1.7.6.1Copyright © 2003-2014 University of Illinois at Urbana-Champaign. All Rights Reserved.
LLVM API Documentation
00001 //===-- StackProtector.cpp - Stack Protector Insertion --------------------===// 00002 // 00003 // The LLVM Compiler Infrastructure 00004 // 00005 // This file is distributed under the University of Illinois Open Source 00006 // License. See LICENSE.TXT for details. 00007 // 00008 //===----------------------------------------------------------------------===// 00009 // 00010 // This pass inserts stack protectors into functions which need them. A variable 00011 // with a random value in it is stored onto the stack before the local variables 00012 // are allocated. Upon exiting the block, the stored value is checked. If it's 00013 // changed, then there was some sort of violation and the program aborts. 00014 // 00015 //===----------------------------------------------------------------------===// 00016 00017 #include "llvm/CodeGen/StackProtector.h" 00018 #include "llvm/ADT/SmallPtrSet.h" 00019 #include "llvm/ADT/Statistic.h" 00020 #include "llvm/Analysis/ValueTracking.h" 00021 #include "llvm/CodeGen/Analysis.h" 00022 #include "llvm/CodeGen/Passes.h" 00023 #include "llvm/IR/Attributes.h" 00024 #include "llvm/IR/Constants.h" 00025 #include "llvm/IR/DataLayout.h" 00026 #include "llvm/IR/DerivedTypes.h" 00027 #include "llvm/IR/Function.h" 00028 #include "llvm/IR/GlobalValue.h" 00029 #include "llvm/IR/GlobalVariable.h" 00030 #include "llvm/IR/IRBuilder.h" 00031 #include "llvm/IR/Instructions.h" 00032 #include "llvm/IR/IntrinsicInst.h" 00033 #include "llvm/IR/Intrinsics.h" 00034 #include "llvm/IR/Module.h" 00035 #include "llvm/Support/CommandLine.h" 00036 #include "llvm/Target/TargetSubtargetInfo.h" 00037 #include <cstdlib> 00038 using namespace llvm; 00039 00040 #define DEBUG_TYPE "stack-protector" 00041 00042 STATISTIC(NumFunProtected, "Number of functions protected"); 00043 STATISTIC(NumAddrTaken, "Number of local variables that have their address" 00044 " taken."); 00045 00046 static cl::opt<bool> EnableSelectionDAGSP("enable-selectiondag-sp", 00047 cl::init(true), cl::Hidden); 00048 00049 char StackProtector::ID = 0; 00050 INITIALIZE_PASS(StackProtector, "stack-protector", "Insert stack protectors", 00051 false, true) 00052 00053 FunctionPass *llvm::createStackProtectorPass(const TargetMachine *TM) { 00054 return new StackProtector(TM); 00055 } 00056 00057 StackProtector::SSPLayoutKind 00058 StackProtector::getSSPLayout(const AllocaInst *AI) const { 00059 return AI ? Layout.lookup(AI) : SSPLK_None; 00060 } 00061 00062 void StackProtector::adjustForColoring(const AllocaInst *From, 00063 const AllocaInst *To) { 00064 // When coloring replaces one alloca with another, transfer the SSPLayoutKind 00065 // tag from the remapped to the target alloca. The remapped alloca should 00066 // have a size smaller than or equal to the replacement alloca. 00067 SSPLayoutMap::iterator I = Layout.find(From); 00068 if (I != Layout.end()) { 00069 SSPLayoutKind Kind = I->second; 00070 Layout.erase(I); 00071 00072 // Transfer the tag, but make sure that SSPLK_AddrOf does not overwrite 00073 // SSPLK_SmallArray or SSPLK_LargeArray, and make sure that 00074 // SSPLK_SmallArray does not overwrite SSPLK_LargeArray. 00075 I = Layout.find(To); 00076 if (I == Layout.end()) 00077 Layout.insert(std::make_pair(To, Kind)); 00078 else if (I->second != SSPLK_LargeArray && Kind != SSPLK_AddrOf) 00079 I->second = Kind; 00080 } 00081 } 00082 00083 bool StackProtector::runOnFunction(Function &Fn) { 00084 F = &Fn; 00085 M = F->getParent(); 00086 DominatorTreeWrapperPass *DTWP = 00087 getAnalysisIfAvailable<DominatorTreeWrapperPass>(); 00088 DT = DTWP ? &DTWP->getDomTree() : nullptr; 00089 TLI = TM->getSubtargetImpl()->getTargetLowering(); 00090 00091 Attribute Attr = Fn.getAttributes().getAttribute( 00092 AttributeSet::FunctionIndex, "stack-protector-buffer-size"); 00093 if (Attr.isStringAttribute() && 00094 Attr.getValueAsString().getAsInteger(10, SSPBufferSize)) 00095 return false; // Invalid integer string 00096 00097 if (!RequiresStackProtector()) 00098 return false; 00099 00100 ++NumFunProtected; 00101 return InsertStackProtectors(); 00102 } 00103 00104 /// \param [out] IsLarge is set to true if a protectable array is found and 00105 /// it is "large" ( >= ssp-buffer-size). In the case of a structure with 00106 /// multiple arrays, this gets set if any of them is large. 00107 bool StackProtector::ContainsProtectableArray(Type *Ty, bool &IsLarge, 00108 bool Strong, 00109 bool InStruct) const { 00110 if (!Ty) 00111 return false; 00112 if (ArrayType *AT = dyn_cast<ArrayType>(Ty)) { 00113 if (!AT->getElementType()->isIntegerTy(8)) { 00114 // If we're on a non-Darwin platform or we're inside of a structure, don't 00115 // add stack protectors unless the array is a character array. 00116 // However, in strong mode any array, regardless of type and size, 00117 // triggers a protector. 00118 if (!Strong && (InStruct || !Trip.isOSDarwin())) 00119 return false; 00120 } 00121 00122 // If an array has more than SSPBufferSize bytes of allocated space, then we 00123 // emit stack protectors. 00124 if (SSPBufferSize <= TLI->getDataLayout()->getTypeAllocSize(AT)) { 00125 IsLarge = true; 00126 return true; 00127 } 00128 00129 if (Strong) 00130 // Require a protector for all arrays in strong mode 00131 return true; 00132 } 00133 00134 const StructType *ST = dyn_cast<StructType>(Ty); 00135 if (!ST) 00136 return false; 00137 00138 bool NeedsProtector = false; 00139 for (StructType::element_iterator I = ST->element_begin(), 00140 E = ST->element_end(); 00141 I != E; ++I) 00142 if (ContainsProtectableArray(*I, IsLarge, Strong, true)) { 00143 // If the element is a protectable array and is large (>= SSPBufferSize) 00144 // then we are done. If the protectable array is not large, then 00145 // keep looking in case a subsequent element is a large array. 00146 if (IsLarge) 00147 return true; 00148 NeedsProtector = true; 00149 } 00150 00151 return NeedsProtector; 00152 } 00153 00154 bool StackProtector::HasAddressTaken(const Instruction *AI) { 00155 for (const User *U : AI->users()) { 00156 if (const StoreInst *SI = dyn_cast<StoreInst>(U)) { 00157 if (AI == SI->getValueOperand()) 00158 return true; 00159 } else if (const PtrToIntInst *SI = dyn_cast<PtrToIntInst>(U)) { 00160 if (AI == SI->getOperand(0)) 00161 return true; 00162 } else if (isa<CallInst>(U)) { 00163 return true; 00164 } else if (isa<InvokeInst>(U)) { 00165 return true; 00166 } else if (const SelectInst *SI = dyn_cast<SelectInst>(U)) { 00167 if (HasAddressTaken(SI)) 00168 return true; 00169 } else if (const PHINode *PN = dyn_cast<PHINode>(U)) { 00170 // Keep track of what PHI nodes we have already visited to ensure 00171 // they are only visited once. 00172 if (VisitedPHIs.insert(PN)) 00173 if (HasAddressTaken(PN)) 00174 return true; 00175 } else if (const GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(U)) { 00176 if (HasAddressTaken(GEP)) 00177 return true; 00178 } else if (const BitCastInst *BI = dyn_cast<BitCastInst>(U)) { 00179 if (HasAddressTaken(BI)) 00180 return true; 00181 } 00182 } 00183 return false; 00184 } 00185 00186 /// \brief Check whether or not this function needs a stack protector based 00187 /// upon the stack protector level. 00188 /// 00189 /// We use two heuristics: a standard (ssp) and strong (sspstrong). 00190 /// The standard heuristic which will add a guard variable to functions that 00191 /// call alloca with a either a variable size or a size >= SSPBufferSize, 00192 /// functions with character buffers larger than SSPBufferSize, and functions 00193 /// with aggregates containing character buffers larger than SSPBufferSize. The 00194 /// strong heuristic will add a guard variables to functions that call alloca 00195 /// regardless of size, functions with any buffer regardless of type and size, 00196 /// functions with aggregates that contain any buffer regardless of type and 00197 /// size, and functions that contain stack-based variables that have had their 00198 /// address taken. 00199 bool StackProtector::RequiresStackProtector() { 00200 bool Strong = false; 00201 bool NeedsProtector = false; 00202 if (F->getAttributes().hasAttribute(AttributeSet::FunctionIndex, 00203 Attribute::StackProtectReq)) { 00204 NeedsProtector = true; 00205 Strong = true; // Use the same heuristic as strong to determine SSPLayout 00206 } else if (F->getAttributes().hasAttribute(AttributeSet::FunctionIndex, 00207 Attribute::StackProtectStrong)) 00208 Strong = true; 00209 else if (!F->getAttributes().hasAttribute(AttributeSet::FunctionIndex, 00210 Attribute::StackProtect)) 00211 return false; 00212 00213 for (Function::iterator I = F->begin(), E = F->end(); I != E; ++I) { 00214 BasicBlock *BB = I; 00215 00216 for (BasicBlock::iterator II = BB->begin(), IE = BB->end(); II != IE; 00217 ++II) { 00218 if (AllocaInst *AI = dyn_cast<AllocaInst>(II)) { 00219 if (AI->isArrayAllocation()) { 00220 // SSP-Strong: Enable protectors for any call to alloca, regardless 00221 // of size. 00222 if (Strong) 00223 return true; 00224 00225 if (const ConstantInt *CI = 00226 dyn_cast<ConstantInt>(AI->getArraySize())) { 00227 if (CI->getLimitedValue(SSPBufferSize) >= SSPBufferSize) { 00228 // A call to alloca with size >= SSPBufferSize requires 00229 // stack protectors. 00230 Layout.insert(std::make_pair(AI, SSPLK_LargeArray)); 00231 NeedsProtector = true; 00232 } else if (Strong) { 00233 // Require protectors for all alloca calls in strong mode. 00234 Layout.insert(std::make_pair(AI, SSPLK_SmallArray)); 00235 NeedsProtector = true; 00236 } 00237 } else { 00238 // A call to alloca with a variable size requires protectors. 00239 Layout.insert(std::make_pair(AI, SSPLK_LargeArray)); 00240 NeedsProtector = true; 00241 } 00242 continue; 00243 } 00244 00245 bool IsLarge = false; 00246 if (ContainsProtectableArray(AI->getAllocatedType(), IsLarge, Strong)) { 00247 Layout.insert(std::make_pair(AI, IsLarge ? SSPLK_LargeArray 00248 : SSPLK_SmallArray)); 00249 NeedsProtector = true; 00250 continue; 00251 } 00252 00253 if (Strong && HasAddressTaken(AI)) { 00254 ++NumAddrTaken; 00255 Layout.insert(std::make_pair(AI, SSPLK_AddrOf)); 00256 NeedsProtector = true; 00257 } 00258 } 00259 } 00260 } 00261 00262 return NeedsProtector; 00263 } 00264 00265 static bool InstructionWillNotHaveChain(const Instruction *I) { 00266 return !I->mayHaveSideEffects() && !I->mayReadFromMemory() && 00267 isSafeToSpeculativelyExecute(I); 00268 } 00269 00270 /// Identify if RI has a previous instruction in the "Tail Position" and return 00271 /// it. Otherwise return 0. 00272 /// 00273 /// This is based off of the code in llvm::isInTailCallPosition. The difference 00274 /// is that it inverts the first part of llvm::isInTailCallPosition since 00275 /// isInTailCallPosition is checking if a call is in a tail call position, and 00276 /// we are searching for an unknown tail call that might be in the tail call 00277 /// position. Once we find the call though, the code uses the same refactored 00278 /// code, returnTypeIsEligibleForTailCall. 00279 static CallInst *FindPotentialTailCall(BasicBlock *BB, ReturnInst *RI, 00280 const TargetLoweringBase *TLI) { 00281 // Establish a reasonable upper bound on the maximum amount of instructions we 00282 // will look through to find a tail call. 00283 unsigned SearchCounter = 0; 00284 const unsigned MaxSearch = 4; 00285 bool NoInterposingChain = true; 00286 00287 for (BasicBlock::reverse_iterator I = std::next(BB->rbegin()), E = BB->rend(); 00288 I != E && SearchCounter < MaxSearch; ++I) { 00289 Instruction *Inst = &*I; 00290 00291 // Skip over debug intrinsics and do not allow them to affect our MaxSearch 00292 // counter. 00293 if (isa<DbgInfoIntrinsic>(Inst)) 00294 continue; 00295 00296 // If we find a call and the following conditions are satisifed, then we 00297 // have found a tail call that satisfies at least the target independent 00298 // requirements of a tail call: 00299 // 00300 // 1. The call site has the tail marker. 00301 // 00302 // 2. The call site either will not cause the creation of a chain or if a 00303 // chain is necessary there are no instructions in between the callsite and 00304 // the call which would create an interposing chain. 00305 // 00306 // 3. The return type of the function does not impede tail call 00307 // optimization. 00308 if (CallInst *CI = dyn_cast<CallInst>(Inst)) { 00309 if (CI->isTailCall() && 00310 (InstructionWillNotHaveChain(CI) || NoInterposingChain) && 00311 returnTypeIsEligibleForTailCall(BB->getParent(), CI, RI, *TLI)) 00312 return CI; 00313 } 00314 00315 // If we did not find a call see if we have an instruction that may create 00316 // an interposing chain. 00317 NoInterposingChain = 00318 NoInterposingChain && InstructionWillNotHaveChain(Inst); 00319 00320 // Increment max search. 00321 SearchCounter++; 00322 } 00323 00324 return nullptr; 00325 } 00326 00327 /// Insert code into the entry block that stores the __stack_chk_guard 00328 /// variable onto the stack: 00329 /// 00330 /// entry: 00331 /// StackGuardSlot = alloca i8* 00332 /// StackGuard = load __stack_chk_guard 00333 /// call void @llvm.stackprotect.create(StackGuard, StackGuardSlot) 00334 /// 00335 /// Returns true if the platform/triple supports the stackprotectorcreate pseudo 00336 /// node. 00337 static bool CreatePrologue(Function *F, Module *M, ReturnInst *RI, 00338 const TargetLoweringBase *TLI, const Triple &Trip, 00339 AllocaInst *&AI, Value *&StackGuardVar) { 00340 bool SupportsSelectionDAGSP = false; 00341 PointerType *PtrTy = Type::getInt8PtrTy(RI->getContext()); 00342 unsigned AddressSpace, Offset; 00343 if (TLI->getStackCookieLocation(AddressSpace, Offset)) { 00344 Constant *OffsetVal = 00345 ConstantInt::get(Type::getInt32Ty(RI->getContext()), Offset); 00346 00347 StackGuardVar = ConstantExpr::getIntToPtr( 00348 OffsetVal, PointerType::get(PtrTy, AddressSpace)); 00349 } else if (Trip.getOS() == llvm::Triple::OpenBSD) { 00350 StackGuardVar = M->getOrInsertGlobal("__guard_local", PtrTy); 00351 cast<GlobalValue>(StackGuardVar) 00352 ->setVisibility(GlobalValue::HiddenVisibility); 00353 } else { 00354 SupportsSelectionDAGSP = true; 00355 StackGuardVar = M->getOrInsertGlobal("__stack_chk_guard", PtrTy); 00356 } 00357 00358 IRBuilder<> B(&F->getEntryBlock().front()); 00359 AI = B.CreateAlloca(PtrTy, nullptr, "StackGuardSlot"); 00360 LoadInst *LI = B.CreateLoad(StackGuardVar, "StackGuard"); 00361 B.CreateCall2(Intrinsic::getDeclaration(M, Intrinsic::stackprotector), LI, 00362 AI); 00363 00364 return SupportsSelectionDAGSP; 00365 } 00366 00367 /// InsertStackProtectors - Insert code into the prologue and epilogue of the 00368 /// function. 00369 /// 00370 /// - The prologue code loads and stores the stack guard onto the stack. 00371 /// - The epilogue checks the value stored in the prologue against the original 00372 /// value. It calls __stack_chk_fail if they differ. 00373 bool StackProtector::InsertStackProtectors() { 00374 bool HasPrologue = false; 00375 bool SupportsSelectionDAGSP = 00376 EnableSelectionDAGSP && !TM->Options.EnableFastISel; 00377 AllocaInst *AI = nullptr; // Place on stack that stores the stack guard. 00378 Value *StackGuardVar = nullptr; // The stack guard variable. 00379 00380 for (Function::iterator I = F->begin(), E = F->end(); I != E;) { 00381 BasicBlock *BB = I++; 00382 ReturnInst *RI = dyn_cast<ReturnInst>(BB->getTerminator()); 00383 if (!RI) 00384 continue; 00385 00386 if (!HasPrologue) { 00387 HasPrologue = true; 00388 SupportsSelectionDAGSP &= 00389 CreatePrologue(F, M, RI, TLI, Trip, AI, StackGuardVar); 00390 } 00391 00392 if (SupportsSelectionDAGSP) { 00393 // Since we have a potential tail call, insert the special stack check 00394 // intrinsic. 00395 Instruction *InsertionPt = nullptr; 00396 if (CallInst *CI = FindPotentialTailCall(BB, RI, TLI)) { 00397 InsertionPt = CI; 00398 } else { 00399 InsertionPt = RI; 00400 // At this point we know that BB has a return statement so it *DOES* 00401 // have a terminator. 00402 assert(InsertionPt != nullptr && "BB must have a terminator instruction at " 00403 "this point."); 00404 } 00405 00406 Function *Intrinsic = 00407 Intrinsic::getDeclaration(M, Intrinsic::stackprotectorcheck); 00408 CallInst::Create(Intrinsic, StackGuardVar, "", InsertionPt); 00409 00410 } else { 00411 // If we do not support SelectionDAG based tail calls, generate IR level 00412 // tail calls. 00413 // 00414 // For each block with a return instruction, convert this: 00415 // 00416 // return: 00417 // ... 00418 // ret ... 00419 // 00420 // into this: 00421 // 00422 // return: 00423 // ... 00424 // %1 = load __stack_chk_guard 00425 // %2 = load StackGuardSlot 00426 // %3 = cmp i1 %1, %2 00427 // br i1 %3, label %SP_return, label %CallStackCheckFailBlk 00428 // 00429 // SP_return: 00430 // ret ... 00431 // 00432 // CallStackCheckFailBlk: 00433 // call void @__stack_chk_fail() 00434 // unreachable 00435 00436 // Create the FailBB. We duplicate the BB every time since the MI tail 00437 // merge pass will merge together all of the various BB into one including 00438 // fail BB generated by the stack protector pseudo instruction. 00439 BasicBlock *FailBB = CreateFailBB(); 00440 00441 // Split the basic block before the return instruction. 00442 BasicBlock *NewBB = BB->splitBasicBlock(RI, "SP_return"); 00443 00444 // Update the dominator tree if we need to. 00445 if (DT && DT->isReachableFromEntry(BB)) { 00446 DT->addNewBlock(NewBB, BB); 00447 DT->addNewBlock(FailBB, BB); 00448 } 00449 00450 // Remove default branch instruction to the new BB. 00451 BB->getTerminator()->eraseFromParent(); 00452 00453 // Move the newly created basic block to the point right after the old 00454 // basic block so that it's in the "fall through" position. 00455 NewBB->moveAfter(BB); 00456 00457 // Generate the stack protector instructions in the old basic block. 00458 IRBuilder<> B(BB); 00459 LoadInst *LI1 = B.CreateLoad(StackGuardVar); 00460 LoadInst *LI2 = B.CreateLoad(AI); 00461 Value *Cmp = B.CreateICmpEQ(LI1, LI2); 00462 B.CreateCondBr(Cmp, NewBB, FailBB); 00463 } 00464 } 00465 00466 // Return if we didn't modify any basic blocks. I.e., there are no return 00467 // statements in the function. 00468 if (!HasPrologue) 00469 return false; 00470 00471 return true; 00472 } 00473 00474 /// CreateFailBB - Create a basic block to jump to when the stack protector 00475 /// check fails. 00476 BasicBlock *StackProtector::CreateFailBB() { 00477 LLVMContext &Context = F->getContext(); 00478 BasicBlock *FailBB = BasicBlock::Create(Context, "CallStackCheckFailBlk", F); 00479 IRBuilder<> B(FailBB); 00480 if (Trip.getOS() == llvm::Triple::OpenBSD) { 00481 Constant *StackChkFail = M->getOrInsertFunction( 00482 "__stack_smash_handler", Type::getVoidTy(Context), 00483 Type::getInt8PtrTy(Context), NULL); 00484 00485 B.CreateCall(StackChkFail, B.CreateGlobalStringPtr(F->getName(), "SSH")); 00486 } else { 00487 Constant *StackChkFail = M->getOrInsertFunction( 00488 "__stack_chk_fail", Type::getVoidTy(Context), NULL); 00489 B.CreateCall(StackChkFail); 00490 } 00491 B.CreateUnreachable(); 00492 return FailBB; 00493 }
Generated on Thu Sep 18 2014 03:39:22 for LLVM by
1.7.6.1
Copyright © 2003-2014 University of Illinois at Urbana-Champaign.
All Rights Reserved.