not escape, only unwind, resume, and return 00118 // do. 00119 TerminatorInst *TI = CurBB->getTerminator(); 00120 if (!isa<ReturnInst>(TI) && !isa<ResumeInst>(TI)) 00121 continue; 00122 00123 Builder.SetInsertPoint(TI->getParent(), TI); 00124 return &Builder; 00125 } 00126 00127 State = 2; 00128 00129 // Find all 'call' instructions. 00130 SmallVector<Instruction*,16> Calls; 00131 for (Function::iterator BB = F.begin(), 00132 E = F.end(); BB != E; ++BB) 00133 for (BasicBlock::iterator II = BB->begin(), 00134 EE = BB->end(); II != EE; ++II) 00135 if (CallInst *CI = dyn_cast<CallInst>(II)) 00136 if (!CI->getCalledFunction() || 00137 !CI->getCalledFunction()->getIntrinsicID()) 00138 Calls.push_back(CI); 00139 00140 if (Calls.empty()) 00141 return nullptr; 00142 00143 // Create a cleanup block. 00144 LLVMContext &C = F.getContext(); 00145 BasicBlock *CleanupBB = BasicBlock::Create(C, CleanupBBName, &F); 00146 Type *ExnTy = StructType::get(Type::getInt8PtrTy(C), 00147 Type::getInt32Ty(C), NULL); 00148 Constant *PersFn = 00149 F.getParent()-> 00150 getOrInsertFunction("__gcc_personality_v0", 00151 FunctionType::get(Type::getInt32Ty(C), true)); 00152 LandingPadInst *LPad = LandingPadInst::Create(ExnTy, PersFn, 1, 00153 "cleanup.lpad", 00154 CleanupBB); 00155 LPad->setCleanup(true); 00156 ResumeInst *RI = ResumeInst::Create(LPad, CleanupBB); 00157 00158 // Transform the 'call' instructions into 'invoke's branching to the 00159 // cleanup block. Go in reverse order to make prettier BB names. 00160 SmallVector<Value*,16> Args; 00161 for (unsigned I = Calls.size(); I != 0; ) { 00162 CallInst *CI = cast<CallInst>(Calls[--I]); 00163 00164 // Split the basic block containing the function call. 00165 BasicBlock *CallBB = CI->getParent(); 00166 BasicBlock *NewBB = 00167 CallBB->splitBasicBlock(CI, CallBB->getName() + ".cont"); 00168 00169 // Remove the unconditional branch inserted at the end of CallBB. 00170 CallBB->getInstList().pop_back(); 00171 NewBB->getInstList().remove(CI); 00172 00173 // Create a new invoke instruction. 00174 Args.clear(); 00175 CallSite CS(CI); 00176 Args.append(CS.arg_begin(), CS.arg_end()); 00177 00178 InvokeInst *II = InvokeInst::Create(CI->getCalledValue(), 00179 NewBB, CleanupBB, 00180 Args, CI->getName(), CallBB); 00181 II->setCallingConv(CI->getCallingConv()); 00182 II->setAttributes(CI->getAttributes()); 00183 CI->replaceAllUsesWith(II); 00184 delete CI; 00185 } 00186 00187 Builder.SetInsertPoint(RI->getParent(), RI); 00188 return &Builder; 00189 } 00190 } 00191 }; 00192 } 00193 00194 // ----------------------------------------------------------------------------- 00195 00196 void llvm::linkShadowStackGC() { } 00197 00198 ShadowStackGC::ShadowStackGC() : Head(nullptr), StackEntryTy(nullptr) { 00199 InitRoots = true; 00200 CustomRoots = true; 00201 } 00202 00203 Constant *ShadowStackGC::GetFrameMap(Function &F) { 00204 // doInitialization creates the abstract type of this value. 00205 Type *VoidPtr = Type::getInt8PtrTy(F.getContext()); 00206 00207 // Truncate the ShadowStackDescriptor if some metadata is null. 00208 unsigned NumMeta = 0; 00209 SmallVector<Constant*, 16> Metadata; 00210 for (unsigned I = 0; I != Roots.size(); ++I) { 00211 Constant *C = cast<Constant>(Roots[I].first->getArgOperand(1)); 00212 if (!C->isNullValue()) 00213 NumMeta = I + 1; 00214 Metadata.push_back(ConstantExpr::getBitCast(C, VoidPtr)); 00215 } 00216 Metadata.resize(NumMeta); 00217 00218 Type *Int32Ty = Type::getInt32Ty(F.getContext()); 00219 00220 Constant *BaseElts[] = { 00221 ConstantInt::get(Int32Ty, Roots.size(), false), 00222 ConstantInt::get(Int32Ty, NumMeta, false), 00223 }; 00224 00225 Constant *DescriptorElts[] = { 00226 ConstantStruct::get(FrameMapTy, BaseElts), 00227 ConstantArray::get(ArrayType::get(VoidPtr, NumMeta), Metadata) 00228 }; 00229 00230 Type *EltTys[] = { DescriptorElts[0]->getType(),DescriptorElts[1]->getType()}; 00231 StructType *STy = StructType::create(EltTys, "gc_map."+utostr(NumMeta)); 00232 00233 Constant *FrameMap = ConstantStruct::get(STy, DescriptorElts); 00234 00235 // FIXME: Is this actually dangerous as WritingAnLLVMPass.html claims? Seems 00236 // that, short of multithreaded LLVM, it should be safe; all that is 00237 // necessary is that a simple Module::iterator loop not be invalidated. 00238 // Appending to the GlobalVariable list is safe in that sense. 00239 // 00240 // All of the output passes emit globals last. The ExecutionEngine 00241 // explicitly supports adding globals to the module after 00242 // initialization. 00243 // 00244 // Still, if it isn't deemed acceptable, then this transformation needs 00245 // to be a ModulePass (which means it cannot be in the 'llc' pipeline 00246 // (which uses a FunctionPassManager (which segfaults (not asserts) if 00247 // provided a ModulePass))). 00248 Constant *GV = new GlobalVariable(*F.getParent(), FrameMap->getType(), true, 00249 GlobalVariable::InternalLinkage, 00250 FrameMap, "__gc_" + F.getName()); 00251 00252 Constant *GEPIndices[2] = { 00253 ConstantInt::get(Type::getInt32Ty(F.getContext()), 0), 00254 ConstantInt::get(Type::getInt32Ty(F.getContext()), 0) 00255 }; 00256 return ConstantExpr::getGetElementPtr(GV, GEPIndices); 00257 } 00258 00259 Type* ShadowStackGC::GetConcreteStackEntryType(Function &F) { 00260 // doInitialization creates the generic version of this type. 00261 std::vector<Type*> EltTys; 00262 EltTys.push_back(StackEntryTy); 00263 for (size_t I = 0; I != Roots.size(); I++) 00264 EltTys.push_back(Roots[I].second->getAllocatedType()); 00265 00266 return StructType::create(EltTys, "gc_stackentry."+F.getName().str()); 00267 } 00268 00269 /// doInitialization - If this module uses the GC intrinsics, find them now. If 00270 /// not, exit fast. 00271 bool ShadowStackGC::initializeCustomLowering(Module &M) { 00272 // struct FrameMap { 00273 // int32_t NumRoots; // Number of roots in stack frame. 00274 // int32_t NumMeta; // Number of metadata descriptors. May be < NumRoots. 00275 // void *Meta[]; // May be absent for roots without metadata. 00276 // }; 00277 std::vector<Type*> EltTys; 00278 // 32 bits is ok up to a 32GB stack frame. :) 00279 EltTys.push_back(Type::getInt32Ty(M.getContext())); 00280 // Specifies length of variable length array. 00281 EltTys.push_back(Type::getInt32Ty(M.getContext())); 00282 FrameMapTy = StructType::create(EltTys, "gc_map"); 00283 PointerType *FrameMapPtrTy = PointerType::getUnqual(FrameMapTy); 00284 00285 // struct StackEntry { 00286 // ShadowStackEntry *Next; // Caller's stack entry. 00287 // FrameMap *Map; // Pointer to constant FrameMap. 00288 // void *Roots[]; // Stack roots (in-place array, so we pretend). 00289 // }; 00290 00291 StackEntryTy = StructType::create(M.getContext(), "gc_stackentry"); 00292 00293 EltTys.clear(); 00294 EltTys.push_back(PointerType::getUnqual(StackEntryTy)); 00295 EltTys.push_back(FrameMapPtrTy); 00296 StackEntryTy->setBody(EltTys); 00297 PointerType *StackEntryPtrTy = PointerType::getUnqual(StackEntryTy); 00298 00299 // Get the root chain if it already exists. 00300 Head = M.getGlobalVariable("llvm_gc_root_chain"); 00301 if (!Head) { 00302 // If the root chain does not exist, insert a new one with linkonce 00303 // linkage! 00304 Head = new GlobalVariable(M, StackEntryPtrTy, false, 00305 GlobalValue::LinkOnceAnyLinkage, 00306 Constant::getNullValue(StackEntryPtrTy), 00307 "llvm_gc_root_chain"); 00308 } else if (Head->hasExternalLinkage() && Head->isDeclaration()) { 00309 Head->setInitializer(Constant::getNullValue(StackEntryPtrTy)); 00310 Head->setLinkage(GlobalValue::LinkOnceAnyLinkage); 00311 } 00312 00313 return true; 00314 } 00315 00316 bool ShadowStackGC::IsNullValue(Value *V) { 00317 if (Constant *C = dyn_cast<Constant>(V)) 00318 return C->isNullValue(); 00319 return false; 00320 } 00321 00322 void ShadowStackGC::CollectRoots(Function &F) { 00323 // FIXME: Account for original alignment. Could fragment the root array. 00324 // Approach 1: Null initialize empty slots at runtime. Yuck. 00325 // Approach 2: Emit a map of the array instead of just a count. 00326 00327 assert(Roots.empty() && "Not cleaned up?"); 00328 00329 SmallVector<std::pair<CallInst*, AllocaInst*>, 16> MetaRoots; 00330 00331 for (Function::iterator BB = F.begin(), E = F.end(); BB != E; ++BB) 00332 for (BasicBlock::iterator II = BB->begin(), E = BB->end(); II != E;) 00333 if (IntrinsicInst *CI = dyn_cast<IntrinsicInst>(II++)) 00334 if (Function *F = CI->getCalledFunction()) 00335 if (F->getIntrinsicID() == Intrinsic::gcroot) { 00336 std::pair<CallInst*, AllocaInst*> Pair = std::make_pair( 00337 CI, cast<AllocaInst>(CI->getArgOperand(0)->stripPointerCasts())); 00338 if (IsNullValue(CI->getArgOperand(1))) 00339 Roots.push_back(Pair); 00340 else 00341 MetaRoots.push_back(Pair); 00342 } 00343 00344 // Number roots with metadata (usually empty) at the beginning, so that the 00345 // FrameMap::Meta array can be elided. 00346 Roots.insert(Roots.begin(), MetaRoots.begin(), MetaRoots.end()); 00347 } 00348 00349 GetElementPtrInst * 00350 ShadowStackGC::CreateGEP(LLVMContext &Context, IRBuilder<> &B, Value *BasePtr, 00351 int Idx, int Idx2, const char *Name) { 00352 Value *Indices[] = { ConstantInt::get(Type::getInt32Ty(Context), 0), 00353 ConstantInt::get(Type::getInt32Ty(Context), Idx), 00354 ConstantInt::get(Type::getInt32Ty(Context), Idx2) }; 00355 Value* Val = B.CreateGEP(BasePtr, Indices, Name); 00356 00357 assert(isa<GetElementPtrInst>(Val) && "Unexpected folded constant"); 00358 00359 return dyn_cast<GetElementPtrInst>(Val); 00360 } 00361 00362 GetElementPtrInst * 00363 ShadowStackGC::CreateGEP(LLVMContext &Context, IRBuilder<> &B, Value *BasePtr, 00364 int Idx, const char *Name) { 00365 Value *Indices[] = { ConstantInt::get(Type::getInt32Ty(Context), 0), 00366 ConstantInt::get(Type::getInt32Ty(Context), Idx) }; 00367 Value *Val = B.CreateGEP(BasePtr, Indices, Name); 00368 00369 assert(isa<GetElementPtrInst>(Val) && "Unexpected folded constant"); 00370 00371 return dyn_cast<GetElementPtrInst>(Val); 00372 } 00373 00374 /// runOnFunction - Insert code to maintain the shadow stack. 00375 bool ShadowStackGC::performCustomLowering(Function &F) { 00376 LLVMContext &Context = F.getContext(); 00377 00378 // Find calls to llvm.gcroot. 00379 CollectRoots(F); 00380 00381 // If there are no roots in this function, then there is no need to add a 00382 // stack map entry for it. 00383 if (Roots.empty()) 00384 return false; 00385 00386 // Build the constant map and figure the type of the shadow stack entry. 00387 Value *FrameMap = GetFrameMap(F); 00388 Type *ConcreteStackEntryTy = GetConcreteStackEntryType(F); 00389 00390 // Build the shadow stack entry at the very start of the function. 00391 BasicBlock::iterator IP = F.getEntryBlock().begin(); 00392 IRBuilder<> AtEntry(IP->getParent(), IP); 00393 00394 Instruction *StackEntry = AtEntry.CreateAlloca(ConcreteStackEntryTy, nullptr, 00395 "gc_frame"); 00396 00397 while (isa<AllocaInst>(IP)) ++IP; 00398 AtEntry.SetInsertPoint(IP->getParent(), IP); 00399 00400 // Initialize the map pointer and load the current head of the shadow stack. 00401 Instruction *CurrentHead = AtEntry.CreateLoad(Head, "gc_currhead"); 00402 Instruction *EntryMapPtr = CreateGEP(Context, AtEntry, StackEntry, 00403 0,1,"gc_frame.map"); 00404 AtEntry.CreateStore(FrameMap, EntryMapPtr); 00405 00406 // After all the allocas... 00407 for (unsigned I = 0, E = Roots.size(); I != E; ++I) { 00408 // For each root, find the corresponding slot in the aggregate... 00409 Value *SlotPtr = CreateGEP(Context, AtEntry, StackEntry, 1 + I, "gc_root"); 00410 00411 // And use it in lieu of the alloca. 00412 AllocaInst *OriginalAlloca = Roots[I].second; 00413 SlotPtr->takeName(OriginalAlloca); 00414 OriginalAlloca->replaceAllUsesWith(SlotPtr); 00415 } 00416 00417 // Move past the original stores inserted by GCStrategy::InitRoots. This isn't 00418 // really necessary (the collector would never see the intermediate state at 00419 // runtime), but it's nicer not to push the half-initialized entry onto the 00420 // shadow stack. 00421 while (isa<StoreInst>(IP)) ++IP; 00422 AtEntry.SetInsertPoint(IP->getParent(), IP); 00423 00424 // Push the entry onto the shadow stack. 00425 Instruction *EntryNextPtr = CreateGEP(Context, AtEntry, 00426 StackEntry,0,0,"gc_frame.next"); 00427 Instruction *NewHeadVal = CreateGEP(Context, AtEntry, 00428 StackEntry, 0, "gc_newhead"); 00429 AtEntry.CreateStore(CurrentHead, EntryNextPtr); 00430 AtEntry.CreateStore(NewHeadVal, Head); 00431 00432 // For each instruction that escapes... 00433 EscapeEnumerator EE(F, "gc_cleanup"); 00434 while (IRBuilder<> *AtExit = EE.Next()) { 00435 // Pop the entry from the shadow stack. Don't reuse CurrentHead from 00436 // AtEntry, since that would make the value live for the entire function. 00437 Instruction *EntryNextPtr2 = CreateGEP(Context, *AtExit, StackEntry, 0, 0, 00438 "gc_frame.next"); 00439 Value *SavedHead = AtExit->CreateLoad(EntryNextPtr2, "gc_savedhead"); 00440 AtExit->CreateStore(SavedHead, Head); 00441 } 00442 00443 // Delete the original allocas (which are no longer used) and the intrinsic 00444 // calls (which are no longer valid). Doing this last avoids invalidating 00445 // iterators. 00446 for (unsigned I = 0, E = Roots.size(); I != E; ++I) { 00447 Roots[I].first->eraseFromParent(); 00448 Roots[I].second->eraseFromParent(); 00449 } 00450 00451 Roots.clear(); 00452 return true; 00453 }
Generated on Thu Sep 18 2014 03:31:43 for LLVM by
1.7.6.1
Copyright © 2003-2014 University of Illinois at Urbana-Champaign.
All Rights Reserved.