1 //===- MemorySanitizer.cpp - detector of uninitialized reads --------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 /// \file
11 /// This file is a part of MemorySanitizer, a detector of uninitialized
12 /// reads.
13 ///
14 /// The algorithm of the tool is similar to Memcheck
15 /// (http://goo.gl/QKbem). We associate a few shadow bits with every
16 /// byte of the application memory, poison the shadow of the malloc-ed
17 /// or alloca-ed memory, load the shadow bits on every memory read,
18 /// propagate the shadow bits through some of the arithmetic
19 /// instruction (including MOV), store the shadow bits on every memory
20 /// write, report a bug on some other instructions (e.g. JMP) if the
21 /// associated shadow is poisoned.
22 ///
23 /// But there are differences too. The first and the major one:
24 /// compiler instrumentation instead of binary instrumentation. This
25 /// gives us much better register allocation, possible compiler
26 /// optimizations and a fast start-up. But this brings the major issue
27 /// as well: msan needs to see all program events, including system
28 /// calls and reads/writes in system libraries, so we either need to
29 /// compile *everything* with msan or use a binary translation
30 /// component (e.g. DynamoRIO) to instrument pre-built libraries.
31 /// Another difference from Memcheck is that we use 8 shadow bits per
32 /// byte of application memory and use a direct shadow mapping. This
33 /// greatly simplifies the instrumentation code and avoids races on
34 /// shadow updates (Memcheck is single-threaded so races are not a
35 /// concern there. Memcheck uses 2 shadow bits per byte with a slow
36 /// path storage that uses 8 bits per byte).
37 ///
38 /// The default value of shadow is 0, which means "clean" (not poisoned).
39 ///
40 /// Every module initializer should call __msan_init to ensure that the
41 /// shadow memory is ready. On error, __msan_warning is called. Since
42 /// parameters and return values may be passed via registers, we have a
43 /// specialized thread-local shadow for return values
44 /// (__msan_retval_tls) and parameters (__msan_param_tls).
45 ///
46 /// Origin tracking.
47 ///
48 /// MemorySanitizer can track origins (allocation points) of all uninitialized
49 /// values. This behavior is controlled with a flag (msan-track-origins) and is
50 /// disabled by default.
51 ///
52 /// Origins are 4-byte values created and interpreted by the runtime library.
53 /// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
54 /// of application memory. Propagation of origins is basically a bunch of
55 /// "select" instructions that pick the origin of a dirty argument, if an
56 /// instruction has one.
57 ///
58 /// Every 4 aligned, consecutive bytes of application memory have one origin
59 /// value associated with them. If these bytes contain uninitialized data
60 /// coming from 2 different allocations, the last store wins. Because of this,
61 /// MemorySanitizer reports can show unrelated origins, but this is unlikely in
62 /// practice.
63 ///
64 /// Origins are meaningless for fully initialized values, so MemorySanitizer
65 /// avoids storing origin to memory when a fully initialized value is stored.
66 /// This way it avoids needless overwritting origin of the 4-byte region on
67 /// a short (i.e. 1 byte) clean store, and it is also good for performance.
68 ///
69 /// Atomic handling.
70 ///
71 /// Ideally, every atomic store of application value should update the
72 /// corresponding shadow location in an atomic way. Unfortunately, atomic store
73 /// of two disjoint locations can not be done without severe slowdown.
74 ///
75 /// Therefore, we implement an approximation that may err on the safe side.
76 /// In this implementation, every atomically accessed location in the program
77 /// may only change from (partially) uninitialized to fully initialized, but
78 /// not the other way around. We load the shadow _after_ the application load,
79 /// and we store the shadow _before_ the app store. Also, we always store clean
80 /// shadow (if the application store is atomic). This way, if the store-load
81 /// pair constitutes a happens-before arc, shadow store and load are correctly
82 /// ordered such that the load will get either the value that was stored, or
83 /// some later value (which is always clean).
84 ///
85 /// This does not work very well with Compare-And-Swap (CAS) and
86 /// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
87 /// must store the new shadow before the app operation, and load the shadow
88 /// after the app operation. Computers don't work this way. Current
89 /// implementation ignores the load aspect of CAS/RMW, always returning a clean
90 /// value. It implements the store part as a simple atomic store by storing a
91 /// clean shadow.
92 ///
93 /// Instrumenting inline assembly.
94 ///
95 /// For inline assembly code LLVM has little idea about which memory locations
96 /// become initialized depending on the arguments. It can be possible to figure
97 /// out which arguments are meant to point to inputs and outputs, but the
98 /// actual semantics can be only visible at runtime. In the Linux kernel it's
99 /// also possible that the arguments only indicate the offset for a base taken
100 /// from a segment register, so it's dangerous to treat any asm() arguments as
101 /// pointers. We take a conservative approach generating calls to
102 /// __msan_instrument_asm_store(ptr, size)
103 /// , which defer the memory unpoisoning to the runtime library.
104 /// The latter can perform more complex address checks to figure out whether
105 /// it's safe to touch the shadow memory.
106 /// Like with atomic operations, we call __msan_instrument_asm_store() before
107 /// the assembly call, so that changes to the shadow memory will be seen by
108 /// other threads together with main memory initialization.
109 ///
110 /// KernelMemorySanitizer (KMSAN) implementation.
111 ///
112 /// The major differences between KMSAN and MSan instrumentation are:
113 /// - KMSAN always tracks the origins and implies msan-keep-going=true;
114 /// - KMSAN allocates shadow and origin memory for each page separately, so
115 /// there are no explicit accesses to shadow and origin in the
116 /// instrumentation.
117 /// Shadow and origin values for a particular X-byte memory location
118 /// (X=1,2,4,8) are accessed through pointers obtained via the
119 /// __msan_metadata_ptr_for_load_X(ptr)
120 /// __msan_metadata_ptr_for_store_X(ptr)
121 /// functions. The corresponding functions check that the X-byte accesses
122 /// are possible and returns the pointers to shadow and origin memory.
123 /// Arbitrary sized accesses are handled with:
124 /// __msan_metadata_ptr_for_load_n(ptr, size)
125 /// __msan_metadata_ptr_for_store_n(ptr, size);
126 /// - TLS variables are stored in a single per-task struct. A call to a
127 /// function __msan_get_context_state() returning a pointer to that struct
128 /// is inserted into every instrumented function before the entry block;
129 /// - __msan_warning() takes a 32-bit origin parameter;
130 /// - local variables are poisoned with __msan_poison_alloca() upon function
131 /// entry and unpoisoned with __msan_unpoison_alloca() before leaving the
132 /// function;
133 /// - the pass doesn't declare any global variables or add global constructors
134 /// to the translation unit.
135 ///
136 /// Also, KMSAN currently ignores uninitialized memory passed into inline asm
137 /// calls, making sure we're on the safe side wrt. possible false positives.
138 ///
139 /// KernelMemorySanitizer only supports X86_64 at the moment.
140 ///
141 //===----------------------------------------------------------------------===//
142
143 #include "llvm/Transforms/Instrumentation/MemorySanitizer.h"
144 #include "llvm/ADT/APInt.h"
145 #include "llvm/ADT/ArrayRef.h"
146 #include "llvm/ADT/DepthFirstIterator.h"
147 #include "llvm/ADT/SmallString.h"
148 #include "llvm/ADT/SmallVector.h"
149 #include "llvm/ADT/StringExtras.h"
150 #include "llvm/ADT/StringRef.h"
151 #include "llvm/ADT/Triple.h"
152 #include "llvm/Analysis/TargetLibraryInfo.h"
153 #include "llvm/IR/Argument.h"
154 #include "llvm/IR/Attributes.h"
155 #include "llvm/IR/BasicBlock.h"
156 #include "llvm/IR/CallSite.h"
157 #include "llvm/IR/CallingConv.h"
158 #include "llvm/IR/Constant.h"
159 #include "llvm/IR/Constants.h"
160 #include "llvm/IR/DataLayout.h"
161 #include "llvm/IR/DerivedTypes.h"
162 #include "llvm/IR/Function.h"
163 #include "llvm/IR/GlobalValue.h"
164 #include "llvm/IR/GlobalVariable.h"
165 #include "llvm/IR/IRBuilder.h"
166 #include "llvm/IR/InlineAsm.h"
167 #include "llvm/IR/InstVisitor.h"
168 #include "llvm/IR/InstrTypes.h"
169 #include "llvm/IR/Instruction.h"
170 #include "llvm/IR/Instructions.h"
171 #include "llvm/IR/IntrinsicInst.h"
172 #include "llvm/IR/Intrinsics.h"
173 #include "llvm/IR/LLVMContext.h"
174 #include "llvm/IR/MDBuilder.h"
175 #include "llvm/IR/Module.h"
176 #include "llvm/IR/Type.h"
177 #include "llvm/IR/Value.h"
178 #include "llvm/IR/ValueMap.h"
179 #include "llvm/Pass.h"
180 #include "llvm/Support/AtomicOrdering.h"
181 #include "llvm/Support/Casting.h"
182 #include "llvm/Support/CommandLine.h"
183 #include "llvm/Support/Compiler.h"
184 #include "llvm/Support/Debug.h"
185 #include "llvm/Support/ErrorHandling.h"
186 #include "llvm/Support/MathExtras.h"
187 #include "llvm/Support/raw_ostream.h"
188 #include "llvm/Transforms/Instrumentation.h"
189 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
190 #include "llvm/Transforms/Utils/Local.h"
191 #include "llvm/Transforms/Utils/ModuleUtils.h"
192 #include <algorithm>
193 #include <cassert>
194 #include <cstddef>
195 #include <cstdint>
196 #include <memory>
197 #include <string>
198 #include <tuple>
199
200 using namespace llvm;
201
202 #define DEBUG_TYPE "msan"
203
204 static const unsigned kOriginSize = 4;
205 static const unsigned kMinOriginAlignment = 4;
206 static const unsigned kShadowTLSAlignment = 8;
207
208 // These constants must be kept in sync with the ones in msan.h.
209 static const unsigned kParamTLSSize = 800;
210 static const unsigned kRetvalTLSSize = 800;
211
212 // Accesses sizes are powers of two: 1, 2, 4, 8.
213 static const size_t kNumberOfAccessSizes = 4;
214
215 /// Track origins of uninitialized values.
216 ///
217 /// Adds a section to MemorySanitizer report that points to the allocation
218 /// (stack or heap) the uninitialized bits came from originally.
219 static cl::opt<int> ClTrackOrigins("msan-track-origins",
220 cl::desc("Track origins (allocation sites) of poisoned memory"),
221 cl::Hidden, cl::init(0));
222
223 static cl::opt<bool> ClKeepGoing("msan-keep-going",
224 cl::desc("keep going after reporting a UMR"),
225 cl::Hidden, cl::init(false));
226
227 static cl::opt<bool> ClPoisonStack("msan-poison-stack",
228 cl::desc("poison uninitialized stack variables"),
229 cl::Hidden, cl::init(true));
230
231 static cl::opt<bool> ClPoisonStackWithCall("msan-poison-stack-with-call",
232 cl::desc("poison uninitialized stack variables with a call"),
233 cl::Hidden, cl::init(false));
234
235 static cl::opt<int> ClPoisonStackPattern("msan-poison-stack-pattern",
236 cl::desc("poison uninitialized stack variables with the given pattern"),
237 cl::Hidden, cl::init(0xff));
238
239 static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
240 cl::desc("poison undef temps"),
241 cl::Hidden, cl::init(true));
242
243 static cl::opt<bool> ClHandleICmp("msan-handle-icmp",
244 cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
245 cl::Hidden, cl::init(true));
246
247 static cl::opt<bool> ClHandleICmpExact("msan-handle-icmp-exact",
248 cl::desc("exact handling of relational integer ICmp"),
249 cl::Hidden, cl::init(false));
250
251 // When compiling the Linux kernel, we sometimes see false positives related to
252 // MSan being unable to understand that inline assembly calls may initialize
253 // local variables.
254 // This flag makes the compiler conservatively unpoison every memory location
255 // passed into an assembly call. Note that this may cause false positives.
256 // Because it's impossible to figure out the array sizes, we can only unpoison
257 // the first sizeof(type) bytes for each type* pointer.
258 // The instrumentation is only enabled in KMSAN builds, and only if
259 // -msan-handle-asm-conservative is on. This is done because we may want to
260 // quickly disable assembly instrumentation when it breaks.
261 static cl::opt<bool> ClHandleAsmConservative(
262 "msan-handle-asm-conservative",
263 cl::desc("conservative handling of inline assembly"), cl::Hidden,
264 cl::init(true));
265
266 // This flag controls whether we check the shadow of the address
267 // operand of load or store. Such bugs are very rare, since load from
268 // a garbage address typically results in SEGV, but still happen
269 // (e.g. only lower bits of address are garbage, or the access happens
270 // early at program startup where malloc-ed memory is more likely to
271 // be zeroed. As of 2012-08-28 this flag adds 20% slowdown.
272 static cl::opt<bool> ClCheckAccessAddress("msan-check-access-address",
273 cl::desc("report accesses through a pointer which has poisoned shadow"),
274 cl::Hidden, cl::init(true));
275
276 static cl::opt<bool> ClDumpStrictInstructions("msan-dump-strict-instructions",
277 cl::desc("print out instructions with default strict semantics"),
278 cl::Hidden, cl::init(false));
279
280 static cl::opt<int> ClInstrumentationWithCallThreshold(
281 "msan-instrumentation-with-call-threshold",
282 cl::desc(
283 "If the function being instrumented requires more than "
284 "this number of checks and origin stores, use callbacks instead of "
285 "inline checks (-1 means never use callbacks)."),
286 cl::Hidden, cl::init(3500));
287
288 static cl::opt<bool>
289 ClEnableKmsan("msan-kernel",
290 cl::desc("Enable KernelMemorySanitizer instrumentation"),
291 cl::Hidden, cl::init(false));
292
293 // This is an experiment to enable handling of cases where shadow is a non-zero
294 // compile-time constant. For some unexplainable reason they were silently
295 // ignored in the instrumentation.
296 static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
297 cl::desc("Insert checks for constant shadow values"),
298 cl::Hidden, cl::init(false));
299
300 // This is off by default because of a bug in gold:
301 // https://sourceware.org/bugzilla/show_bug.cgi?id=19002
302 static cl::opt<bool> ClWithComdat("msan-with-comdat",
303 cl::desc("Place MSan constructors in comdat sections"),
304 cl::Hidden, cl::init(false));
305
306 // These options allow to specify custom memory map parameters
307 // See MemoryMapParams for details.
308 static cl::opt<unsigned long long> ClAndMask("msan-and-mask",
309 cl::desc("Define custom MSan AndMask"),
310 cl::Hidden, cl::init(0));
311
312 static cl::opt<unsigned long long> ClXorMask("msan-xor-mask",
313 cl::desc("Define custom MSan XorMask"),
314 cl::Hidden, cl::init(0));
315
316 static cl::opt<unsigned long long> ClShadowBase("msan-shadow-base",
317 cl::desc("Define custom MSan ShadowBase"),
318 cl::Hidden, cl::init(0));
319
320 static cl::opt<unsigned long long> ClOriginBase("msan-origin-base",
321 cl::desc("Define custom MSan OriginBase"),
322 cl::Hidden, cl::init(0));
323
324 static const char *const kMsanModuleCtorName = "msan.module_ctor";
325 static const char *const kMsanInitName = "__msan_init";
326
327 namespace {
328
329 // Memory map parameters used in application-to-shadow address calculation.
330 // Offset = (Addr & ~AndMask) ^ XorMask
331 // Shadow = ShadowBase + Offset
332 // Origin = OriginBase + Offset
333 struct MemoryMapParams {
334 uint64_t AndMask;
335 uint64_t XorMask;
336 uint64_t ShadowBase;
337 uint64_t OriginBase;
338 };
339
340 struct PlatformMemoryMapParams {
341 const MemoryMapParams *bits32;
342 const MemoryMapParams *bits64;
343 };
344
345 } // end anonymous namespace
346
347 // i386 Linux
348 static const MemoryMapParams Linux_I386_MemoryMapParams = {
349 0x000080000000, // AndMask
350 0, // XorMask (not used)
351 0, // ShadowBase (not used)
352 0x000040000000, // OriginBase
353 };
354
355 // x86_64 Linux
356 static const MemoryMapParams Linux_X86_64_MemoryMapParams = {
357 #ifdef MSAN_LINUX_X86_64_OLD_MAPPING
358 0x400000000000, // AndMask
359 0, // XorMask (not used)
360 0, // ShadowBase (not used)
361 0x200000000000, // OriginBase
362 #else
363 0, // AndMask (not used)
364 0x500000000000, // XorMask
365 0, // ShadowBase (not used)
366 0x100000000000, // OriginBase
367 #endif
368 };
369
370 // mips64 Linux
371 static const MemoryMapParams Linux_MIPS64_MemoryMapParams = {
372 0, // AndMask (not used)
373 0x008000000000, // XorMask
374 0, // ShadowBase (not used)
375 0x002000000000, // OriginBase
376 };
377
378 // ppc64 Linux
379 static const MemoryMapParams Linux_PowerPC64_MemoryMapParams = {
380 0xE00000000000, // AndMask
381 0x100000000000, // XorMask
382 0x080000000000, // ShadowBase
383 0x1C0000000000, // OriginBase
384 };
385
386 // aarch64 Linux
387 static const MemoryMapParams Linux_AArch64_MemoryMapParams = {
388 0, // AndMask (not used)
389 0x06000000000, // XorMask
390 0, // ShadowBase (not used)
391 0x01000000000, // OriginBase
392 };
393
394 // i386 FreeBSD
395 static const MemoryMapParams FreeBSD_I386_MemoryMapParams = {
396 0x000180000000, // AndMask
397 0x000040000000, // XorMask
398 0x000020000000, // ShadowBase
399 0x000700000000, // OriginBase
400 };
401
402 // x86_64 FreeBSD
403 static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams = {
404 0xc00000000000, // AndMask
405 0x200000000000, // XorMask
406 0x100000000000, // ShadowBase
407 0x380000000000, // OriginBase
408 };
409
410 // x86_64 NetBSD
411 static const MemoryMapParams NetBSD_X86_64_MemoryMapParams = {
412 0, // AndMask
413 0x500000000000, // XorMask
414 0, // ShadowBase
415 0x100000000000, // OriginBase
416 };
417
418 static const PlatformMemoryMapParams Linux_X86_MemoryMapParams = {
419 &Linux_I386_MemoryMapParams,
420 &Linux_X86_64_MemoryMapParams,
421 };
422
423 static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams = {
424 nullptr,
425 &Linux_MIPS64_MemoryMapParams,
426 };
427
428 static const PlatformMemoryMapParams Linux_PowerPC_MemoryMapParams = {
429 nullptr,
430 &Linux_PowerPC64_MemoryMapParams,
431 };
432
433 static const PlatformMemoryMapParams Linux_ARM_MemoryMapParams = {
434 nullptr,
435 &Linux_AArch64_MemoryMapParams,
436 };
437
438 static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams = {
439 &FreeBSD_I386_MemoryMapParams,
440 &FreeBSD_X86_64_MemoryMapParams,
441 };
442
443 static const PlatformMemoryMapParams NetBSD_X86_MemoryMapParams = {
444 nullptr,
445 &NetBSD_X86_64_MemoryMapParams,
446 };
447
448 namespace {
449
450 /// Instrument functions of a module to detect uninitialized reads.
451 ///
452 /// Instantiating MemorySanitizer inserts the msan runtime library API function
453 /// declarations into the module if they don't exist already. Instantiating
454 /// ensures the __msan_init function is in the list of global constructors for
455 /// the module.
456 class MemorySanitizer {
457 public:
MemorySanitizer(Module & M,int TrackOrigins=0,bool Recover=false,bool EnableKmsan=false)458 MemorySanitizer(Module &M, int TrackOrigins = 0, bool Recover = false,
459 bool EnableKmsan = false) {
460 this->CompileKernel =
461 ClEnableKmsan.getNumOccurrences() > 0 ? ClEnableKmsan : EnableKmsan;
462 if (ClTrackOrigins.getNumOccurrences() > 0)
463 this->TrackOrigins = ClTrackOrigins;
464 else
465 this->TrackOrigins = this->CompileKernel ? 2 : TrackOrigins;
466 this->Recover = ClKeepGoing.getNumOccurrences() > 0
467 ? ClKeepGoing
468 : (this->CompileKernel | Recover);
469 initializeModule(M);
470 }
471
472 // MSan cannot be moved or copied because of MapParams.
473 MemorySanitizer(MemorySanitizer &&) = delete;
474 MemorySanitizer &operator=(MemorySanitizer &&) = delete;
475 MemorySanitizer(const MemorySanitizer &) = delete;
476 MemorySanitizer &operator=(const MemorySanitizer &) = delete;
477
478 bool sanitizeFunction(Function &F, TargetLibraryInfo &TLI);
479
480 private:
481 friend struct MemorySanitizerVisitor;
482 friend struct VarArgAMD64Helper;
483 friend struct VarArgMIPS64Helper;
484 friend struct VarArgAArch64Helper;
485 friend struct VarArgPowerPC64Helper;
486
487 void initializeModule(Module &M);
488 void initializeCallbacks(Module &M);
489 void createKernelApi(Module &M);
490 void createUserspaceApi(Module &M);
491
492 /// True if we're compiling the Linux kernel.
493 bool CompileKernel;
494 /// Track origins (allocation points) of uninitialized values.
495 int TrackOrigins;
496 bool Recover;
497
498 LLVMContext *C;
499 Type *IntptrTy;
500 Type *OriginTy;
501
502 // XxxTLS variables represent the per-thread state in MSan and per-task state
503 // in KMSAN.
504 // For the userspace these point to thread-local globals. In the kernel land
505 // they point to the members of a per-task struct obtained via a call to
506 // __msan_get_context_state().
507
508 /// Thread-local shadow storage for function parameters.
509 Value *ParamTLS;
510
511 /// Thread-local origin storage for function parameters.
512 Value *ParamOriginTLS;
513
514 /// Thread-local shadow storage for function return value.
515 Value *RetvalTLS;
516
517 /// Thread-local origin storage for function return value.
518 Value *RetvalOriginTLS;
519
520 /// Thread-local shadow storage for in-register va_arg function
521 /// parameters (x86_64-specific).
522 Value *VAArgTLS;
523
524 /// Thread-local shadow storage for in-register va_arg function
525 /// parameters (x86_64-specific).
526 Value *VAArgOriginTLS;
527
528 /// Thread-local shadow storage for va_arg overflow area
529 /// (x86_64-specific).
530 Value *VAArgOverflowSizeTLS;
531
532 /// Thread-local space used to pass origin value to the UMR reporting
533 /// function.
534 Value *OriginTLS;
535
536 /// Are the instrumentation callbacks set up?
537 bool CallbacksInitialized = false;
538
539 /// The run-time callback to print a warning.
540 Value *WarningFn;
541
542 // These arrays are indexed by log2(AccessSize).
543 Value *MaybeWarningFn[kNumberOfAccessSizes];
544 Value *MaybeStoreOriginFn[kNumberOfAccessSizes];
545
546 /// Run-time helper that generates a new origin value for a stack
547 /// allocation.
548 Value *MsanSetAllocaOrigin4Fn;
549
550 /// Run-time helper that poisons stack on function entry.
551 Value *MsanPoisonStackFn;
552
553 /// Run-time helper that records a store (or any event) of an
554 /// uninitialized value and returns an updated origin id encoding this info.
555 Value *MsanChainOriginFn;
556
557 /// MSan runtime replacements for memmove, memcpy and memset.
558 Value *MemmoveFn, *MemcpyFn, *MemsetFn;
559
560 /// KMSAN callback for task-local function argument shadow.
561 Value *MsanGetContextStateFn;
562
563 /// Functions for poisoning/unpoisoning local variables
564 Value *MsanPoisonAllocaFn, *MsanUnpoisonAllocaFn;
565
566 /// Each of the MsanMetadataPtrXxx functions returns a pair of shadow/origin
567 /// pointers.
568 Value *MsanMetadataPtrForLoadN, *MsanMetadataPtrForStoreN;
569 Value *MsanMetadataPtrForLoad_1_8[4];
570 Value *MsanMetadataPtrForStore_1_8[4];
571 Value *MsanInstrumentAsmStoreFn;
572
573 /// Helper to choose between different MsanMetadataPtrXxx().
574 Value *getKmsanShadowOriginAccessFn(bool isStore, int size);
575
576 /// Memory map parameters used in application-to-shadow calculation.
577 const MemoryMapParams *MapParams;
578
579 /// Custom memory map parameters used when -msan-shadow-base or
580 // -msan-origin-base is provided.
581 MemoryMapParams CustomMapParams;
582
583 MDNode *ColdCallWeights;
584
585 /// Branch weights for origin store.
586 MDNode *OriginStoreWeights;
587
588 /// An empty volatile inline asm that prevents callback merge.
589 InlineAsm *EmptyAsm;
590
591 Function *MsanCtorFunction;
592 };
593
594 /// A legacy function pass for msan instrumentation.
595 ///
596 /// Instruments functions to detect unitialized reads.
597 struct MemorySanitizerLegacyPass : public FunctionPass {
598 // Pass identification, replacement for typeid.
599 static char ID;
600
MemorySanitizerLegacyPass__anonfe2889270211::MemorySanitizerLegacyPass601 MemorySanitizerLegacyPass(int TrackOrigins = 0, bool Recover = false,
602 bool EnableKmsan = false)
603 : FunctionPass(ID), TrackOrigins(TrackOrigins), Recover(Recover),
604 EnableKmsan(EnableKmsan) {}
getPassName__anonfe2889270211::MemorySanitizerLegacyPass605 StringRef getPassName() const override { return "MemorySanitizerLegacyPass"; }
606
getAnalysisUsage__anonfe2889270211::MemorySanitizerLegacyPass607 void getAnalysisUsage(AnalysisUsage &AU) const override {
608 AU.addRequired<TargetLibraryInfoWrapperPass>();
609 }
610
runOnFunction__anonfe2889270211::MemorySanitizerLegacyPass611 bool runOnFunction(Function &F) override {
612 return MSan->sanitizeFunction(
613 F, getAnalysis<TargetLibraryInfoWrapperPass>().getTLI());
614 }
615 bool doInitialization(Module &M) override;
616
617 Optional<MemorySanitizer> MSan;
618 int TrackOrigins;
619 bool Recover;
620 bool EnableKmsan;
621 };
622
623 } // end anonymous namespace
624
run(Function & F,FunctionAnalysisManager & FAM)625 PreservedAnalyses MemorySanitizerPass::run(Function &F,
626 FunctionAnalysisManager &FAM) {
627 MemorySanitizer Msan(*F.getParent(), TrackOrigins, Recover, EnableKmsan);
628 if (Msan.sanitizeFunction(F, FAM.getResult<TargetLibraryAnalysis>(F)))
629 return PreservedAnalyses::none();
630 return PreservedAnalyses::all();
631 }
632
633 char MemorySanitizerLegacyPass::ID = 0;
634
635 INITIALIZE_PASS_BEGIN(MemorySanitizerLegacyPass, "msan",
636 "MemorySanitizer: detects uninitialized reads.", false,
637 false)
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)638 INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
639 INITIALIZE_PASS_END(MemorySanitizerLegacyPass, "msan",
640 "MemorySanitizer: detects uninitialized reads.", false,
641 false)
642
643 FunctionPass *llvm::createMemorySanitizerLegacyPassPass(int TrackOrigins,
644 bool Recover,
645 bool CompileKernel) {
646 return new MemorySanitizerLegacyPass(TrackOrigins, Recover, CompileKernel);
647 }
648
649 /// Create a non-const global initialized with the given string.
650 ///
651 /// Creates a writable global for Str so that we can pass it to the
652 /// run-time lib. Runtime uses first 4 bytes of the string to store the
653 /// frame ID, so the string needs to be mutable.
createPrivateNonConstGlobalForString(Module & M,StringRef Str)654 static GlobalVariable *createPrivateNonConstGlobalForString(Module &M,
655 StringRef Str) {
656 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
657 return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/false,
658 GlobalValue::PrivateLinkage, StrConst, "");
659 }
660
661 /// Create KMSAN API callbacks.
createKernelApi(Module & M)662 void MemorySanitizer::createKernelApi(Module &M) {
663 IRBuilder<> IRB(*C);
664
665 // These will be initialized in insertKmsanPrologue().
666 RetvalTLS = nullptr;
667 RetvalOriginTLS = nullptr;
668 ParamTLS = nullptr;
669 ParamOriginTLS = nullptr;
670 VAArgTLS = nullptr;
671 VAArgOriginTLS = nullptr;
672 VAArgOverflowSizeTLS = nullptr;
673 // OriginTLS is unused in the kernel.
674 OriginTLS = nullptr;
675
676 // __msan_warning() in the kernel takes an origin.
677 WarningFn = M.getOrInsertFunction("__msan_warning", IRB.getVoidTy(),
678 IRB.getInt32Ty());
679 // Requests the per-task context state (kmsan_context_state*) from the
680 // runtime library.
681 MsanGetContextStateFn = M.getOrInsertFunction(
682 "__msan_get_context_state",
683 PointerType::get(
684 StructType::get(ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
685 ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8),
686 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
687 ArrayType::get(IRB.getInt64Ty(),
688 kParamTLSSize / 8), /* va_arg_origin */
689 IRB.getInt64Ty(),
690 ArrayType::get(OriginTy, kParamTLSSize / 4), OriginTy,
691 OriginTy),
692 0));
693
694 Type *RetTy = StructType::get(PointerType::get(IRB.getInt8Ty(), 0),
695 PointerType::get(IRB.getInt32Ty(), 0));
696
697 for (int ind = 0, size = 1; ind < 4; ind++, size <<= 1) {
698 std::string name_load =
699 "__msan_metadata_ptr_for_load_" + std::to_string(size);
700 std::string name_store =
701 "__msan_metadata_ptr_for_store_" + std::to_string(size);
702 MsanMetadataPtrForLoad_1_8[ind] = M.getOrInsertFunction(
703 name_load, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
704 MsanMetadataPtrForStore_1_8[ind] = M.getOrInsertFunction(
705 name_store, RetTy, PointerType::get(IRB.getInt8Ty(), 0));
706 }
707
708 MsanMetadataPtrForLoadN = M.getOrInsertFunction(
709 "__msan_metadata_ptr_for_load_n", RetTy,
710 PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
711 MsanMetadataPtrForStoreN = M.getOrInsertFunction(
712 "__msan_metadata_ptr_for_store_n", RetTy,
713 PointerType::get(IRB.getInt8Ty(), 0), IRB.getInt64Ty());
714
715 // Functions for poisoning and unpoisoning memory.
716 MsanPoisonAllocaFn =
717 M.getOrInsertFunction("__msan_poison_alloca", IRB.getVoidTy(),
718 IRB.getInt8PtrTy(), IntptrTy, IRB.getInt8PtrTy());
719 MsanUnpoisonAllocaFn = M.getOrInsertFunction(
720 "__msan_unpoison_alloca", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy);
721 }
722
getOrInsertGlobal(Module & M,StringRef Name,Type * Ty)723 static Constant *getOrInsertGlobal(Module &M, StringRef Name, Type *Ty) {
724 return M.getOrInsertGlobal(Name, Ty, [&] {
725 return new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage,
726 nullptr, Name, nullptr,
727 GlobalVariable::InitialExecTLSModel);
728 });
729 }
730
731 /// Insert declarations for userspace-specific functions and globals.
createUserspaceApi(Module & M)732 void MemorySanitizer::createUserspaceApi(Module &M) {
733 IRBuilder<> IRB(*C);
734 // Create the callback.
735 // FIXME: this function should have "Cold" calling conv,
736 // which is not yet implemented.
737 StringRef WarningFnName = Recover ? "__msan_warning"
738 : "__msan_warning_noreturn";
739 WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy());
740
741 // Create the global TLS variables.
742 RetvalTLS =
743 getOrInsertGlobal(M, "__msan_retval_tls",
744 ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8));
745
746 RetvalOriginTLS = getOrInsertGlobal(M, "__msan_retval_origin_tls", OriginTy);
747
748 ParamTLS =
749 getOrInsertGlobal(M, "__msan_param_tls",
750 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
751
752 ParamOriginTLS =
753 getOrInsertGlobal(M, "__msan_param_origin_tls",
754 ArrayType::get(OriginTy, kParamTLSSize / 4));
755
756 VAArgTLS =
757 getOrInsertGlobal(M, "__msan_va_arg_tls",
758 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
759
760 VAArgOriginTLS =
761 getOrInsertGlobal(M, "__msan_va_arg_origin_tls",
762 ArrayType::get(OriginTy, kParamTLSSize / 4));
763
764 VAArgOverflowSizeTLS =
765 getOrInsertGlobal(M, "__msan_va_arg_overflow_size_tls", IRB.getInt64Ty());
766 OriginTLS = getOrInsertGlobal(M, "__msan_origin_tls", IRB.getInt32Ty());
767
768 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
769 AccessSizeIndex++) {
770 unsigned AccessSize = 1 << AccessSizeIndex;
771 std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize);
772 MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction(
773 FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
774 IRB.getInt32Ty());
775
776 FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize);
777 MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction(
778 FunctionName, IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8),
779 IRB.getInt8PtrTy(), IRB.getInt32Ty());
780 }
781
782 MsanSetAllocaOrigin4Fn = M.getOrInsertFunction(
783 "__msan_set_alloca_origin4", IRB.getVoidTy(), IRB.getInt8PtrTy(), IntptrTy,
784 IRB.getInt8PtrTy(), IntptrTy);
785 MsanPoisonStackFn =
786 M.getOrInsertFunction("__msan_poison_stack", IRB.getVoidTy(),
787 IRB.getInt8PtrTy(), IntptrTy);
788 }
789
790 /// Insert extern declaration of runtime-provided functions and globals.
initializeCallbacks(Module & M)791 void MemorySanitizer::initializeCallbacks(Module &M) {
792 // Only do this once.
793 if (CallbacksInitialized)
794 return;
795
796 IRBuilder<> IRB(*C);
797 // Initialize callbacks that are common for kernel and userspace
798 // instrumentation.
799 MsanChainOriginFn = M.getOrInsertFunction(
800 "__msan_chain_origin", IRB.getInt32Ty(), IRB.getInt32Ty());
801 MemmoveFn = M.getOrInsertFunction(
802 "__msan_memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
803 IRB.getInt8PtrTy(), IntptrTy);
804 MemcpyFn = M.getOrInsertFunction(
805 "__msan_memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
806 IntptrTy);
807 MemsetFn = M.getOrInsertFunction(
808 "__msan_memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(),
809 IntptrTy);
810 // We insert an empty inline asm after __msan_report* to avoid callback merge.
811 EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
812 StringRef(""), StringRef(""),
813 /*hasSideEffects=*/true);
814
815 MsanInstrumentAsmStoreFn =
816 M.getOrInsertFunction("__msan_instrument_asm_store", IRB.getVoidTy(),
817 PointerType::get(IRB.getInt8Ty(), 0), IntptrTy);
818
819 if (CompileKernel) {
820 createKernelApi(M);
821 } else {
822 createUserspaceApi(M);
823 }
824 CallbacksInitialized = true;
825 }
826
getKmsanShadowOriginAccessFn(bool isStore,int size)827 Value *MemorySanitizer::getKmsanShadowOriginAccessFn(bool isStore, int size) {
828 Value **Fns =
829 isStore ? MsanMetadataPtrForStore_1_8 : MsanMetadataPtrForLoad_1_8;
830 switch (size) {
831 case 1:
832 return Fns[0];
833 case 2:
834 return Fns[1];
835 case 4:
836 return Fns[2];
837 case 8:
838 return Fns[3];
839 default:
840 return nullptr;
841 }
842 }
843
844 /// Module-level initialization.
845 ///
846 /// inserts a call to __msan_init to the module's constructor list.
initializeModule(Module & M)847 void MemorySanitizer::initializeModule(Module &M) {
848 auto &DL = M.getDataLayout();
849
850 bool ShadowPassed = ClShadowBase.getNumOccurrences() > 0;
851 bool OriginPassed = ClOriginBase.getNumOccurrences() > 0;
852 // Check the overrides first
853 if (ShadowPassed || OriginPassed) {
854 CustomMapParams.AndMask = ClAndMask;
855 CustomMapParams.XorMask = ClXorMask;
856 CustomMapParams.ShadowBase = ClShadowBase;
857 CustomMapParams.OriginBase = ClOriginBase;
858 MapParams = &CustomMapParams;
859 } else {
860 Triple TargetTriple(M.getTargetTriple());
861 switch (TargetTriple.getOS()) {
862 case Triple::FreeBSD:
863 switch (TargetTriple.getArch()) {
864 case Triple::x86_64:
865 MapParams = FreeBSD_X86_MemoryMapParams.bits64;
866 break;
867 case Triple::x86:
868 MapParams = FreeBSD_X86_MemoryMapParams.bits32;
869 break;
870 default:
871 report_fatal_error("unsupported architecture");
872 }
873 break;
874 case Triple::NetBSD:
875 switch (TargetTriple.getArch()) {
876 case Triple::x86_64:
877 MapParams = NetBSD_X86_MemoryMapParams.bits64;
878 break;
879 default:
880 report_fatal_error("unsupported architecture");
881 }
882 break;
883 case Triple::Linux:
884 switch (TargetTriple.getArch()) {
885 case Triple::x86_64:
886 MapParams = Linux_X86_MemoryMapParams.bits64;
887 break;
888 case Triple::x86:
889 MapParams = Linux_X86_MemoryMapParams.bits32;
890 break;
891 case Triple::mips64:
892 case Triple::mips64el:
893 MapParams = Linux_MIPS_MemoryMapParams.bits64;
894 break;
895 case Triple::ppc64:
896 case Triple::ppc64le:
897 MapParams = Linux_PowerPC_MemoryMapParams.bits64;
898 break;
899 case Triple::aarch64:
900 case Triple::aarch64_be:
901 MapParams = Linux_ARM_MemoryMapParams.bits64;
902 break;
903 default:
904 report_fatal_error("unsupported architecture");
905 }
906 break;
907 default:
908 report_fatal_error("unsupported operating system");
909 }
910 }
911
912 C = &(M.getContext());
913 IRBuilder<> IRB(*C);
914 IntptrTy = IRB.getIntPtrTy(DL);
915 OriginTy = IRB.getInt32Ty();
916
917 ColdCallWeights = MDBuilder(*C).createBranchWeights(1, 1000);
918 OriginStoreWeights = MDBuilder(*C).createBranchWeights(1, 1000);
919
920 if (!CompileKernel) {
921 std::tie(MsanCtorFunction, std::ignore) =
922 getOrCreateSanitizerCtorAndInitFunctions(
923 M, kMsanModuleCtorName, kMsanInitName,
924 /*InitArgTypes=*/{},
925 /*InitArgs=*/{},
926 // This callback is invoked when the functions are created the first
927 // time. Hook them into the global ctors list in that case:
928 [&](Function *Ctor, Function *) {
929 if (!ClWithComdat) {
930 appendToGlobalCtors(M, Ctor, 0);
931 return;
932 }
933 Comdat *MsanCtorComdat = M.getOrInsertComdat(kMsanModuleCtorName);
934 Ctor->setComdat(MsanCtorComdat);
935 appendToGlobalCtors(M, Ctor, 0, Ctor);
936 });
937
938 if (TrackOrigins)
939 M.getOrInsertGlobal("__msan_track_origins", IRB.getInt32Ty(), [&] {
940 return new GlobalVariable(
941 M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
942 IRB.getInt32(TrackOrigins), "__msan_track_origins");
943 });
944
945 if (Recover)
946 M.getOrInsertGlobal("__msan_keep_going", IRB.getInt32Ty(), [&] {
947 return new GlobalVariable(M, IRB.getInt32Ty(), true,
948 GlobalValue::WeakODRLinkage,
949 IRB.getInt32(Recover), "__msan_keep_going");
950 });
951 }
952 }
953
doInitialization(Module & M)954 bool MemorySanitizerLegacyPass::doInitialization(Module &M) {
955 MSan.emplace(M, TrackOrigins, Recover, EnableKmsan);
956 return true;
957 }
958
959 namespace {
960
961 /// A helper class that handles instrumentation of VarArg
962 /// functions on a particular platform.
963 ///
964 /// Implementations are expected to insert the instrumentation
965 /// necessary to propagate argument shadow through VarArg function
966 /// calls. Visit* methods are called during an InstVisitor pass over
967 /// the function, and should avoid creating new basic blocks. A new
968 /// instance of this class is created for each instrumented function.
969 struct VarArgHelper {
970 virtual ~VarArgHelper() = default;
971
972 /// Visit a CallSite.
973 virtual void visitCallSite(CallSite &CS, IRBuilder<> &IRB) = 0;
974
975 /// Visit a va_start call.
976 virtual void visitVAStartInst(VAStartInst &I) = 0;
977
978 /// Visit a va_copy call.
979 virtual void visitVACopyInst(VACopyInst &I) = 0;
980
981 /// Finalize function instrumentation.
982 ///
983 /// This method is called after visiting all interesting (see above)
984 /// instructions in a function.
985 virtual void finalizeInstrumentation() = 0;
986 };
987
988 struct MemorySanitizerVisitor;
989
990 } // end anonymous namespace
991
992 static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
993 MemorySanitizerVisitor &Visitor);
994
TypeSizeToSizeIndex(unsigned TypeSize)995 static unsigned TypeSizeToSizeIndex(unsigned TypeSize) {
996 if (TypeSize <= 8) return 0;
997 return Log2_32_Ceil((TypeSize + 7) / 8);
998 }
999
1000 namespace {
1001
1002 /// This class does all the work for a given function. Store and Load
1003 /// instructions store and load corresponding shadow and origin
1004 /// values. Most instructions propagate shadow from arguments to their
1005 /// return values. Certain instructions (most importantly, BranchInst)
1006 /// test their argument shadow and print reports (with a runtime call) if it's
1007 /// non-zero.
1008 struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
1009 Function &F;
1010 MemorySanitizer &MS;
1011 SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
1012 ValueMap<Value*, Value*> ShadowMap, OriginMap;
1013 std::unique_ptr<VarArgHelper> VAHelper;
1014 const TargetLibraryInfo *TLI;
1015 BasicBlock *ActualFnStart;
1016
1017 // The following flags disable parts of MSan instrumentation based on
1018 // blacklist contents and command-line options.
1019 bool InsertChecks;
1020 bool PropagateShadow;
1021 bool PoisonStack;
1022 bool PoisonUndef;
1023 bool CheckReturnValue;
1024
1025 struct ShadowOriginAndInsertPoint {
1026 Value *Shadow;
1027 Value *Origin;
1028 Instruction *OrigIns;
1029
ShadowOriginAndInsertPoint__anonfe2889270811::MemorySanitizerVisitor::ShadowOriginAndInsertPoint1030 ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
1031 : Shadow(S), Origin(O), OrigIns(I) {}
1032 };
1033 SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
1034 SmallVector<StoreInst *, 16> StoreList;
1035
MemorySanitizerVisitor__anonfe2889270811::MemorySanitizerVisitor1036 MemorySanitizerVisitor(Function &F, MemorySanitizer &MS,
1037 const TargetLibraryInfo &TLI)
1038 : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI) {
1039 bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeMemory);
1040 InsertChecks = SanitizeFunction;
1041 PropagateShadow = SanitizeFunction;
1042 PoisonStack = SanitizeFunction && ClPoisonStack;
1043 PoisonUndef = SanitizeFunction && ClPoisonUndef;
1044 // FIXME: Consider using SpecialCaseList to specify a list of functions that
1045 // must always return fully initialized values. For now, we hardcode "main".
1046 CheckReturnValue = SanitizeFunction && (F.getName() == "main");
1047
1048 MS.initializeCallbacks(*F.getParent());
1049 if (MS.CompileKernel)
1050 ActualFnStart = insertKmsanPrologue(F);
1051 else
1052 ActualFnStart = &F.getEntryBlock();
1053
1054 LLVM_DEBUG(if (!InsertChecks) dbgs()
1055 << "MemorySanitizer is not inserting checks into '"
1056 << F.getName() << "'\n");
1057 }
1058
updateOrigin__anonfe2889270811::MemorySanitizerVisitor1059 Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
1060 if (MS.TrackOrigins <= 1) return V;
1061 return IRB.CreateCall(MS.MsanChainOriginFn, V);
1062 }
1063
originToIntptr__anonfe2889270811::MemorySanitizerVisitor1064 Value *originToIntptr(IRBuilder<> &IRB, Value *Origin) {
1065 const DataLayout &DL = F.getParent()->getDataLayout();
1066 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1067 if (IntptrSize == kOriginSize) return Origin;
1068 assert(IntptrSize == kOriginSize * 2);
1069 Origin = IRB.CreateIntCast(Origin, MS.IntptrTy, /* isSigned */ false);
1070 return IRB.CreateOr(Origin, IRB.CreateShl(Origin, kOriginSize * 8));
1071 }
1072
1073 /// Fill memory range with the given origin value.
paintOrigin__anonfe2889270811::MemorySanitizerVisitor1074 void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *OriginPtr,
1075 unsigned Size, unsigned Alignment) {
1076 const DataLayout &DL = F.getParent()->getDataLayout();
1077 unsigned IntptrAlignment = DL.getABITypeAlignment(MS.IntptrTy);
1078 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1079 assert(IntptrAlignment >= kMinOriginAlignment);
1080 assert(IntptrSize >= kOriginSize);
1081
1082 unsigned Ofs = 0;
1083 unsigned CurrentAlignment = Alignment;
1084 if (Alignment >= IntptrAlignment && IntptrSize > kOriginSize) {
1085 Value *IntptrOrigin = originToIntptr(IRB, Origin);
1086 Value *IntptrOriginPtr =
1087 IRB.CreatePointerCast(OriginPtr, PointerType::get(MS.IntptrTy, 0));
1088 for (unsigned i = 0; i < Size / IntptrSize; ++i) {
1089 Value *Ptr = i ? IRB.CreateConstGEP1_32(MS.IntptrTy, IntptrOriginPtr, i)
1090 : IntptrOriginPtr;
1091 IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment);
1092 Ofs += IntptrSize / kOriginSize;
1093 CurrentAlignment = IntptrAlignment;
1094 }
1095 }
1096
1097 for (unsigned i = Ofs; i < (Size + kOriginSize - 1) / kOriginSize; ++i) {
1098 Value *GEP =
1099 i ? IRB.CreateConstGEP1_32(nullptr, OriginPtr, i) : OriginPtr;
1100 IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment);
1101 CurrentAlignment = kMinOriginAlignment;
1102 }
1103 }
1104
storeOrigin__anonfe2889270811::MemorySanitizerVisitor1105 void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
1106 Value *OriginPtr, unsigned Alignment, bool AsCall) {
1107 const DataLayout &DL = F.getParent()->getDataLayout();
1108 unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1109 unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
1110 if (Shadow->getType()->isAggregateType()) {
1111 paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
1112 OriginAlignment);
1113 } else {
1114 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
1115 Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow);
1116 if (ConstantShadow) {
1117 if (ClCheckConstantShadow && !ConstantShadow->isZeroValue())
1118 paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
1119 OriginAlignment);
1120 return;
1121 }
1122
1123 unsigned TypeSizeInBits =
1124 DL.getTypeSizeInBits(ConvertedShadow->getType());
1125 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1126 if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1127 Value *Fn = MS.MaybeStoreOriginFn[SizeIndex];
1128 Value *ConvertedShadow2 = IRB.CreateZExt(
1129 ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1130 IRB.CreateCall(Fn, {ConvertedShadow2,
1131 IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
1132 Origin});
1133 } else {
1134 Value *Cmp = IRB.CreateICmpNE(
1135 ConvertedShadow, getCleanShadow(ConvertedShadow), "_mscmp");
1136 Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1137 Cmp, &*IRB.GetInsertPoint(), false, MS.OriginStoreWeights);
1138 IRBuilder<> IRBNew(CheckTerm);
1139 paintOrigin(IRBNew, updateOrigin(Origin, IRBNew), OriginPtr, StoreSize,
1140 OriginAlignment);
1141 }
1142 }
1143 }
1144
materializeStores__anonfe2889270811::MemorySanitizerVisitor1145 void materializeStores(bool InstrumentWithCalls) {
1146 for (StoreInst *SI : StoreList) {
1147 IRBuilder<> IRB(SI);
1148 Value *Val = SI->getValueOperand();
1149 Value *Addr = SI->getPointerOperand();
1150 Value *Shadow = SI->isAtomic() ? getCleanShadow(Val) : getShadow(Val);
1151 Value *ShadowPtr, *OriginPtr;
1152 Type *ShadowTy = Shadow->getType();
1153 unsigned Alignment = SI->getAlignment();
1154 unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1155 std::tie(ShadowPtr, OriginPtr) =
1156 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ true);
1157
1158 StoreInst *NewSI = IRB.CreateAlignedStore(Shadow, ShadowPtr, Alignment);
1159 LLVM_DEBUG(dbgs() << " STORE: " << *NewSI << "\n");
1160 (void)NewSI;
1161
1162 if (SI->isAtomic())
1163 SI->setOrdering(addReleaseOrdering(SI->getOrdering()));
1164
1165 if (MS.TrackOrigins && !SI->isAtomic())
1166 storeOrigin(IRB, Addr, Shadow, getOrigin(Val), OriginPtr,
1167 OriginAlignment, InstrumentWithCalls);
1168 }
1169 }
1170
1171 /// Helper function to insert a warning at IRB's current insert point.
insertWarningFn__anonfe2889270811::MemorySanitizerVisitor1172 void insertWarningFn(IRBuilder<> &IRB, Value *Origin) {
1173 if (!Origin)
1174 Origin = (Value *)IRB.getInt32(0);
1175 if (MS.CompileKernel) {
1176 IRB.CreateCall(MS.WarningFn, Origin);
1177 } else {
1178 if (MS.TrackOrigins) {
1179 IRB.CreateStore(Origin, MS.OriginTLS);
1180 }
1181 IRB.CreateCall(MS.WarningFn, {});
1182 }
1183 IRB.CreateCall(MS.EmptyAsm, {});
1184 // FIXME: Insert UnreachableInst if !MS.Recover?
1185 // This may invalidate some of the following checks and needs to be done
1186 // at the very end.
1187 }
1188
materializeOneCheck__anonfe2889270811::MemorySanitizerVisitor1189 void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
1190 bool AsCall) {
1191 IRBuilder<> IRB(OrigIns);
1192 LLVM_DEBUG(dbgs() << " SHAD0 : " << *Shadow << "\n");
1193 Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
1194 LLVM_DEBUG(dbgs() << " SHAD1 : " << *ConvertedShadow << "\n");
1195
1196 Constant *ConstantShadow = dyn_cast_or_null<Constant>(ConvertedShadow);
1197 if (ConstantShadow) {
1198 if (ClCheckConstantShadow && !ConstantShadow->isZeroValue()) {
1199 insertWarningFn(IRB, Origin);
1200 }
1201 return;
1202 }
1203
1204 const DataLayout &DL = OrigIns->getModule()->getDataLayout();
1205
1206 unsigned TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
1207 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1208 if (AsCall && SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1209 Value *Fn = MS.MaybeWarningFn[SizeIndex];
1210 Value *ConvertedShadow2 =
1211 IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1212 IRB.CreateCall(Fn, {ConvertedShadow2, MS.TrackOrigins && Origin
1213 ? Origin
1214 : (Value *)IRB.getInt32(0)});
1215 } else {
1216 Value *Cmp = IRB.CreateICmpNE(ConvertedShadow,
1217 getCleanShadow(ConvertedShadow), "_mscmp");
1218 Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1219 Cmp, OrigIns,
1220 /* Unreachable */ !MS.Recover, MS.ColdCallWeights);
1221
1222 IRB.SetInsertPoint(CheckTerm);
1223 insertWarningFn(IRB, Origin);
1224 LLVM_DEBUG(dbgs() << " CHECK: " << *Cmp << "\n");
1225 }
1226 }
1227
materializeChecks__anonfe2889270811::MemorySanitizerVisitor1228 void materializeChecks(bool InstrumentWithCalls) {
1229 for (const auto &ShadowData : InstrumentationList) {
1230 Instruction *OrigIns = ShadowData.OrigIns;
1231 Value *Shadow = ShadowData.Shadow;
1232 Value *Origin = ShadowData.Origin;
1233 materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
1234 }
1235 LLVM_DEBUG(dbgs() << "DONE:\n" << F);
1236 }
1237
insertKmsanPrologue__anonfe2889270811::MemorySanitizerVisitor1238 BasicBlock *insertKmsanPrologue(Function &F) {
1239 BasicBlock *ret =
1240 SplitBlock(&F.getEntryBlock(), F.getEntryBlock().getFirstNonPHI());
1241 IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
1242 Value *ContextState = IRB.CreateCall(MS.MsanGetContextStateFn, {});
1243 Constant *Zero = IRB.getInt32(0);
1244 MS.ParamTLS =
1245 IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(0)}, "param_shadow");
1246 MS.RetvalTLS =
1247 IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(1)}, "retval_shadow");
1248 MS.VAArgTLS =
1249 IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(2)}, "va_arg_shadow");
1250 MS.VAArgOriginTLS =
1251 IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(3)}, "va_arg_origin");
1252 MS.VAArgOverflowSizeTLS = IRB.CreateGEP(
1253 ContextState, {Zero, IRB.getInt32(4)}, "va_arg_overflow_size");
1254 MS.ParamOriginTLS =
1255 IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(5)}, "param_origin");
1256 MS.RetvalOriginTLS =
1257 IRB.CreateGEP(ContextState, {Zero, IRB.getInt32(6)}, "retval_origin");
1258 return ret;
1259 }
1260
1261 /// Add MemorySanitizer instrumentation to a function.
runOnFunction__anonfe2889270811::MemorySanitizerVisitor1262 bool runOnFunction() {
1263 // In the presence of unreachable blocks, we may see Phi nodes with
1264 // incoming nodes from such blocks. Since InstVisitor skips unreachable
1265 // blocks, such nodes will not have any shadow value associated with them.
1266 // It's easier to remove unreachable blocks than deal with missing shadow.
1267 removeUnreachableBlocks(F);
1268
1269 // Iterate all BBs in depth-first order and create shadow instructions
1270 // for all instructions (where applicable).
1271 // For PHI nodes we create dummy shadow PHIs which will be finalized later.
1272 for (BasicBlock *BB : depth_first(ActualFnStart))
1273 visit(*BB);
1274
1275 // Finalize PHI nodes.
1276 for (PHINode *PN : ShadowPHINodes) {
1277 PHINode *PNS = cast<PHINode>(getShadow(PN));
1278 PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
1279 size_t NumValues = PN->getNumIncomingValues();
1280 for (size_t v = 0; v < NumValues; v++) {
1281 PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
1282 if (PNO) PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
1283 }
1284 }
1285
1286 VAHelper->finalizeInstrumentation();
1287
1288 bool InstrumentWithCalls = ClInstrumentationWithCallThreshold >= 0 &&
1289 InstrumentationList.size() + StoreList.size() >
1290 (unsigned)ClInstrumentationWithCallThreshold;
1291
1292 // Insert shadow value checks.
1293 materializeChecks(InstrumentWithCalls);
1294
1295 // Delayed instrumentation of StoreInst.
1296 // This may not add new address checks.
1297 materializeStores(InstrumentWithCalls);
1298
1299 return true;
1300 }
1301
1302 /// Compute the shadow type that corresponds to a given Value.
getShadowTy__anonfe2889270811::MemorySanitizerVisitor1303 Type *getShadowTy(Value *V) {
1304 return getShadowTy(V->getType());
1305 }
1306
1307 /// Compute the shadow type that corresponds to a given Type.
getShadowTy__anonfe2889270811::MemorySanitizerVisitor1308 Type *getShadowTy(Type *OrigTy) {
1309 if (!OrigTy->isSized()) {
1310 return nullptr;
1311 }
1312 // For integer type, shadow is the same as the original type.
1313 // This may return weird-sized types like i1.
1314 if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
1315 return IT;
1316 const DataLayout &DL = F.getParent()->getDataLayout();
1317 if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
1318 uint32_t EltSize = DL.getTypeSizeInBits(VT->getElementType());
1319 return VectorType::get(IntegerType::get(*MS.C, EltSize),
1320 VT->getNumElements());
1321 }
1322 if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) {
1323 return ArrayType::get(getShadowTy(AT->getElementType()),
1324 AT->getNumElements());
1325 }
1326 if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
1327 SmallVector<Type*, 4> Elements;
1328 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1329 Elements.push_back(getShadowTy(ST->getElementType(i)));
1330 StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
1331 LLVM_DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
1332 return Res;
1333 }
1334 uint32_t TypeSize = DL.getTypeSizeInBits(OrigTy);
1335 return IntegerType::get(*MS.C, TypeSize);
1336 }
1337
1338 /// Flatten a vector type.
getShadowTyNoVec__anonfe2889270811::MemorySanitizerVisitor1339 Type *getShadowTyNoVec(Type *ty) {
1340 if (VectorType *vt = dyn_cast<VectorType>(ty))
1341 return IntegerType::get(*MS.C, vt->getBitWidth());
1342 return ty;
1343 }
1344
1345 /// Convert a shadow value to it's flattened variant.
convertToShadowTyNoVec__anonfe2889270811::MemorySanitizerVisitor1346 Value *convertToShadowTyNoVec(Value *V, IRBuilder<> &IRB) {
1347 Type *Ty = V->getType();
1348 Type *NoVecTy = getShadowTyNoVec(Ty);
1349 if (Ty == NoVecTy) return V;
1350 return IRB.CreateBitCast(V, NoVecTy);
1351 }
1352
1353 /// Compute the integer shadow offset that corresponds to a given
1354 /// application address.
1355 ///
1356 /// Offset = (Addr & ~AndMask) ^ XorMask
getShadowPtrOffset__anonfe2889270811::MemorySanitizerVisitor1357 Value *getShadowPtrOffset(Value *Addr, IRBuilder<> &IRB) {
1358 Value *OffsetLong = IRB.CreatePointerCast(Addr, MS.IntptrTy);
1359
1360 uint64_t AndMask = MS.MapParams->AndMask;
1361 if (AndMask)
1362 OffsetLong =
1363 IRB.CreateAnd(OffsetLong, ConstantInt::get(MS.IntptrTy, ~AndMask));
1364
1365 uint64_t XorMask = MS.MapParams->XorMask;
1366 if (XorMask)
1367 OffsetLong =
1368 IRB.CreateXor(OffsetLong, ConstantInt::get(MS.IntptrTy, XorMask));
1369 return OffsetLong;
1370 }
1371
1372 /// Compute the shadow and origin addresses corresponding to a given
1373 /// application address.
1374 ///
1375 /// Shadow = ShadowBase + Offset
1376 /// Origin = (OriginBase + Offset) & ~3ULL
getShadowOriginPtrUserspace__anonfe2889270811::MemorySanitizerVisitor1377 std::pair<Value *, Value *> getShadowOriginPtrUserspace(Value *Addr,
1378 IRBuilder<> &IRB,
1379 Type *ShadowTy,
1380 unsigned Alignment) {
1381 Value *ShadowOffset = getShadowPtrOffset(Addr, IRB);
1382 Value *ShadowLong = ShadowOffset;
1383 uint64_t ShadowBase = MS.MapParams->ShadowBase;
1384 if (ShadowBase != 0) {
1385 ShadowLong =
1386 IRB.CreateAdd(ShadowLong,
1387 ConstantInt::get(MS.IntptrTy, ShadowBase));
1388 }
1389 Value *ShadowPtr =
1390 IRB.CreateIntToPtr(ShadowLong, PointerType::get(ShadowTy, 0));
1391 Value *OriginPtr = nullptr;
1392 if (MS.TrackOrigins) {
1393 Value *OriginLong = ShadowOffset;
1394 uint64_t OriginBase = MS.MapParams->OriginBase;
1395 if (OriginBase != 0)
1396 OriginLong = IRB.CreateAdd(OriginLong,
1397 ConstantInt::get(MS.IntptrTy, OriginBase));
1398 if (Alignment < kMinOriginAlignment) {
1399 uint64_t Mask = kMinOriginAlignment - 1;
1400 OriginLong =
1401 IRB.CreateAnd(OriginLong, ConstantInt::get(MS.IntptrTy, ~Mask));
1402 }
1403 OriginPtr =
1404 IRB.CreateIntToPtr(OriginLong, PointerType::get(IRB.getInt32Ty(), 0));
1405 }
1406 return std::make_pair(ShadowPtr, OriginPtr);
1407 }
1408
1409 std::pair<Value *, Value *>
getShadowOriginPtrKernel__anonfe2889270811::MemorySanitizerVisitor1410 getShadowOriginPtrKernel(Value *Addr, IRBuilder<> &IRB, Type *ShadowTy,
1411 unsigned Alignment, bool isStore) {
1412 Value *ShadowOriginPtrs;
1413 const DataLayout &DL = F.getParent()->getDataLayout();
1414 int Size = DL.getTypeStoreSize(ShadowTy);
1415
1416 Value *Getter = MS.getKmsanShadowOriginAccessFn(isStore, Size);
1417 Value *AddrCast =
1418 IRB.CreatePointerCast(Addr, PointerType::get(IRB.getInt8Ty(), 0));
1419 if (Getter) {
1420 ShadowOriginPtrs = IRB.CreateCall(Getter, AddrCast);
1421 } else {
1422 Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
1423 ShadowOriginPtrs = IRB.CreateCall(isStore ? MS.MsanMetadataPtrForStoreN
1424 : MS.MsanMetadataPtrForLoadN,
1425 {AddrCast, SizeVal});
1426 }
1427 Value *ShadowPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 0);
1428 ShadowPtr = IRB.CreatePointerCast(ShadowPtr, PointerType::get(ShadowTy, 0));
1429 Value *OriginPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 1);
1430
1431 return std::make_pair(ShadowPtr, OriginPtr);
1432 }
1433
getShadowOriginPtr__anonfe2889270811::MemorySanitizerVisitor1434 std::pair<Value *, Value *> getShadowOriginPtr(Value *Addr, IRBuilder<> &IRB,
1435 Type *ShadowTy,
1436 unsigned Alignment,
1437 bool isStore) {
1438 std::pair<Value *, Value *> ret;
1439 if (MS.CompileKernel)
1440 ret = getShadowOriginPtrKernel(Addr, IRB, ShadowTy, Alignment, isStore);
1441 else
1442 ret = getShadowOriginPtrUserspace(Addr, IRB, ShadowTy, Alignment);
1443 return ret;
1444 }
1445
1446 /// Compute the shadow address for a given function argument.
1447 ///
1448 /// Shadow = ParamTLS+ArgOffset.
getShadowPtrForArgument__anonfe2889270811::MemorySanitizerVisitor1449 Value *getShadowPtrForArgument(Value *A, IRBuilder<> &IRB,
1450 int ArgOffset) {
1451 Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
1452 if (ArgOffset)
1453 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1454 return IRB.CreateIntToPtr(Base, PointerType::get(getShadowTy(A), 0),
1455 "_msarg");
1456 }
1457
1458 /// Compute the origin address for a given function argument.
getOriginPtrForArgument__anonfe2889270811::MemorySanitizerVisitor1459 Value *getOriginPtrForArgument(Value *A, IRBuilder<> &IRB,
1460 int ArgOffset) {
1461 if (!MS.TrackOrigins)
1462 return nullptr;
1463 Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
1464 if (ArgOffset)
1465 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1466 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
1467 "_msarg_o");
1468 }
1469
1470 /// Compute the shadow address for a retval.
getShadowPtrForRetval__anonfe2889270811::MemorySanitizerVisitor1471 Value *getShadowPtrForRetval(Value *A, IRBuilder<> &IRB) {
1472 return IRB.CreatePointerCast(MS.RetvalTLS,
1473 PointerType::get(getShadowTy(A), 0),
1474 "_msret");
1475 }
1476
1477 /// Compute the origin address for a retval.
getOriginPtrForRetval__anonfe2889270811::MemorySanitizerVisitor1478 Value *getOriginPtrForRetval(IRBuilder<> &IRB) {
1479 // We keep a single origin for the entire retval. Might be too optimistic.
1480 return MS.RetvalOriginTLS;
1481 }
1482
1483 /// Set SV to be the shadow value for V.
setShadow__anonfe2889270811::MemorySanitizerVisitor1484 void setShadow(Value *V, Value *SV) {
1485 assert(!ShadowMap.count(V) && "Values may only have one shadow");
1486 ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V);
1487 }
1488
1489 /// Set Origin to be the origin value for V.
setOrigin__anonfe2889270811::MemorySanitizerVisitor1490 void setOrigin(Value *V, Value *Origin) {
1491 if (!MS.TrackOrigins) return;
1492 assert(!OriginMap.count(V) && "Values may only have one origin");
1493 LLVM_DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n");
1494 OriginMap[V] = Origin;
1495 }
1496
getCleanShadow__anonfe2889270811::MemorySanitizerVisitor1497 Constant *getCleanShadow(Type *OrigTy) {
1498 Type *ShadowTy = getShadowTy(OrigTy);
1499 if (!ShadowTy)
1500 return nullptr;
1501 return Constant::getNullValue(ShadowTy);
1502 }
1503
1504 /// Create a clean shadow value for a given value.
1505 ///
1506 /// Clean shadow (all zeroes) means all bits of the value are defined
1507 /// (initialized).
getCleanShadow__anonfe2889270811::MemorySanitizerVisitor1508 Constant *getCleanShadow(Value *V) {
1509 return getCleanShadow(V->getType());
1510 }
1511
1512 /// Create a dirty shadow of a given shadow type.
getPoisonedShadow__anonfe2889270811::MemorySanitizerVisitor1513 Constant *getPoisonedShadow(Type *ShadowTy) {
1514 assert(ShadowTy);
1515 if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
1516 return Constant::getAllOnesValue(ShadowTy);
1517 if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) {
1518 SmallVector<Constant *, 4> Vals(AT->getNumElements(),
1519 getPoisonedShadow(AT->getElementType()));
1520 return ConstantArray::get(AT, Vals);
1521 }
1522 if (StructType *ST = dyn_cast<StructType>(ShadowTy)) {
1523 SmallVector<Constant *, 4> Vals;
1524 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1525 Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
1526 return ConstantStruct::get(ST, Vals);
1527 }
1528 llvm_unreachable("Unexpected shadow type");
1529 }
1530
1531 /// Create a dirty shadow for a given value.
getPoisonedShadow__anonfe2889270811::MemorySanitizerVisitor1532 Constant *getPoisonedShadow(Value *V) {
1533 Type *ShadowTy = getShadowTy(V);
1534 if (!ShadowTy)
1535 return nullptr;
1536 return getPoisonedShadow(ShadowTy);
1537 }
1538
1539 /// Create a clean (zero) origin.
getCleanOrigin__anonfe2889270811::MemorySanitizerVisitor1540 Value *getCleanOrigin() {
1541 return Constant::getNullValue(MS.OriginTy);
1542 }
1543
1544 /// Get the shadow value for a given Value.
1545 ///
1546 /// This function either returns the value set earlier with setShadow,
1547 /// or extracts if from ParamTLS (for function arguments).
getShadow__anonfe2889270811::MemorySanitizerVisitor1548 Value *getShadow(Value *V) {
1549 if (!PropagateShadow) return getCleanShadow(V);
1550 if (Instruction *I = dyn_cast<Instruction>(V)) {
1551 if (I->getMetadata("nosanitize"))
1552 return getCleanShadow(V);
1553 // For instructions the shadow is already stored in the map.
1554 Value *Shadow = ShadowMap[V];
1555 if (!Shadow) {
1556 LLVM_DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
1557 (void)I;
1558 assert(Shadow && "No shadow for a value");
1559 }
1560 return Shadow;
1561 }
1562 if (UndefValue *U = dyn_cast<UndefValue>(V)) {
1563 Value *AllOnes = PoisonUndef ? getPoisonedShadow(V) : getCleanShadow(V);
1564 LLVM_DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
1565 (void)U;
1566 return AllOnes;
1567 }
1568 if (Argument *A = dyn_cast<Argument>(V)) {
1569 // For arguments we compute the shadow on demand and store it in the map.
1570 Value **ShadowPtr = &ShadowMap[V];
1571 if (*ShadowPtr)
1572 return *ShadowPtr;
1573 Function *F = A->getParent();
1574 IRBuilder<> EntryIRB(ActualFnStart->getFirstNonPHI());
1575 unsigned ArgOffset = 0;
1576 const DataLayout &DL = F->getParent()->getDataLayout();
1577 for (auto &FArg : F->args()) {
1578 if (!FArg.getType()->isSized()) {
1579 LLVM_DEBUG(dbgs() << "Arg is not sized\n");
1580 continue;
1581 }
1582 unsigned Size =
1583 FArg.hasByValAttr()
1584 ? DL.getTypeAllocSize(FArg.getType()->getPointerElementType())
1585 : DL.getTypeAllocSize(FArg.getType());
1586 if (A == &FArg) {
1587 bool Overflow = ArgOffset + Size > kParamTLSSize;
1588 Value *Base = getShadowPtrForArgument(&FArg, EntryIRB, ArgOffset);
1589 if (FArg.hasByValAttr()) {
1590 // ByVal pointer itself has clean shadow. We copy the actual
1591 // argument shadow to the underlying memory.
1592 // Figure out maximal valid memcpy alignment.
1593 unsigned ArgAlign = FArg.getParamAlignment();
1594 if (ArgAlign == 0) {
1595 Type *EltType = A->getType()->getPointerElementType();
1596 ArgAlign = DL.getABITypeAlignment(EltType);
1597 }
1598 Value *CpShadowPtr =
1599 getShadowOriginPtr(V, EntryIRB, EntryIRB.getInt8Ty(), ArgAlign,
1600 /*isStore*/ true)
1601 .first;
1602 // TODO(glider): need to copy origins.
1603 if (Overflow) {
1604 // ParamTLS overflow.
1605 EntryIRB.CreateMemSet(
1606 CpShadowPtr, Constant::getNullValue(EntryIRB.getInt8Ty()),
1607 Size, ArgAlign);
1608 } else {
1609 unsigned CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
1610 Value *Cpy = EntryIRB.CreateMemCpy(CpShadowPtr, CopyAlign, Base,
1611 CopyAlign, Size);
1612 LLVM_DEBUG(dbgs() << " ByValCpy: " << *Cpy << "\n");
1613 (void)Cpy;
1614 }
1615 *ShadowPtr = getCleanShadow(V);
1616 } else {
1617 if (Overflow) {
1618 // ParamTLS overflow.
1619 *ShadowPtr = getCleanShadow(V);
1620 } else {
1621 *ShadowPtr =
1622 EntryIRB.CreateAlignedLoad(Base, kShadowTLSAlignment);
1623 }
1624 }
1625 LLVM_DEBUG(dbgs()
1626 << " ARG: " << FArg << " ==> " << **ShadowPtr << "\n");
1627 if (MS.TrackOrigins && !Overflow) {
1628 Value *OriginPtr =
1629 getOriginPtrForArgument(&FArg, EntryIRB, ArgOffset);
1630 setOrigin(A, EntryIRB.CreateLoad(OriginPtr));
1631 } else {
1632 setOrigin(A, getCleanOrigin());
1633 }
1634 }
1635 ArgOffset += alignTo(Size, kShadowTLSAlignment);
1636 }
1637 assert(*ShadowPtr && "Could not find shadow for an argument");
1638 return *ShadowPtr;
1639 }
1640 // For everything else the shadow is zero.
1641 return getCleanShadow(V);
1642 }
1643
1644 /// Get the shadow for i-th argument of the instruction I.
getShadow__anonfe2889270811::MemorySanitizerVisitor1645 Value *getShadow(Instruction *I, int i) {
1646 return getShadow(I->getOperand(i));
1647 }
1648
1649 /// Get the origin for a value.
getOrigin__anonfe2889270811::MemorySanitizerVisitor1650 Value *getOrigin(Value *V) {
1651 if (!MS.TrackOrigins) return nullptr;
1652 if (!PropagateShadow) return getCleanOrigin();
1653 if (isa<Constant>(V)) return getCleanOrigin();
1654 assert((isa<Instruction>(V) || isa<Argument>(V)) &&
1655 "Unexpected value type in getOrigin()");
1656 if (Instruction *I = dyn_cast<Instruction>(V)) {
1657 if (I->getMetadata("nosanitize"))
1658 return getCleanOrigin();
1659 }
1660 Value *Origin = OriginMap[V];
1661 assert(Origin && "Missing origin");
1662 return Origin;
1663 }
1664
1665 /// Get the origin for i-th argument of the instruction I.
getOrigin__anonfe2889270811::MemorySanitizerVisitor1666 Value *getOrigin(Instruction *I, int i) {
1667 return getOrigin(I->getOperand(i));
1668 }
1669
1670 /// Remember the place where a shadow check should be inserted.
1671 ///
1672 /// This location will be later instrumented with a check that will print a
1673 /// UMR warning in runtime if the shadow value is not 0.
insertShadowCheck__anonfe2889270811::MemorySanitizerVisitor1674 void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
1675 assert(Shadow);
1676 if (!InsertChecks) return;
1677 #ifndef NDEBUG
1678 Type *ShadowTy = Shadow->getType();
1679 assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy)) &&
1680 "Can only insert checks for integer and vector shadow types");
1681 #endif
1682 InstrumentationList.push_back(
1683 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
1684 }
1685
1686 /// Remember the place where a shadow check should be inserted.
1687 ///
1688 /// This location will be later instrumented with a check that will print a
1689 /// UMR warning in runtime if the value is not fully defined.
insertShadowCheck__anonfe2889270811::MemorySanitizerVisitor1690 void insertShadowCheck(Value *Val, Instruction *OrigIns) {
1691 assert(Val);
1692 Value *Shadow, *Origin;
1693 if (ClCheckConstantShadow) {
1694 Shadow = getShadow(Val);
1695 if (!Shadow) return;
1696 Origin = getOrigin(Val);
1697 } else {
1698 Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
1699 if (!Shadow) return;
1700 Origin = dyn_cast_or_null<Instruction>(getOrigin(Val));
1701 }
1702 insertShadowCheck(Shadow, Origin, OrigIns);
1703 }
1704
addReleaseOrdering__anonfe2889270811::MemorySanitizerVisitor1705 AtomicOrdering addReleaseOrdering(AtomicOrdering a) {
1706 switch (a) {
1707 case AtomicOrdering::NotAtomic:
1708 return AtomicOrdering::NotAtomic;
1709 case AtomicOrdering::Unordered:
1710 case AtomicOrdering::Monotonic:
1711 case AtomicOrdering::Release:
1712 return AtomicOrdering::Release;
1713 case AtomicOrdering::Acquire:
1714 case AtomicOrdering::AcquireRelease:
1715 return AtomicOrdering::AcquireRelease;
1716 case AtomicOrdering::SequentiallyConsistent:
1717 return AtomicOrdering::SequentiallyConsistent;
1718 }
1719 llvm_unreachable("Unknown ordering");
1720 }
1721
addAcquireOrdering__anonfe2889270811::MemorySanitizerVisitor1722 AtomicOrdering addAcquireOrdering(AtomicOrdering a) {
1723 switch (a) {
1724 case AtomicOrdering::NotAtomic:
1725 return AtomicOrdering::NotAtomic;
1726 case AtomicOrdering::Unordered:
1727 case AtomicOrdering::Monotonic:
1728 case AtomicOrdering::Acquire:
1729 return AtomicOrdering::Acquire;
1730 case AtomicOrdering::Release:
1731 case AtomicOrdering::AcquireRelease:
1732 return AtomicOrdering::AcquireRelease;
1733 case AtomicOrdering::SequentiallyConsistent:
1734 return AtomicOrdering::SequentiallyConsistent;
1735 }
1736 llvm_unreachable("Unknown ordering");
1737 }
1738
1739 // ------------------- Visitors.
1740 using InstVisitor<MemorySanitizerVisitor>::visit;
visit__anonfe2889270811::MemorySanitizerVisitor1741 void visit(Instruction &I) {
1742 if (!I.getMetadata("nosanitize"))
1743 InstVisitor<MemorySanitizerVisitor>::visit(I);
1744 }
1745
1746 /// Instrument LoadInst
1747 ///
1748 /// Loads the corresponding shadow and (optionally) origin.
1749 /// Optionally, checks that the load address is fully defined.
visitLoadInst__anonfe2889270811::MemorySanitizerVisitor1750 void visitLoadInst(LoadInst &I) {
1751 assert(I.getType()->isSized() && "Load type must have size");
1752 assert(!I.getMetadata("nosanitize"));
1753 IRBuilder<> IRB(I.getNextNode());
1754 Type *ShadowTy = getShadowTy(&I);
1755 Value *Addr = I.getPointerOperand();
1756 Value *ShadowPtr, *OriginPtr;
1757 unsigned Alignment = I.getAlignment();
1758 if (PropagateShadow) {
1759 std::tie(ShadowPtr, OriginPtr) =
1760 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
1761 setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, Alignment, "_msld"));
1762 } else {
1763 setShadow(&I, getCleanShadow(&I));
1764 }
1765
1766 if (ClCheckAccessAddress)
1767 insertShadowCheck(I.getPointerOperand(), &I);
1768
1769 if (I.isAtomic())
1770 I.setOrdering(addAcquireOrdering(I.getOrdering()));
1771
1772 if (MS.TrackOrigins) {
1773 if (PropagateShadow) {
1774 unsigned OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1775 setOrigin(&I, IRB.CreateAlignedLoad(OriginPtr, OriginAlignment));
1776 } else {
1777 setOrigin(&I, getCleanOrigin());
1778 }
1779 }
1780 }
1781
1782 /// Instrument StoreInst
1783 ///
1784 /// Stores the corresponding shadow and (optionally) origin.
1785 /// Optionally, checks that the store address is fully defined.
visitStoreInst__anonfe2889270811::MemorySanitizerVisitor1786 void visitStoreInst(StoreInst &I) {
1787 StoreList.push_back(&I);
1788 if (ClCheckAccessAddress)
1789 insertShadowCheck(I.getPointerOperand(), &I);
1790 }
1791
handleCASOrRMW__anonfe2889270811::MemorySanitizerVisitor1792 void handleCASOrRMW(Instruction &I) {
1793 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I));
1794
1795 IRBuilder<> IRB(&I);
1796 Value *Addr = I.getOperand(0);
1797 Value *ShadowPtr = getShadowOriginPtr(Addr, IRB, I.getType(),
1798 /*Alignment*/ 1, /*isStore*/ true)
1799 .first;
1800
1801 if (ClCheckAccessAddress)
1802 insertShadowCheck(Addr, &I);
1803
1804 // Only test the conditional argument of cmpxchg instruction.
1805 // The other argument can potentially be uninitialized, but we can not
1806 // detect this situation reliably without possible false positives.
1807 if (isa<AtomicCmpXchgInst>(I))
1808 insertShadowCheck(I.getOperand(1), &I);
1809
1810 IRB.CreateStore(getCleanShadow(&I), ShadowPtr);
1811
1812 setShadow(&I, getCleanShadow(&I));
1813 setOrigin(&I, getCleanOrigin());
1814 }
1815
visitAtomicRMWInst__anonfe2889270811::MemorySanitizerVisitor1816 void visitAtomicRMWInst(AtomicRMWInst &I) {
1817 handleCASOrRMW(I);
1818 I.setOrdering(addReleaseOrdering(I.getOrdering()));
1819 }
1820
visitAtomicCmpXchgInst__anonfe2889270811::MemorySanitizerVisitor1821 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) {
1822 handleCASOrRMW(I);
1823 I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering()));
1824 }
1825
1826 // Vector manipulation.
visitExtractElementInst__anonfe2889270811::MemorySanitizerVisitor1827 void visitExtractElementInst(ExtractElementInst &I) {
1828 insertShadowCheck(I.getOperand(1), &I);
1829 IRBuilder<> IRB(&I);
1830 setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1),
1831 "_msprop"));
1832 setOrigin(&I, getOrigin(&I, 0));
1833 }
1834
visitInsertElementInst__anonfe2889270811::MemorySanitizerVisitor1835 void visitInsertElementInst(InsertElementInst &I) {
1836 insertShadowCheck(I.getOperand(2), &I);
1837 IRBuilder<> IRB(&I);
1838 setShadow(&I, IRB.CreateInsertElement(getShadow(&I, 0), getShadow(&I, 1),
1839 I.getOperand(2), "_msprop"));
1840 setOriginForNaryOp(I);
1841 }
1842
visitShuffleVectorInst__anonfe2889270811::MemorySanitizerVisitor1843 void visitShuffleVectorInst(ShuffleVectorInst &I) {
1844 insertShadowCheck(I.getOperand(2), &I);
1845 IRBuilder<> IRB(&I);
1846 setShadow(&I, IRB.CreateShuffleVector(getShadow(&I, 0), getShadow(&I, 1),
1847 I.getOperand(2), "_msprop"));
1848 setOriginForNaryOp(I);
1849 }
1850
1851 // Casts.
visitSExtInst__anonfe2889270811::MemorySanitizerVisitor1852 void visitSExtInst(SExtInst &I) {
1853 IRBuilder<> IRB(&I);
1854 setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop"));
1855 setOrigin(&I, getOrigin(&I, 0));
1856 }
1857
visitZExtInst__anonfe2889270811::MemorySanitizerVisitor1858 void visitZExtInst(ZExtInst &I) {
1859 IRBuilder<> IRB(&I);
1860 setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop"));
1861 setOrigin(&I, getOrigin(&I, 0));
1862 }
1863
visitTruncInst__anonfe2889270811::MemorySanitizerVisitor1864 void visitTruncInst(TruncInst &I) {
1865 IRBuilder<> IRB(&I);
1866 setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop"));
1867 setOrigin(&I, getOrigin(&I, 0));
1868 }
1869
visitBitCastInst__anonfe2889270811::MemorySanitizerVisitor1870 void visitBitCastInst(BitCastInst &I) {
1871 // Special case: if this is the bitcast (there is exactly 1 allowed) between
1872 // a musttail call and a ret, don't instrument. New instructions are not
1873 // allowed after a musttail call.
1874 if (auto *CI = dyn_cast<CallInst>(I.getOperand(0)))
1875 if (CI->isMustTailCall())
1876 return;
1877 IRBuilder<> IRB(&I);
1878 setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I)));
1879 setOrigin(&I, getOrigin(&I, 0));
1880 }
1881
visitPtrToIntInst__anonfe2889270811::MemorySanitizerVisitor1882 void visitPtrToIntInst(PtrToIntInst &I) {
1883 IRBuilder<> IRB(&I);
1884 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
1885 "_msprop_ptrtoint"));
1886 setOrigin(&I, getOrigin(&I, 0));
1887 }
1888
visitIntToPtrInst__anonfe2889270811::MemorySanitizerVisitor1889 void visitIntToPtrInst(IntToPtrInst &I) {
1890 IRBuilder<> IRB(&I);
1891 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
1892 "_msprop_inttoptr"));
1893 setOrigin(&I, getOrigin(&I, 0));
1894 }
1895
visitFPToSIInst__anonfe2889270811::MemorySanitizerVisitor1896 void visitFPToSIInst(CastInst& I) { handleShadowOr(I); }
visitFPToUIInst__anonfe2889270811::MemorySanitizerVisitor1897 void visitFPToUIInst(CastInst& I) { handleShadowOr(I); }
visitSIToFPInst__anonfe2889270811::MemorySanitizerVisitor1898 void visitSIToFPInst(CastInst& I) { handleShadowOr(I); }
visitUIToFPInst__anonfe2889270811::MemorySanitizerVisitor1899 void visitUIToFPInst(CastInst& I) { handleShadowOr(I); }
visitFPExtInst__anonfe2889270811::MemorySanitizerVisitor1900 void visitFPExtInst(CastInst& I) { handleShadowOr(I); }
visitFPTruncInst__anonfe2889270811::MemorySanitizerVisitor1901 void visitFPTruncInst(CastInst& I) { handleShadowOr(I); }
1902
1903 /// Propagate shadow for bitwise AND.
1904 ///
1905 /// This code is exact, i.e. if, for example, a bit in the left argument
1906 /// is defined and 0, then neither the value not definedness of the
1907 /// corresponding bit in B don't affect the resulting shadow.
visitAnd__anonfe2889270811::MemorySanitizerVisitor1908 void visitAnd(BinaryOperator &I) {
1909 IRBuilder<> IRB(&I);
1910 // "And" of 0 and a poisoned value results in unpoisoned value.
1911 // 1&1 => 1; 0&1 => 0; p&1 => p;
1912 // 1&0 => 0; 0&0 => 0; p&0 => 0;
1913 // 1&p => p; 0&p => 0; p&p => p;
1914 // S = (S1 & S2) | (V1 & S2) | (S1 & V2)
1915 Value *S1 = getShadow(&I, 0);
1916 Value *S2 = getShadow(&I, 1);
1917 Value *V1 = I.getOperand(0);
1918 Value *V2 = I.getOperand(1);
1919 if (V1->getType() != S1->getType()) {
1920 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
1921 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
1922 }
1923 Value *S1S2 = IRB.CreateAnd(S1, S2);
1924 Value *V1S2 = IRB.CreateAnd(V1, S2);
1925 Value *S1V2 = IRB.CreateAnd(S1, V2);
1926 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
1927 setOriginForNaryOp(I);
1928 }
1929
visitOr__anonfe2889270811::MemorySanitizerVisitor1930 void visitOr(BinaryOperator &I) {
1931 IRBuilder<> IRB(&I);
1932 // "Or" of 1 and a poisoned value results in unpoisoned value.
1933 // 1|1 => 1; 0|1 => 1; p|1 => 1;
1934 // 1|0 => 1; 0|0 => 0; p|0 => p;
1935 // 1|p => 1; 0|p => p; p|p => p;
1936 // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
1937 Value *S1 = getShadow(&I, 0);
1938 Value *S2 = getShadow(&I, 1);
1939 Value *V1 = IRB.CreateNot(I.getOperand(0));
1940 Value *V2 = IRB.CreateNot(I.getOperand(1));
1941 if (V1->getType() != S1->getType()) {
1942 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
1943 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
1944 }
1945 Value *S1S2 = IRB.CreateAnd(S1, S2);
1946 Value *V1S2 = IRB.CreateAnd(V1, S2);
1947 Value *S1V2 = IRB.CreateAnd(S1, V2);
1948 setShadow(&I, IRB.CreateOr(S1S2, IRB.CreateOr(V1S2, S1V2)));
1949 setOriginForNaryOp(I);
1950 }
1951
1952 /// Default propagation of shadow and/or origin.
1953 ///
1954 /// This class implements the general case of shadow propagation, used in all
1955 /// cases where we don't know and/or don't care about what the operation
1956 /// actually does. It converts all input shadow values to a common type
1957 /// (extending or truncating as necessary), and bitwise OR's them.
1958 ///
1959 /// This is much cheaper than inserting checks (i.e. requiring inputs to be
1960 /// fully initialized), and less prone to false positives.
1961 ///
1962 /// This class also implements the general case of origin propagation. For a
1963 /// Nary operation, result origin is set to the origin of an argument that is
1964 /// not entirely initialized. If there is more than one such arguments, the
1965 /// rightmost of them is picked. It does not matter which one is picked if all
1966 /// arguments are initialized.
1967 template <bool CombineShadow>
1968 class Combiner {
1969 Value *Shadow = nullptr;
1970 Value *Origin = nullptr;
1971 IRBuilder<> &IRB;
1972 MemorySanitizerVisitor *MSV;
1973
1974 public:
Combiner(MemorySanitizerVisitor * MSV,IRBuilder<> & IRB)1975 Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB)
1976 : IRB(IRB), MSV(MSV) {}
1977
1978 /// Add a pair of shadow and origin values to the mix.
Add(Value * OpShadow,Value * OpOrigin)1979 Combiner &Add(Value *OpShadow, Value *OpOrigin) {
1980 if (CombineShadow) {
1981 assert(OpShadow);
1982 if (!Shadow)
1983 Shadow = OpShadow;
1984 else {
1985 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
1986 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
1987 }
1988 }
1989
1990 if (MSV->MS.TrackOrigins) {
1991 assert(OpOrigin);
1992 if (!Origin) {
1993 Origin = OpOrigin;
1994 } else {
1995 Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin);
1996 // No point in adding something that might result in 0 origin value.
1997 if (!ConstOrigin || !ConstOrigin->isNullValue()) {
1998 Value *FlatShadow = MSV->convertToShadowTyNoVec(OpShadow, IRB);
1999 Value *Cond =
2000 IRB.CreateICmpNE(FlatShadow, MSV->getCleanShadow(FlatShadow));
2001 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin);
2002 }
2003 }
2004 }
2005 return *this;
2006 }
2007
2008 /// Add an application value to the mix.
Add(Value * V)2009 Combiner &Add(Value *V) {
2010 Value *OpShadow = MSV->getShadow(V);
2011 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr;
2012 return Add(OpShadow, OpOrigin);
2013 }
2014
2015 /// Set the current combined values as the given instruction's shadow
2016 /// and origin.
Done(Instruction * I)2017 void Done(Instruction *I) {
2018 if (CombineShadow) {
2019 assert(Shadow);
2020 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
2021 MSV->setShadow(I, Shadow);
2022 }
2023 if (MSV->MS.TrackOrigins) {
2024 assert(Origin);
2025 MSV->setOrigin(I, Origin);
2026 }
2027 }
2028 };
2029
2030 using ShadowAndOriginCombiner = Combiner<true>;
2031 using OriginCombiner = Combiner<false>;
2032
2033 /// Propagate origin for arbitrary operation.
setOriginForNaryOp__anonfe2889270811::MemorySanitizerVisitor2034 void setOriginForNaryOp(Instruction &I) {
2035 if (!MS.TrackOrigins) return;
2036 IRBuilder<> IRB(&I);
2037 OriginCombiner OC(this, IRB);
2038 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI)
2039 OC.Add(OI->get());
2040 OC.Done(&I);
2041 }
2042
VectorOrPrimitiveTypeSizeInBits__anonfe2889270811::MemorySanitizerVisitor2043 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) {
2044 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) &&
2045 "Vector of pointers is not a valid shadow type");
2046 return Ty->isVectorTy() ?
2047 Ty->getVectorNumElements() * Ty->getScalarSizeInBits() :
2048 Ty->getPrimitiveSizeInBits();
2049 }
2050
2051 /// Cast between two shadow types, extending or truncating as
2052 /// necessary.
CreateShadowCast__anonfe2889270811::MemorySanitizerVisitor2053 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy,
2054 bool Signed = false) {
2055 Type *srcTy = V->getType();
2056 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy);
2057 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy);
2058 if (srcSizeInBits > 1 && dstSizeInBits == 1)
2059 return IRB.CreateICmpNE(V, getCleanShadow(V));
2060
2061 if (dstTy->isIntegerTy() && srcTy->isIntegerTy())
2062 return IRB.CreateIntCast(V, dstTy, Signed);
2063 if (dstTy->isVectorTy() && srcTy->isVectorTy() &&
2064 dstTy->getVectorNumElements() == srcTy->getVectorNumElements())
2065 return IRB.CreateIntCast(V, dstTy, Signed);
2066 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits));
2067 Value *V2 =
2068 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed);
2069 return IRB.CreateBitCast(V2, dstTy);
2070 // TODO: handle struct types.
2071 }
2072
2073 /// Cast an application value to the type of its own shadow.
CreateAppToShadowCast__anonfe2889270811::MemorySanitizerVisitor2074 Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) {
2075 Type *ShadowTy = getShadowTy(V);
2076 if (V->getType() == ShadowTy)
2077 return V;
2078 if (V->getType()->isPtrOrPtrVectorTy())
2079 return IRB.CreatePtrToInt(V, ShadowTy);
2080 else
2081 return IRB.CreateBitCast(V, ShadowTy);
2082 }
2083
2084 /// Propagate shadow for arbitrary operation.
handleShadowOr__anonfe2889270811::MemorySanitizerVisitor2085 void handleShadowOr(Instruction &I) {
2086 IRBuilder<> IRB(&I);
2087 ShadowAndOriginCombiner SC(this, IRB);
2088 for (Instruction::op_iterator OI = I.op_begin(); OI != I.op_end(); ++OI)
2089 SC.Add(OI->get());
2090 SC.Done(&I);
2091 }
2092
2093 // Handle multiplication by constant.
2094 //
2095 // Handle a special case of multiplication by constant that may have one or
2096 // more zeros in the lower bits. This makes corresponding number of lower bits
2097 // of the result zero as well. We model it by shifting the other operand
2098 // shadow left by the required number of bits. Effectively, we transform
2099 // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B).
2100 // We use multiplication by 2**N instead of shift to cover the case of
2101 // multiplication by 0, which may occur in some elements of a vector operand.
handleMulByConstant__anonfe2889270811::MemorySanitizerVisitor2102 void handleMulByConstant(BinaryOperator &I, Constant *ConstArg,
2103 Value *OtherArg) {
2104 Constant *ShadowMul;
2105 Type *Ty = ConstArg->getType();
2106 if (Ty->isVectorTy()) {
2107 unsigned NumElements = Ty->getVectorNumElements();
2108 Type *EltTy = Ty->getSequentialElementType();
2109 SmallVector<Constant *, 16> Elements;
2110 for (unsigned Idx = 0; Idx < NumElements; ++Idx) {
2111 if (ConstantInt *Elt =
2112 dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx))) {
2113 const APInt &V = Elt->getValue();
2114 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
2115 Elements.push_back(ConstantInt::get(EltTy, V2));
2116 } else {
2117 Elements.push_back(ConstantInt::get(EltTy, 1));
2118 }
2119 }
2120 ShadowMul = ConstantVector::get(Elements);
2121 } else {
2122 if (ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg)) {
2123 const APInt &V = Elt->getValue();
2124 APInt V2 = APInt(V.getBitWidth(), 1) << V.countTrailingZeros();
2125 ShadowMul = ConstantInt::get(Ty, V2);
2126 } else {
2127 ShadowMul = ConstantInt::get(Ty, 1);
2128 }
2129 }
2130
2131 IRBuilder<> IRB(&I);
2132 setShadow(&I,
2133 IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst"));
2134 setOrigin(&I, getOrigin(OtherArg));
2135 }
2136
visitMul__anonfe2889270811::MemorySanitizerVisitor2137 void visitMul(BinaryOperator &I) {
2138 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0));
2139 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1));
2140 if (constOp0 && !constOp1)
2141 handleMulByConstant(I, constOp0, I.getOperand(1));
2142 else if (constOp1 && !constOp0)
2143 handleMulByConstant(I, constOp1, I.getOperand(0));
2144 else
2145 handleShadowOr(I);
2146 }
2147
visitFAdd__anonfe2889270811::MemorySanitizerVisitor2148 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); }
visitFSub__anonfe2889270811::MemorySanitizerVisitor2149 void visitFSub(BinaryOperator &I) { handleShadowOr(I); }
visitFMul__anonfe2889270811::MemorySanitizerVisitor2150 void visitFMul(BinaryOperator &I) { handleShadowOr(I); }
visitAdd__anonfe2889270811::MemorySanitizerVisitor2151 void visitAdd(BinaryOperator &I) { handleShadowOr(I); }
visitSub__anonfe2889270811::MemorySanitizerVisitor2152 void visitSub(BinaryOperator &I) { handleShadowOr(I); }
visitXor__anonfe2889270811::MemorySanitizerVisitor2153 void visitXor(BinaryOperator &I) { handleShadowOr(I); }
2154
handleIntegerDiv__anonfe2889270811::MemorySanitizerVisitor2155 void handleIntegerDiv(Instruction &I) {
2156 IRBuilder<> IRB(&I);
2157 // Strict on the second argument.
2158 insertShadowCheck(I.getOperand(1), &I);
2159 setShadow(&I, getShadow(&I, 0));
2160 setOrigin(&I, getOrigin(&I, 0));
2161 }
2162
visitUDiv__anonfe2889270811::MemorySanitizerVisitor2163 void visitUDiv(BinaryOperator &I) { handleIntegerDiv(I); }
visitSDiv__anonfe2889270811::MemorySanitizerVisitor2164 void visitSDiv(BinaryOperator &I) { handleIntegerDiv(I); }
visitURem__anonfe2889270811::MemorySanitizerVisitor2165 void visitURem(BinaryOperator &I) { handleIntegerDiv(I); }
visitSRem__anonfe2889270811::MemorySanitizerVisitor2166 void visitSRem(BinaryOperator &I) { handleIntegerDiv(I); }
2167
2168 // Floating point division is side-effect free. We can not require that the
2169 // divisor is fully initialized and must propagate shadow. See PR37523.
visitFDiv__anonfe2889270811::MemorySanitizerVisitor2170 void visitFDiv(BinaryOperator &I) { handleShadowOr(I); }
visitFRem__anonfe2889270811::MemorySanitizerVisitor2171 void visitFRem(BinaryOperator &I) { handleShadowOr(I); }
2172
2173 /// Instrument == and != comparisons.
2174 ///
2175 /// Sometimes the comparison result is known even if some of the bits of the
2176 /// arguments are not.
handleEqualityComparison__anonfe2889270811::MemorySanitizerVisitor2177 void handleEqualityComparison(ICmpInst &I) {
2178 IRBuilder<> IRB(&I);
2179 Value *A = I.getOperand(0);
2180 Value *B = I.getOperand(1);
2181 Value *Sa = getShadow(A);
2182 Value *Sb = getShadow(B);
2183
2184 // Get rid of pointers and vectors of pointers.
2185 // For ints (and vectors of ints), types of A and Sa match,
2186 // and this is a no-op.
2187 A = IRB.CreatePointerCast(A, Sa->getType());
2188 B = IRB.CreatePointerCast(B, Sb->getType());
2189
2190 // A == B <==> (C = A^B) == 0
2191 // A != B <==> (C = A^B) != 0
2192 // Sc = Sa | Sb
2193 Value *C = IRB.CreateXor(A, B);
2194 Value *Sc = IRB.CreateOr(Sa, Sb);
2195 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now)
2196 // Result is defined if one of the following is true
2197 // * there is a defined 1 bit in C
2198 // * C is fully defined
2199 // Si = !(C & ~Sc) && Sc
2200 Value *Zero = Constant::getNullValue(Sc->getType());
2201 Value *MinusOne = Constant::getAllOnesValue(Sc->getType());
2202 Value *Si =
2203 IRB.CreateAnd(IRB.CreateICmpNE(Sc, Zero),
2204 IRB.CreateICmpEQ(
2205 IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero));
2206 Si->setName("_msprop_icmp");
2207 setShadow(&I, Si);
2208 setOriginForNaryOp(I);
2209 }
2210
2211 /// Build the lowest possible value of V, taking into account V's
2212 /// uninitialized bits.
getLowestPossibleValue__anonfe2889270811::MemorySanitizerVisitor2213 Value *getLowestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2214 bool isSigned) {
2215 if (isSigned) {
2216 // Split shadow into sign bit and other bits.
2217 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2218 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2219 // Maximise the undefined shadow bit, minimize other undefined bits.
2220 return
2221 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaOtherBits)), SaSignBit);
2222 } else {
2223 // Minimize undefined bits.
2224 return IRB.CreateAnd(A, IRB.CreateNot(Sa));
2225 }
2226 }
2227
2228 /// Build the highest possible value of V, taking into account V's
2229 /// uninitialized bits.
getHighestPossibleValue__anonfe2889270811::MemorySanitizerVisitor2230 Value *getHighestPossibleValue(IRBuilder<> &IRB, Value *A, Value *Sa,
2231 bool isSigned) {
2232 if (isSigned) {
2233 // Split shadow into sign bit and other bits.
2234 Value *SaOtherBits = IRB.CreateLShr(IRB.CreateShl(Sa, 1), 1);
2235 Value *SaSignBit = IRB.CreateXor(Sa, SaOtherBits);
2236 // Minimise the undefined shadow bit, maximise other undefined bits.
2237 return
2238 IRB.CreateOr(IRB.CreateAnd(A, IRB.CreateNot(SaSignBit)), SaOtherBits);
2239 } else {
2240 // Maximize undefined bits.
2241 return IRB.CreateOr(A, Sa);
2242 }
2243 }
2244
2245 /// Instrument relational comparisons.
2246 ///
2247 /// This function does exact shadow propagation for all relational
2248 /// comparisons of integers, pointers and vectors of those.
2249 /// FIXME: output seems suboptimal when one of the operands is a constant
handleRelationalComparisonExact__anonfe2889270811::MemorySanitizerVisitor2250 void handleRelationalComparisonExact(ICmpInst &I) {
2251 IRBuilder<> IRB(&I);
2252 Value *A = I.getOperand(0);
2253 Value *B = I.getOperand(1);
2254 Value *Sa = getShadow(A);
2255 Value *Sb = getShadow(B);
2256
2257 // Get rid of pointers and vectors of pointers.
2258 // For ints (and vectors of ints), types of A and Sa match,
2259 // and this is a no-op.
2260 A = IRB.CreatePointerCast(A, Sa->getType());
2261 B = IRB.CreatePointerCast(B, Sb->getType());
2262
2263 // Let [a0, a1] be the interval of possible values of A, taking into account
2264 // its undefined bits. Let [b0, b1] be the interval of possible values of B.
2265 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0).
2266 bool IsSigned = I.isSigned();
2267 Value *S1 = IRB.CreateICmp(I.getPredicate(),
2268 getLowestPossibleValue(IRB, A, Sa, IsSigned),
2269 getHighestPossibleValue(IRB, B, Sb, IsSigned));
2270 Value *S2 = IRB.CreateICmp(I.getPredicate(),
2271 getHighestPossibleValue(IRB, A, Sa, IsSigned),
2272 getLowestPossibleValue(IRB, B, Sb, IsSigned));
2273 Value *Si = IRB.CreateXor(S1, S2);
2274 setShadow(&I, Si);
2275 setOriginForNaryOp(I);
2276 }
2277
2278 /// Instrument signed relational comparisons.
2279 ///
2280 /// Handle sign bit tests: x<0, x>=0, x<=-1, x>-1 by propagating the highest
2281 /// bit of the shadow. Everything else is delegated to handleShadowOr().
handleSignedRelationalComparison__anonfe2889270811::MemorySanitizerVisitor2282 void handleSignedRelationalComparison(ICmpInst &I) {
2283 Constant *constOp;
2284 Value *op = nullptr;
2285 CmpInst::Predicate pre;
2286 if ((constOp = dyn_cast<Constant>(I.getOperand(1)))) {
2287 op = I.getOperand(0);
2288 pre = I.getPredicate();
2289 } else if ((constOp = dyn_cast<Constant>(I.getOperand(0)))) {
2290 op = I.getOperand(1);
2291 pre = I.getSwappedPredicate();
2292 } else {
2293 handleShadowOr(I);
2294 return;
2295 }
2296
2297 if ((constOp->isNullValue() &&
2298 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) ||
2299 (constOp->isAllOnesValue() &&
2300 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE))) {
2301 IRBuilder<> IRB(&I);
2302 Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op),
2303 "_msprop_icmp_s");
2304 setShadow(&I, Shadow);
2305 setOrigin(&I, getOrigin(op));
2306 } else {
2307 handleShadowOr(I);
2308 }
2309 }
2310
visitICmpInst__anonfe2889270811::MemorySanitizerVisitor2311 void visitICmpInst(ICmpInst &I) {
2312 if (!ClHandleICmp) {
2313 handleShadowOr(I);
2314 return;
2315 }
2316 if (I.isEquality()) {
2317 handleEqualityComparison(I);
2318 return;
2319 }
2320
2321 assert(I.isRelational());
2322 if (ClHandleICmpExact) {
2323 handleRelationalComparisonExact(I);
2324 return;
2325 }
2326 if (I.isSigned()) {
2327 handleSignedRelationalComparison(I);
2328 return;
2329 }
2330
2331 assert(I.isUnsigned());
2332 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) {
2333 handleRelationalComparisonExact(I);
2334 return;
2335 }
2336
2337 handleShadowOr(I);
2338 }
2339
visitFCmpInst__anonfe2889270811::MemorySanitizerVisitor2340 void visitFCmpInst(FCmpInst &I) {
2341 handleShadowOr(I);
2342 }
2343
handleShift__anonfe2889270811::MemorySanitizerVisitor2344 void handleShift(BinaryOperator &I) {
2345 IRBuilder<> IRB(&I);
2346 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2347 // Otherwise perform the same shift on S1.
2348 Value *S1 = getShadow(&I, 0);
2349 Value *S2 = getShadow(&I, 1);
2350 Value *S2Conv = IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)),
2351 S2->getType());
2352 Value *V2 = I.getOperand(1);
2353 Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2);
2354 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2355 setOriginForNaryOp(I);
2356 }
2357
visitShl__anonfe2889270811::MemorySanitizerVisitor2358 void visitShl(BinaryOperator &I) { handleShift(I); }
visitAShr__anonfe2889270811::MemorySanitizerVisitor2359 void visitAShr(BinaryOperator &I) { handleShift(I); }
visitLShr__anonfe2889270811::MemorySanitizerVisitor2360 void visitLShr(BinaryOperator &I) { handleShift(I); }
2361
2362 /// Instrument llvm.memmove
2363 ///
2364 /// At this point we don't know if llvm.memmove will be inlined or not.
2365 /// If we don't instrument it and it gets inlined,
2366 /// our interceptor will not kick in and we will lose the memmove.
2367 /// If we instrument the call here, but it does not get inlined,
2368 /// we will memove the shadow twice: which is bad in case
2369 /// of overlapping regions. So, we simply lower the intrinsic to a call.
2370 ///
2371 /// Similar situation exists for memcpy and memset.
visitMemMoveInst__anonfe2889270811::MemorySanitizerVisitor2372 void visitMemMoveInst(MemMoveInst &I) {
2373 IRBuilder<> IRB(&I);
2374 IRB.CreateCall(
2375 MS.MemmoveFn,
2376 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2377 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
2378 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2379 I.eraseFromParent();
2380 }
2381
2382 // Similar to memmove: avoid copying shadow twice.
2383 // This is somewhat unfortunate as it may slowdown small constant memcpys.
2384 // FIXME: consider doing manual inline for small constant sizes and proper
2385 // alignment.
visitMemCpyInst__anonfe2889270811::MemorySanitizerVisitor2386 void visitMemCpyInst(MemCpyInst &I) {
2387 IRBuilder<> IRB(&I);
2388 IRB.CreateCall(
2389 MS.MemcpyFn,
2390 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2391 IRB.CreatePointerCast(I.getArgOperand(1), IRB.getInt8PtrTy()),
2392 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2393 I.eraseFromParent();
2394 }
2395
2396 // Same as memcpy.
visitMemSetInst__anonfe2889270811::MemorySanitizerVisitor2397 void visitMemSetInst(MemSetInst &I) {
2398 IRBuilder<> IRB(&I);
2399 IRB.CreateCall(
2400 MS.MemsetFn,
2401 {IRB.CreatePointerCast(I.getArgOperand(0), IRB.getInt8PtrTy()),
2402 IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
2403 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2404 I.eraseFromParent();
2405 }
2406
visitVAStartInst__anonfe2889270811::MemorySanitizerVisitor2407 void visitVAStartInst(VAStartInst &I) {
2408 VAHelper->visitVAStartInst(I);
2409 }
2410
visitVACopyInst__anonfe2889270811::MemorySanitizerVisitor2411 void visitVACopyInst(VACopyInst &I) {
2412 VAHelper->visitVACopyInst(I);
2413 }
2414
2415 /// Handle vector store-like intrinsics.
2416 ///
2417 /// Instrument intrinsics that look like a simple SIMD store: writes memory,
2418 /// has 1 pointer argument and 1 vector argument, returns void.
handleVectorStoreIntrinsic__anonfe2889270811::MemorySanitizerVisitor2419 bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
2420 IRBuilder<> IRB(&I);
2421 Value* Addr = I.getArgOperand(0);
2422 Value *Shadow = getShadow(&I, 1);
2423 Value *ShadowPtr, *OriginPtr;
2424
2425 // We don't know the pointer alignment (could be unaligned SSE store!).
2426 // Have to assume to worst case.
2427 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
2428 Addr, IRB, Shadow->getType(), /*Alignment*/ 1, /*isStore*/ true);
2429 IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);
2430
2431 if (ClCheckAccessAddress)
2432 insertShadowCheck(Addr, &I);
2433
2434 // FIXME: factor out common code from materializeStores
2435 if (MS.TrackOrigins) IRB.CreateStore(getOrigin(&I, 1), OriginPtr);
2436 return true;
2437 }
2438
2439 /// Handle vector load-like intrinsics.
2440 ///
2441 /// Instrument intrinsics that look like a simple SIMD load: reads memory,
2442 /// has 1 pointer argument, returns a vector.
handleVectorLoadIntrinsic__anonfe2889270811::MemorySanitizerVisitor2443 bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
2444 IRBuilder<> IRB(&I);
2445 Value *Addr = I.getArgOperand(0);
2446
2447 Type *ShadowTy = getShadowTy(&I);
2448 Value *ShadowPtr, *OriginPtr;
2449 if (PropagateShadow) {
2450 // We don't know the pointer alignment (could be unaligned SSE load!).
2451 // Have to assume to worst case.
2452 unsigned Alignment = 1;
2453 std::tie(ShadowPtr, OriginPtr) =
2454 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
2455 setShadow(&I, IRB.CreateAlignedLoad(ShadowPtr, Alignment, "_msld"));
2456 } else {
2457 setShadow(&I, getCleanShadow(&I));
2458 }
2459
2460 if (ClCheckAccessAddress)
2461 insertShadowCheck(Addr, &I);
2462
2463 if (MS.TrackOrigins) {
2464 if (PropagateShadow)
2465 setOrigin(&I, IRB.CreateLoad(OriginPtr));
2466 else
2467 setOrigin(&I, getCleanOrigin());
2468 }
2469 return true;
2470 }
2471
2472 /// Handle (SIMD arithmetic)-like intrinsics.
2473 ///
2474 /// Instrument intrinsics with any number of arguments of the same type,
2475 /// equal to the return type. The type should be simple (no aggregates or
2476 /// pointers; vectors are fine).
2477 /// Caller guarantees that this intrinsic does not access memory.
maybeHandleSimpleNomemIntrinsic__anonfe2889270811::MemorySanitizerVisitor2478 bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
2479 Type *RetTy = I.getType();
2480 if (!(RetTy->isIntOrIntVectorTy() ||
2481 RetTy->isFPOrFPVectorTy() ||
2482 RetTy->isX86_MMXTy()))
2483 return false;
2484
2485 unsigned NumArgOperands = I.getNumArgOperands();
2486
2487 for (unsigned i = 0; i < NumArgOperands; ++i) {
2488 Type *Ty = I.getArgOperand(i)->getType();
2489 if (Ty != RetTy)
2490 return false;
2491 }
2492
2493 IRBuilder<> IRB(&I);
2494 ShadowAndOriginCombiner SC(this, IRB);
2495 for (unsigned i = 0; i < NumArgOperands; ++i)
2496 SC.Add(I.getArgOperand(i));
2497 SC.Done(&I);
2498
2499 return true;
2500 }
2501
2502 /// Heuristically instrument unknown intrinsics.
2503 ///
2504 /// The main purpose of this code is to do something reasonable with all
2505 /// random intrinsics we might encounter, most importantly - SIMD intrinsics.
2506 /// We recognize several classes of intrinsics by their argument types and
2507 /// ModRefBehaviour and apply special intrumentation when we are reasonably
2508 /// sure that we know what the intrinsic does.
2509 ///
2510 /// We special-case intrinsics where this approach fails. See llvm.bswap
2511 /// handling as an example of that.
handleUnknownIntrinsic__anonfe2889270811::MemorySanitizerVisitor2512 bool handleUnknownIntrinsic(IntrinsicInst &I) {
2513 unsigned NumArgOperands = I.getNumArgOperands();
2514 if (NumArgOperands == 0)
2515 return false;
2516
2517 if (NumArgOperands == 2 &&
2518 I.getArgOperand(0)->getType()->isPointerTy() &&
2519 I.getArgOperand(1)->getType()->isVectorTy() &&
2520 I.getType()->isVoidTy() &&
2521 !I.onlyReadsMemory()) {
2522 // This looks like a vector store.
2523 return handleVectorStoreIntrinsic(I);
2524 }
2525
2526 if (NumArgOperands == 1 &&
2527 I.getArgOperand(0)->getType()->isPointerTy() &&
2528 I.getType()->isVectorTy() &&
2529 I.onlyReadsMemory()) {
2530 // This looks like a vector load.
2531 return handleVectorLoadIntrinsic(I);
2532 }
2533
2534 if (I.doesNotAccessMemory())
2535 if (maybeHandleSimpleNomemIntrinsic(I))
2536 return true;
2537
2538 // FIXME: detect and handle SSE maskstore/maskload
2539 return false;
2540 }
2541
handleBswap__anonfe2889270811::MemorySanitizerVisitor2542 void handleBswap(IntrinsicInst &I) {
2543 IRBuilder<> IRB(&I);
2544 Value *Op = I.getArgOperand(0);
2545 Type *OpType = Op->getType();
2546 Function *BswapFunc = Intrinsic::getDeclaration(
2547 F.getParent(), Intrinsic::bswap, makeArrayRef(&OpType, 1));
2548 setShadow(&I, IRB.CreateCall(BswapFunc, getShadow(Op)));
2549 setOrigin(&I, getOrigin(Op));
2550 }
2551
2552 // Instrument vector convert instrinsic.
2553 //
2554 // This function instruments intrinsics like cvtsi2ss:
2555 // %Out = int_xxx_cvtyyy(%ConvertOp)
2556 // or
2557 // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
2558 // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same
2559 // number \p Out elements, and (if has 2 arguments) copies the rest of the
2560 // elements from \p CopyOp.
2561 // In most cases conversion involves floating-point value which may trigger a
2562 // hardware exception when not fully initialized. For this reason we require
2563 // \p ConvertOp[0:NumUsedElements] to be fully initialized and trap otherwise.
2564 // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
2565 // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always
2566 // return a fully initialized value.
handleVectorConvertIntrinsic__anonfe2889270811::MemorySanitizerVisitor2567 void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements) {
2568 IRBuilder<> IRB(&I);
2569 Value *CopyOp, *ConvertOp;
2570
2571 switch (I.getNumArgOperands()) {
2572 case 3:
2573 assert(isa<ConstantInt>(I.getArgOperand(2)) && "Invalid rounding mode");
2574 LLVM_FALLTHROUGH;
2575 case 2:
2576 CopyOp = I.getArgOperand(0);
2577 ConvertOp = I.getArgOperand(1);
2578 break;
2579 case 1:
2580 ConvertOp = I.getArgOperand(0);
2581 CopyOp = nullptr;
2582 break;
2583 default:
2584 llvm_unreachable("Cvt intrinsic with unsupported number of arguments.");
2585 }
2586
2587 // The first *NumUsedElements* elements of ConvertOp are converted to the
2588 // same number of output elements. The rest of the output is copied from
2589 // CopyOp, or (if not available) filled with zeroes.
2590 // Combine shadow for elements of ConvertOp that are used in this operation,
2591 // and insert a check.
2592 // FIXME: consider propagating shadow of ConvertOp, at least in the case of
2593 // int->any conversion.
2594 Value *ConvertShadow = getShadow(ConvertOp);
2595 Value *AggShadow = nullptr;
2596 if (ConvertOp->getType()->isVectorTy()) {
2597 AggShadow = IRB.CreateExtractElement(
2598 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
2599 for (int i = 1; i < NumUsedElements; ++i) {
2600 Value *MoreShadow = IRB.CreateExtractElement(
2601 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i));
2602 AggShadow = IRB.CreateOr(AggShadow, MoreShadow);
2603 }
2604 } else {
2605 AggShadow = ConvertShadow;
2606 }
2607 assert(AggShadow->getType()->isIntegerTy());
2608 insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I);
2609
2610 // Build result shadow by zero-filling parts of CopyOp shadow that come from
2611 // ConvertOp.
2612 if (CopyOp) {
2613 assert(CopyOp->getType() == I.getType());
2614 assert(CopyOp->getType()->isVectorTy());
2615 Value *ResultShadow = getShadow(CopyOp);
2616 Type *EltTy = ResultShadow->getType()->getVectorElementType();
2617 for (int i = 0; i < NumUsedElements; ++i) {
2618 ResultShadow = IRB.CreateInsertElement(
2619 ResultShadow, ConstantInt::getNullValue(EltTy),
2620 ConstantInt::get(IRB.getInt32Ty(), i));
2621 }
2622 setShadow(&I, ResultShadow);
2623 setOrigin(&I, getOrigin(CopyOp));
2624 } else {
2625 setShadow(&I, getCleanShadow(&I));
2626 setOrigin(&I, getCleanOrigin());
2627 }
2628 }
2629
2630 // Given a scalar or vector, extract lower 64 bits (or less), and return all
2631 // zeroes if it is zero, and all ones otherwise.
Lower64ShadowExtend__anonfe2889270811::MemorySanitizerVisitor2632 Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
2633 if (S->getType()->isVectorTy())
2634 S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true);
2635 assert(S->getType()->getPrimitiveSizeInBits() <= 64);
2636 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
2637 return CreateShadowCast(IRB, S2, T, /* Signed */ true);
2638 }
2639
2640 // Given a vector, extract its first element, and return all
2641 // zeroes if it is zero, and all ones otherwise.
LowerElementShadowExtend__anonfe2889270811::MemorySanitizerVisitor2642 Value *LowerElementShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
2643 Value *S1 = IRB.CreateExtractElement(S, (uint64_t)0);
2644 Value *S2 = IRB.CreateICmpNE(S1, getCleanShadow(S1));
2645 return CreateShadowCast(IRB, S2, T, /* Signed */ true);
2646 }
2647
VariableShadowExtend__anonfe2889270811::MemorySanitizerVisitor2648 Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) {
2649 Type *T = S->getType();
2650 assert(T->isVectorTy());
2651 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
2652 return IRB.CreateSExt(S2, T);
2653 }
2654
2655 // Instrument vector shift instrinsic.
2656 //
2657 // This function instruments intrinsics like int_x86_avx2_psll_w.
2658 // Intrinsic shifts %In by %ShiftSize bits.
2659 // %ShiftSize may be a vector. In that case the lower 64 bits determine shift
2660 // size, and the rest is ignored. Behavior is defined even if shift size is
2661 // greater than register (or field) width.
handleVectorShiftIntrinsic__anonfe2889270811::MemorySanitizerVisitor2662 void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) {
2663 assert(I.getNumArgOperands() == 2);
2664 IRBuilder<> IRB(&I);
2665 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2666 // Otherwise perform the same shift on S1.
2667 Value *S1 = getShadow(&I, 0);
2668 Value *S2 = getShadow(&I, 1);
2669 Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2)
2670 : Lower64ShadowExtend(IRB, S2, getShadowTy(&I));
2671 Value *V1 = I.getOperand(0);
2672 Value *V2 = I.getOperand(1);
2673 Value *Shift = IRB.CreateCall(I.getCalledValue(),
2674 {IRB.CreateBitCast(S1, V1->getType()), V2});
2675 Shift = IRB.CreateBitCast(Shift, getShadowTy(&I));
2676 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2677 setOriginForNaryOp(I);
2678 }
2679
2680 // Get an X86_MMX-sized vector type.
getMMXVectorTy__anonfe2889270811::MemorySanitizerVisitor2681 Type *getMMXVectorTy(unsigned EltSizeInBits) {
2682 const unsigned X86_MMXSizeInBits = 64;
2683 return VectorType::get(IntegerType::get(*MS.C, EltSizeInBits),
2684 X86_MMXSizeInBits / EltSizeInBits);
2685 }
2686
2687 // Returns a signed counterpart for an (un)signed-saturate-and-pack
2688 // intrinsic.
getSignedPackIntrinsic__anonfe2889270811::MemorySanitizerVisitor2689 Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) {
2690 switch (id) {
2691 case Intrinsic::x86_sse2_packsswb_128:
2692 case Intrinsic::x86_sse2_packuswb_128:
2693 return Intrinsic::x86_sse2_packsswb_128;
2694
2695 case Intrinsic::x86_sse2_packssdw_128:
2696 case Intrinsic::x86_sse41_packusdw:
2697 return Intrinsic::x86_sse2_packssdw_128;
2698
2699 case Intrinsic::x86_avx2_packsswb:
2700 case Intrinsic::x86_avx2_packuswb:
2701 return Intrinsic::x86_avx2_packsswb;
2702
2703 case Intrinsic::x86_avx2_packssdw:
2704 case Intrinsic::x86_avx2_packusdw:
2705 return Intrinsic::x86_avx2_packssdw;
2706
2707 case Intrinsic::x86_mmx_packsswb:
2708 case Intrinsic::x86_mmx_packuswb:
2709 return Intrinsic::x86_mmx_packsswb;
2710
2711 case Intrinsic::x86_mmx_packssdw:
2712 return Intrinsic::x86_mmx_packssdw;
2713 default:
2714 llvm_unreachable("unexpected intrinsic id");
2715 }
2716 }
2717
2718 // Instrument vector pack instrinsic.
2719 //
2720 // This function instruments intrinsics like x86_mmx_packsswb, that
2721 // packs elements of 2 input vectors into half as many bits with saturation.
2722 // Shadow is propagated with the signed variant of the same intrinsic applied
2723 // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer).
2724 // EltSizeInBits is used only for x86mmx arguments.
handleVectorPackIntrinsic__anonfe2889270811::MemorySanitizerVisitor2725 void handleVectorPackIntrinsic(IntrinsicInst &I, unsigned EltSizeInBits = 0) {
2726 assert(I.getNumArgOperands() == 2);
2727 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2728 IRBuilder<> IRB(&I);
2729 Value *S1 = getShadow(&I, 0);
2730 Value *S2 = getShadow(&I, 1);
2731 assert(isX86_MMX || S1->getType()->isVectorTy());
2732
2733 // SExt and ICmpNE below must apply to individual elements of input vectors.
2734 // In case of x86mmx arguments, cast them to appropriate vector types and
2735 // back.
2736 Type *T = isX86_MMX ? getMMXVectorTy(EltSizeInBits) : S1->getType();
2737 if (isX86_MMX) {
2738 S1 = IRB.CreateBitCast(S1, T);
2739 S2 = IRB.CreateBitCast(S2, T);
2740 }
2741 Value *S1_ext = IRB.CreateSExt(
2742 IRB.CreateICmpNE(S1, Constant::getNullValue(T)), T);
2743 Value *S2_ext = IRB.CreateSExt(
2744 IRB.CreateICmpNE(S2, Constant::getNullValue(T)), T);
2745 if (isX86_MMX) {
2746 Type *X86_MMXTy = Type::getX86_MMXTy(*MS.C);
2747 S1_ext = IRB.CreateBitCast(S1_ext, X86_MMXTy);
2748 S2_ext = IRB.CreateBitCast(S2_ext, X86_MMXTy);
2749 }
2750
2751 Function *ShadowFn = Intrinsic::getDeclaration(
2752 F.getParent(), getSignedPackIntrinsic(I.getIntrinsicID()));
2753
2754 Value *S =
2755 IRB.CreateCall(ShadowFn, {S1_ext, S2_ext}, "_msprop_vector_pack");
2756 if (isX86_MMX) S = IRB.CreateBitCast(S, getShadowTy(&I));
2757 setShadow(&I, S);
2758 setOriginForNaryOp(I);
2759 }
2760
2761 // Instrument sum-of-absolute-differencies intrinsic.
handleVectorSadIntrinsic__anonfe2889270811::MemorySanitizerVisitor2762 void handleVectorSadIntrinsic(IntrinsicInst &I) {
2763 const unsigned SignificantBitsPerResultElement = 16;
2764 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2765 Type *ResTy = isX86_MMX ? IntegerType::get(*MS.C, 64) : I.getType();
2766 unsigned ZeroBitsPerResultElement =
2767 ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement;
2768
2769 IRBuilder<> IRB(&I);
2770 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2771 S = IRB.CreateBitCast(S, ResTy);
2772 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
2773 ResTy);
2774 S = IRB.CreateLShr(S, ZeroBitsPerResultElement);
2775 S = IRB.CreateBitCast(S, getShadowTy(&I));
2776 setShadow(&I, S);
2777 setOriginForNaryOp(I);
2778 }
2779
2780 // Instrument multiply-add intrinsic.
handleVectorPmaddIntrinsic__anonfe2889270811::MemorySanitizerVisitor2781 void handleVectorPmaddIntrinsic(IntrinsicInst &I,
2782 unsigned EltSizeInBits = 0) {
2783 bool isX86_MMX = I.getOperand(0)->getType()->isX86_MMXTy();
2784 Type *ResTy = isX86_MMX ? getMMXVectorTy(EltSizeInBits * 2) : I.getType();
2785 IRBuilder<> IRB(&I);
2786 Value *S = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2787 S = IRB.CreateBitCast(S, ResTy);
2788 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
2789 ResTy);
2790 S = IRB.CreateBitCast(S, getShadowTy(&I));
2791 setShadow(&I, S);
2792 setOriginForNaryOp(I);
2793 }
2794
2795 // Instrument compare-packed intrinsic.
2796 // Basically, an or followed by sext(icmp ne 0) to end up with all-zeros or
2797 // all-ones shadow.
handleVectorComparePackedIntrinsic__anonfe2889270811::MemorySanitizerVisitor2798 void handleVectorComparePackedIntrinsic(IntrinsicInst &I) {
2799 IRBuilder<> IRB(&I);
2800 Type *ResTy = getShadowTy(&I);
2801 Value *S0 = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2802 Value *S = IRB.CreateSExt(
2803 IRB.CreateICmpNE(S0, Constant::getNullValue(ResTy)), ResTy);
2804 setShadow(&I, S);
2805 setOriginForNaryOp(I);
2806 }
2807
2808 // Instrument compare-scalar intrinsic.
2809 // This handles both cmp* intrinsics which return the result in the first
2810 // element of a vector, and comi* which return the result as i32.
handleVectorCompareScalarIntrinsic__anonfe2889270811::MemorySanitizerVisitor2811 void handleVectorCompareScalarIntrinsic(IntrinsicInst &I) {
2812 IRBuilder<> IRB(&I);
2813 Value *S0 = IRB.CreateOr(getShadow(&I, 0), getShadow(&I, 1));
2814 Value *S = LowerElementShadowExtend(IRB, S0, getShadowTy(&I));
2815 setShadow(&I, S);
2816 setOriginForNaryOp(I);
2817 }
2818
handleStmxcsr__anonfe2889270811::MemorySanitizerVisitor2819 void handleStmxcsr(IntrinsicInst &I) {
2820 IRBuilder<> IRB(&I);
2821 Value* Addr = I.getArgOperand(0);
2822 Type *Ty = IRB.getInt32Ty();
2823 Value *ShadowPtr =
2824 getShadowOriginPtr(Addr, IRB, Ty, /*Alignment*/ 1, /*isStore*/ true)
2825 .first;
2826
2827 IRB.CreateStore(getCleanShadow(Ty),
2828 IRB.CreatePointerCast(ShadowPtr, Ty->getPointerTo()));
2829
2830 if (ClCheckAccessAddress)
2831 insertShadowCheck(Addr, &I);
2832 }
2833
handleLdmxcsr__anonfe2889270811::MemorySanitizerVisitor2834 void handleLdmxcsr(IntrinsicInst &I) {
2835 if (!InsertChecks) return;
2836
2837 IRBuilder<> IRB(&I);
2838 Value *Addr = I.getArgOperand(0);
2839 Type *Ty = IRB.getInt32Ty();
2840 unsigned Alignment = 1;
2841 Value *ShadowPtr, *OriginPtr;
2842 std::tie(ShadowPtr, OriginPtr) =
2843 getShadowOriginPtr(Addr, IRB, Ty, Alignment, /*isStore*/ false);
2844
2845 if (ClCheckAccessAddress)
2846 insertShadowCheck(Addr, &I);
2847
2848 Value *Shadow = IRB.CreateAlignedLoad(ShadowPtr, Alignment, "_ldmxcsr");
2849 Value *Origin =
2850 MS.TrackOrigins ? IRB.CreateLoad(OriginPtr) : getCleanOrigin();
2851 insertShadowCheck(Shadow, Origin, &I);
2852 }
2853
handleMaskedStore__anonfe2889270811::MemorySanitizerVisitor2854 void handleMaskedStore(IntrinsicInst &I) {
2855 IRBuilder<> IRB(&I);
2856 Value *V = I.getArgOperand(0);
2857 Value *Addr = I.getArgOperand(1);
2858 unsigned Align = cast<ConstantInt>(I.getArgOperand(2))->getZExtValue();
2859 Value *Mask = I.getArgOperand(3);
2860 Value *Shadow = getShadow(V);
2861
2862 Value *ShadowPtr;
2863 Value *OriginPtr;
2864 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
2865 Addr, IRB, Shadow->getType(), Align, /*isStore*/ true);
2866
2867 if (ClCheckAccessAddress) {
2868 insertShadowCheck(Addr, &I);
2869 // Uninitialized mask is kind of like uninitialized address, but not as
2870 // scary.
2871 insertShadowCheck(Mask, &I);
2872 }
2873
2874 IRB.CreateMaskedStore(Shadow, ShadowPtr, Align, Mask);
2875
2876 if (MS.TrackOrigins) {
2877 auto &DL = F.getParent()->getDataLayout();
2878 paintOrigin(IRB, getOrigin(V), OriginPtr,
2879 DL.getTypeStoreSize(Shadow->getType()),
2880 std::max(Align, kMinOriginAlignment));
2881 }
2882 }
2883
handleMaskedLoad__anonfe2889270811::MemorySanitizerVisitor2884 bool handleMaskedLoad(IntrinsicInst &I) {
2885 IRBuilder<> IRB(&I);
2886 Value *Addr = I.getArgOperand(0);
2887 unsigned Align = cast<ConstantInt>(I.getArgOperand(1))->getZExtValue();
2888 Value *Mask = I.getArgOperand(2);
2889 Value *PassThru = I.getArgOperand(3);
2890
2891 Type *ShadowTy = getShadowTy(&I);
2892 Value *ShadowPtr, *OriginPtr;
2893 if (PropagateShadow) {
2894 std::tie(ShadowPtr, OriginPtr) =
2895 getShadowOriginPtr(Addr, IRB, ShadowTy, Align, /*isStore*/ false);
2896 setShadow(&I, IRB.CreateMaskedLoad(ShadowPtr, Align, Mask,
2897 getShadow(PassThru), "_msmaskedld"));
2898 } else {
2899 setShadow(&I, getCleanShadow(&I));
2900 }
2901
2902 if (ClCheckAccessAddress) {
2903 insertShadowCheck(Addr, &I);
2904 insertShadowCheck(Mask, &I);
2905 }
2906
2907 if (MS.TrackOrigins) {
2908 if (PropagateShadow) {
2909 // Choose between PassThru's and the loaded value's origins.
2910 Value *MaskedPassThruShadow = IRB.CreateAnd(
2911 getShadow(PassThru), IRB.CreateSExt(IRB.CreateNeg(Mask), ShadowTy));
2912
2913 Value *Acc = IRB.CreateExtractElement(
2914 MaskedPassThruShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
2915 for (int i = 1, N = PassThru->getType()->getVectorNumElements(); i < N;
2916 ++i) {
2917 Value *More = IRB.CreateExtractElement(
2918 MaskedPassThruShadow, ConstantInt::get(IRB.getInt32Ty(), i));
2919 Acc = IRB.CreateOr(Acc, More);
2920 }
2921
2922 Value *Origin = IRB.CreateSelect(
2923 IRB.CreateICmpNE(Acc, Constant::getNullValue(Acc->getType())),
2924 getOrigin(PassThru), IRB.CreateLoad(OriginPtr));
2925
2926 setOrigin(&I, Origin);
2927 } else {
2928 setOrigin(&I, getCleanOrigin());
2929 }
2930 }
2931 return true;
2932 }
2933
2934
visitIntrinsicInst__anonfe2889270811::MemorySanitizerVisitor2935 void visitIntrinsicInst(IntrinsicInst &I) {
2936 switch (I.getIntrinsicID()) {
2937 case Intrinsic::bswap:
2938 handleBswap(I);
2939 break;
2940 case Intrinsic::masked_store:
2941 handleMaskedStore(I);
2942 break;
2943 case Intrinsic::masked_load:
2944 handleMaskedLoad(I);
2945 break;
2946 case Intrinsic::x86_sse_stmxcsr:
2947 handleStmxcsr(I);
2948 break;
2949 case Intrinsic::x86_sse_ldmxcsr:
2950 handleLdmxcsr(I);
2951 break;
2952 case Intrinsic::x86_avx512_vcvtsd2usi64:
2953 case Intrinsic::x86_avx512_vcvtsd2usi32:
2954 case Intrinsic::x86_avx512_vcvtss2usi64:
2955 case Intrinsic::x86_avx512_vcvtss2usi32:
2956 case Intrinsic::x86_avx512_cvttss2usi64:
2957 case Intrinsic::x86_avx512_cvttss2usi:
2958 case Intrinsic::x86_avx512_cvttsd2usi64:
2959 case Intrinsic::x86_avx512_cvttsd2usi:
2960 case Intrinsic::x86_avx512_cvtusi2ss:
2961 case Intrinsic::x86_avx512_cvtusi642sd:
2962 case Intrinsic::x86_avx512_cvtusi642ss:
2963 case Intrinsic::x86_sse2_cvtsd2si64:
2964 case Intrinsic::x86_sse2_cvtsd2si:
2965 case Intrinsic::x86_sse2_cvtsd2ss:
2966 case Intrinsic::x86_sse2_cvttsd2si64:
2967 case Intrinsic::x86_sse2_cvttsd2si:
2968 case Intrinsic::x86_sse_cvtss2si64:
2969 case Intrinsic::x86_sse_cvtss2si:
2970 case Intrinsic::x86_sse_cvttss2si64:
2971 case Intrinsic::x86_sse_cvttss2si:
2972 handleVectorConvertIntrinsic(I, 1);
2973 break;
2974 case Intrinsic::x86_sse_cvtps2pi:
2975 case Intrinsic::x86_sse_cvttps2pi:
2976 handleVectorConvertIntrinsic(I, 2);
2977 break;
2978
2979 case Intrinsic::x86_avx512_psll_w_512:
2980 case Intrinsic::x86_avx512_psll_d_512:
2981 case Intrinsic::x86_avx512_psll_q_512:
2982 case Intrinsic::x86_avx512_pslli_w_512:
2983 case Intrinsic::x86_avx512_pslli_d_512:
2984 case Intrinsic::x86_avx512_pslli_q_512:
2985 case Intrinsic::x86_avx512_psrl_w_512:
2986 case Intrinsic::x86_avx512_psrl_d_512:
2987 case Intrinsic::x86_avx512_psrl_q_512:
2988 case Intrinsic::x86_avx512_psra_w_512:
2989 case Intrinsic::x86_avx512_psra_d_512:
2990 case Intrinsic::x86_avx512_psra_q_512:
2991 case Intrinsic::x86_avx512_psrli_w_512:
2992 case Intrinsic::x86_avx512_psrli_d_512:
2993 case Intrinsic::x86_avx512_psrli_q_512:
2994 case Intrinsic::x86_avx512_psrai_w_512:
2995 case Intrinsic::x86_avx512_psrai_d_512:
2996 case Intrinsic::x86_avx512_psrai_q_512:
2997 case Intrinsic::x86_avx512_psra_q_256:
2998 case Intrinsic::x86_avx512_psra_q_128:
2999 case Intrinsic::x86_avx512_psrai_q_256:
3000 case Intrinsic::x86_avx512_psrai_q_128:
3001 case Intrinsic::x86_avx2_psll_w:
3002 case Intrinsic::x86_avx2_psll_d:
3003 case Intrinsic::x86_avx2_psll_q:
3004 case Intrinsic::x86_avx2_pslli_w:
3005 case Intrinsic::x86_avx2_pslli_d:
3006 case Intrinsic::x86_avx2_pslli_q:
3007 case Intrinsic::x86_avx2_psrl_w:
3008 case Intrinsic::x86_avx2_psrl_d:
3009 case Intrinsic::x86_avx2_psrl_q:
3010 case Intrinsic::x86_avx2_psra_w:
3011 case Intrinsic::x86_avx2_psra_d:
3012 case Intrinsic::x86_avx2_psrli_w:
3013 case Intrinsic::x86_avx2_psrli_d:
3014 case Intrinsic::x86_avx2_psrli_q:
3015 case Intrinsic::x86_avx2_psrai_w:
3016 case Intrinsic::x86_avx2_psrai_d:
3017 case Intrinsic::x86_sse2_psll_w:
3018 case Intrinsic::x86_sse2_psll_d:
3019 case Intrinsic::x86_sse2_psll_q:
3020 case Intrinsic::x86_sse2_pslli_w:
3021 case Intrinsic::x86_sse2_pslli_d:
3022 case Intrinsic::x86_sse2_pslli_q:
3023 case Intrinsic::x86_sse2_psrl_w:
3024 case Intrinsic::x86_sse2_psrl_d:
3025 case Intrinsic::x86_sse2_psrl_q:
3026 case Intrinsic::x86_sse2_psra_w:
3027 case Intrinsic::x86_sse2_psra_d:
3028 case Intrinsic::x86_sse2_psrli_w:
3029 case Intrinsic::x86_sse2_psrli_d:
3030 case Intrinsic::x86_sse2_psrli_q:
3031 case Intrinsic::x86_sse2_psrai_w:
3032 case Intrinsic::x86_sse2_psrai_d:
3033 case Intrinsic::x86_mmx_psll_w:
3034 case Intrinsic::x86_mmx_psll_d:
3035 case Intrinsic::x86_mmx_psll_q:
3036 case Intrinsic::x86_mmx_pslli_w:
3037 case Intrinsic::x86_mmx_pslli_d:
3038 case Intrinsic::x86_mmx_pslli_q:
3039 case Intrinsic::x86_mmx_psrl_w:
3040 case Intrinsic::x86_mmx_psrl_d:
3041 case Intrinsic::x86_mmx_psrl_q:
3042 case Intrinsic::x86_mmx_psra_w:
3043 case Intrinsic::x86_mmx_psra_d:
3044 case Intrinsic::x86_mmx_psrli_w:
3045 case Intrinsic::x86_mmx_psrli_d:
3046 case Intrinsic::x86_mmx_psrli_q:
3047 case Intrinsic::x86_mmx_psrai_w:
3048 case Intrinsic::x86_mmx_psrai_d:
3049 handleVectorShiftIntrinsic(I, /* Variable */ false);
3050 break;
3051 case Intrinsic::x86_avx2_psllv_d:
3052 case Intrinsic::x86_avx2_psllv_d_256:
3053 case Intrinsic::x86_avx512_psllv_d_512:
3054 case Intrinsic::x86_avx2_psllv_q:
3055 case Intrinsic::x86_avx2_psllv_q_256:
3056 case Intrinsic::x86_avx512_psllv_q_512:
3057 case Intrinsic::x86_avx2_psrlv_d:
3058 case Intrinsic::x86_avx2_psrlv_d_256:
3059 case Intrinsic::x86_avx512_psrlv_d_512:
3060 case Intrinsic::x86_avx2_psrlv_q:
3061 case Intrinsic::x86_avx2_psrlv_q_256:
3062 case Intrinsic::x86_avx512_psrlv_q_512:
3063 case Intrinsic::x86_avx2_psrav_d:
3064 case Intrinsic::x86_avx2_psrav_d_256:
3065 case Intrinsic::x86_avx512_psrav_d_512:
3066 case Intrinsic::x86_avx512_psrav_q_128:
3067 case Intrinsic::x86_avx512_psrav_q_256:
3068 case Intrinsic::x86_avx512_psrav_q_512:
3069 handleVectorShiftIntrinsic(I, /* Variable */ true);
3070 break;
3071
3072 case Intrinsic::x86_sse2_packsswb_128:
3073 case Intrinsic::x86_sse2_packssdw_128:
3074 case Intrinsic::x86_sse2_packuswb_128:
3075 case Intrinsic::x86_sse41_packusdw:
3076 case Intrinsic::x86_avx2_packsswb:
3077 case Intrinsic::x86_avx2_packssdw:
3078 case Intrinsic::x86_avx2_packuswb:
3079 case Intrinsic::x86_avx2_packusdw:
3080 handleVectorPackIntrinsic(I);
3081 break;
3082
3083 case Intrinsic::x86_mmx_packsswb:
3084 case Intrinsic::x86_mmx_packuswb:
3085 handleVectorPackIntrinsic(I, 16);
3086 break;
3087
3088 case Intrinsic::x86_mmx_packssdw:
3089 handleVectorPackIntrinsic(I, 32);
3090 break;
3091
3092 case Intrinsic::x86_mmx_psad_bw:
3093 case Intrinsic::x86_sse2_psad_bw:
3094 case Intrinsic::x86_avx2_psad_bw:
3095 handleVectorSadIntrinsic(I);
3096 break;
3097
3098 case Intrinsic::x86_sse2_pmadd_wd:
3099 case Intrinsic::x86_avx2_pmadd_wd:
3100 case Intrinsic::x86_ssse3_pmadd_ub_sw_128:
3101 case Intrinsic::x86_avx2_pmadd_ub_sw:
3102 handleVectorPmaddIntrinsic(I);
3103 break;
3104
3105 case Intrinsic::x86_ssse3_pmadd_ub_sw:
3106 handleVectorPmaddIntrinsic(I, 8);
3107 break;
3108
3109 case Intrinsic::x86_mmx_pmadd_wd:
3110 handleVectorPmaddIntrinsic(I, 16);
3111 break;
3112
3113 case Intrinsic::x86_sse_cmp_ss:
3114 case Intrinsic::x86_sse2_cmp_sd:
3115 case Intrinsic::x86_sse_comieq_ss:
3116 case Intrinsic::x86_sse_comilt_ss:
3117 case Intrinsic::x86_sse_comile_ss:
3118 case Intrinsic::x86_sse_comigt_ss:
3119 case Intrinsic::x86_sse_comige_ss:
3120 case Intrinsic::x86_sse_comineq_ss:
3121 case Intrinsic::x86_sse_ucomieq_ss:
3122 case Intrinsic::x86_sse_ucomilt_ss:
3123 case Intrinsic::x86_sse_ucomile_ss:
3124 case Intrinsic::x86_sse_ucomigt_ss:
3125 case Intrinsic::x86_sse_ucomige_ss:
3126 case Intrinsic::x86_sse_ucomineq_ss:
3127 case Intrinsic::x86_sse2_comieq_sd:
3128 case Intrinsic::x86_sse2_comilt_sd:
3129 case Intrinsic::x86_sse2_comile_sd:
3130 case Intrinsic::x86_sse2_comigt_sd:
3131 case Intrinsic::x86_sse2_comige_sd:
3132 case Intrinsic::x86_sse2_comineq_sd:
3133 case Intrinsic::x86_sse2_ucomieq_sd:
3134 case Intrinsic::x86_sse2_ucomilt_sd:
3135 case Intrinsic::x86_sse2_ucomile_sd:
3136 case Intrinsic::x86_sse2_ucomigt_sd:
3137 case Intrinsic::x86_sse2_ucomige_sd:
3138 case Intrinsic::x86_sse2_ucomineq_sd:
3139 handleVectorCompareScalarIntrinsic(I);
3140 break;
3141
3142 case Intrinsic::x86_sse_cmp_ps:
3143 case Intrinsic::x86_sse2_cmp_pd:
3144 // FIXME: For x86_avx_cmp_pd_256 and x86_avx_cmp_ps_256 this function
3145 // generates reasonably looking IR that fails in the backend with "Do not
3146 // know how to split the result of this operator!".
3147 handleVectorComparePackedIntrinsic(I);
3148 break;
3149
3150 case Intrinsic::is_constant:
3151 // The result of llvm.is.constant() is always defined.
3152 setShadow(&I, getCleanShadow(&I));
3153 setOrigin(&I, getCleanOrigin());
3154 break;
3155
3156 default:
3157 if (!handleUnknownIntrinsic(I))
3158 visitInstruction(I);
3159 break;
3160 }
3161 }
3162
visitCallSite__anonfe2889270811::MemorySanitizerVisitor3163 void visitCallSite(CallSite CS) {
3164 Instruction &I = *CS.getInstruction();
3165 assert(!I.getMetadata("nosanitize"));
3166 assert((CS.isCall() || CS.isInvoke()) && "Unknown type of CallSite");
3167 if (CS.isCall()) {
3168 CallInst *Call = cast<CallInst>(&I);
3169
3170 // For inline asm, do the usual thing: check argument shadow and mark all
3171 // outputs as clean. Note that any side effects of the inline asm that are
3172 // not immediately visible in its constraints are not handled.
3173 if (Call->isInlineAsm()) {
3174 if (ClHandleAsmConservative && MS.CompileKernel)
3175 visitAsmInstruction(I);
3176 else
3177 visitInstruction(I);
3178 return;
3179 }
3180
3181 assert(!isa<IntrinsicInst>(&I) && "intrinsics are handled elsewhere");
3182
3183 // We are going to insert code that relies on the fact that the callee
3184 // will become a non-readonly function after it is instrumented by us. To
3185 // prevent this code from being optimized out, mark that function
3186 // non-readonly in advance.
3187 if (Function *Func = Call->getCalledFunction()) {
3188 // Clear out readonly/readnone attributes.
3189 AttrBuilder B;
3190 B.addAttribute(Attribute::ReadOnly)
3191 .addAttribute(Attribute::ReadNone);
3192 Func->removeAttributes(AttributeList::FunctionIndex, B);
3193 }
3194
3195 maybeMarkSanitizerLibraryCallNoBuiltin(Call, TLI);
3196 }
3197 IRBuilder<> IRB(&I);
3198
3199 unsigned ArgOffset = 0;
3200 LLVM_DEBUG(dbgs() << " CallSite: " << I << "\n");
3201 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
3202 ArgIt != End; ++ArgIt) {
3203 Value *A = *ArgIt;
3204 unsigned i = ArgIt - CS.arg_begin();
3205 if (!A->getType()->isSized()) {
3206 LLVM_DEBUG(dbgs() << "Arg " << i << " is not sized: " << I << "\n");
3207 continue;
3208 }
3209 unsigned Size = 0;
3210 Value *Store = nullptr;
3211 // Compute the Shadow for arg even if it is ByVal, because
3212 // in that case getShadow() will copy the actual arg shadow to
3213 // __msan_param_tls.
3214 Value *ArgShadow = getShadow(A);
3215 Value *ArgShadowBase = getShadowPtrForArgument(A, IRB, ArgOffset);
3216 LLVM_DEBUG(dbgs() << " Arg#" << i << ": " << *A
3217 << " Shadow: " << *ArgShadow << "\n");
3218 bool ArgIsInitialized = false;
3219 const DataLayout &DL = F.getParent()->getDataLayout();
3220 if (CS.paramHasAttr(i, Attribute::ByVal)) {
3221 assert(A->getType()->isPointerTy() &&
3222 "ByVal argument is not a pointer!");
3223 Size = DL.getTypeAllocSize(A->getType()->getPointerElementType());
3224 if (ArgOffset + Size > kParamTLSSize) break;
3225 unsigned ParamAlignment = CS.getParamAlignment(i);
3226 unsigned Alignment = std::min(ParamAlignment, kShadowTLSAlignment);
3227 Value *AShadowPtr =
3228 getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), Alignment,
3229 /*isStore*/ false)
3230 .first;
3231
3232 Store = IRB.CreateMemCpy(ArgShadowBase, Alignment, AShadowPtr,
3233 Alignment, Size);
3234 // TODO(glider): need to copy origins.
3235 } else {
3236 Size = DL.getTypeAllocSize(A->getType());
3237 if (ArgOffset + Size > kParamTLSSize) break;
3238 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase,
3239 kShadowTLSAlignment);
3240 Constant *Cst = dyn_cast<Constant>(ArgShadow);
3241 if (Cst && Cst->isNullValue()) ArgIsInitialized = true;
3242 }
3243 if (MS.TrackOrigins && !ArgIsInitialized)
3244 IRB.CreateStore(getOrigin(A),
3245 getOriginPtrForArgument(A, IRB, ArgOffset));
3246 (void)Store;
3247 assert(Size != 0 && Store != nullptr);
3248 LLVM_DEBUG(dbgs() << " Param:" << *Store << "\n");
3249 ArgOffset += alignTo(Size, 8);
3250 }
3251 LLVM_DEBUG(dbgs() << " done with call args\n");
3252
3253 FunctionType *FT = CS.getFunctionType();
3254 if (FT->isVarArg()) {
3255 VAHelper->visitCallSite(CS, IRB);
3256 }
3257
3258 // Now, get the shadow for the RetVal.
3259 if (!I.getType()->isSized()) return;
3260 // Don't emit the epilogue for musttail call returns.
3261 if (CS.isCall() && cast<CallInst>(&I)->isMustTailCall()) return;
3262 IRBuilder<> IRBBefore(&I);
3263 // Until we have full dynamic coverage, make sure the retval shadow is 0.
3264 Value *Base = getShadowPtrForRetval(&I, IRBBefore);
3265 IRBBefore.CreateAlignedStore(getCleanShadow(&I), Base, kShadowTLSAlignment);
3266 BasicBlock::iterator NextInsn;
3267 if (CS.isCall()) {
3268 NextInsn = ++I.getIterator();
3269 assert(NextInsn != I.getParent()->end());
3270 } else {
3271 BasicBlock *NormalDest = cast<InvokeInst>(&I)->getNormalDest();
3272 if (!NormalDest->getSinglePredecessor()) {
3273 // FIXME: this case is tricky, so we are just conservative here.
3274 // Perhaps we need to split the edge between this BB and NormalDest,
3275 // but a naive attempt to use SplitEdge leads to a crash.
3276 setShadow(&I, getCleanShadow(&I));
3277 setOrigin(&I, getCleanOrigin());
3278 return;
3279 }
3280 // FIXME: NextInsn is likely in a basic block that has not been visited yet.
3281 // Anything inserted there will be instrumented by MSan later!
3282 NextInsn = NormalDest->getFirstInsertionPt();
3283 assert(NextInsn != NormalDest->end() &&
3284 "Could not find insertion point for retval shadow load");
3285 }
3286 IRBuilder<> IRBAfter(&*NextInsn);
3287 Value *RetvalShadow =
3288 IRBAfter.CreateAlignedLoad(getShadowPtrForRetval(&I, IRBAfter),
3289 kShadowTLSAlignment, "_msret");
3290 setShadow(&I, RetvalShadow);
3291 if (MS.TrackOrigins)
3292 setOrigin(&I, IRBAfter.CreateLoad(getOriginPtrForRetval(IRBAfter)));
3293 }
3294
isAMustTailRetVal__anonfe2889270811::MemorySanitizerVisitor3295 bool isAMustTailRetVal(Value *RetVal) {
3296 if (auto *I = dyn_cast<BitCastInst>(RetVal)) {
3297 RetVal = I->getOperand(0);
3298 }
3299 if (auto *I = dyn_cast<CallInst>(RetVal)) {
3300 return I->isMustTailCall();
3301 }
3302 return false;
3303 }
3304
visitReturnInst__anonfe2889270811::MemorySanitizerVisitor3305 void visitReturnInst(ReturnInst &I) {
3306 IRBuilder<> IRB(&I);
3307 Value *RetVal = I.getReturnValue();
3308 if (!RetVal) return;
3309 // Don't emit the epilogue for musttail call returns.
3310 if (isAMustTailRetVal(RetVal)) return;
3311 Value *ShadowPtr = getShadowPtrForRetval(RetVal, IRB);
3312 if (CheckReturnValue) {
3313 insertShadowCheck(RetVal, &I);
3314 Value *Shadow = getCleanShadow(RetVal);
3315 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
3316 } else {
3317 Value *Shadow = getShadow(RetVal);
3318 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
3319 if (MS.TrackOrigins)
3320 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval(IRB));
3321 }
3322 }
3323
visitPHINode__anonfe2889270811::MemorySanitizerVisitor3324 void visitPHINode(PHINode &I) {
3325 IRBuilder<> IRB(&I);
3326 if (!PropagateShadow) {
3327 setShadow(&I, getCleanShadow(&I));
3328 setOrigin(&I, getCleanOrigin());
3329 return;
3330 }
3331
3332 ShadowPHINodes.push_back(&I);
3333 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
3334 "_msphi_s"));
3335 if (MS.TrackOrigins)
3336 setOrigin(&I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(),
3337 "_msphi_o"));
3338 }
3339
getLocalVarDescription__anonfe2889270811::MemorySanitizerVisitor3340 Value *getLocalVarDescription(AllocaInst &I) {
3341 SmallString<2048> StackDescriptionStorage;
3342 raw_svector_ostream StackDescription(StackDescriptionStorage);
3343 // We create a string with a description of the stack allocation and
3344 // pass it into __msan_set_alloca_origin.
3345 // It will be printed by the run-time if stack-originated UMR is found.
3346 // The first 4 bytes of the string are set to '----' and will be replaced
3347 // by __msan_va_arg_overflow_size_tls at the first call.
3348 StackDescription << "----" << I.getName() << "@" << F.getName();
3349 return createPrivateNonConstGlobalForString(*F.getParent(),
3350 StackDescription.str());
3351 }
3352
instrumentAllocaUserspace__anonfe2889270811::MemorySanitizerVisitor3353 void instrumentAllocaUserspace(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
3354 if (PoisonStack && ClPoisonStackWithCall) {
3355 IRB.CreateCall(MS.MsanPoisonStackFn,
3356 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
3357 } else {
3358 Value *ShadowBase, *OriginBase;
3359 std::tie(ShadowBase, OriginBase) =
3360 getShadowOriginPtr(&I, IRB, IRB.getInt8Ty(), 1, /*isStore*/ true);
3361
3362 Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
3363 IRB.CreateMemSet(ShadowBase, PoisonValue, Len, I.getAlignment());
3364 }
3365
3366 if (PoisonStack && MS.TrackOrigins) {
3367 Value *Descr = getLocalVarDescription(I);
3368 IRB.CreateCall(MS.MsanSetAllocaOrigin4Fn,
3369 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len,
3370 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy()),
3371 IRB.CreatePointerCast(&F, MS.IntptrTy)});
3372 }
3373 }
3374
instrumentAllocaKmsan__anonfe2889270811::MemorySanitizerVisitor3375 void instrumentAllocaKmsan(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
3376 Value *Descr = getLocalVarDescription(I);
3377 if (PoisonStack) {
3378 IRB.CreateCall(MS.MsanPoisonAllocaFn,
3379 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len,
3380 IRB.CreatePointerCast(Descr, IRB.getInt8PtrTy())});
3381 } else {
3382 IRB.CreateCall(MS.MsanUnpoisonAllocaFn,
3383 {IRB.CreatePointerCast(&I, IRB.getInt8PtrTy()), Len});
3384 }
3385 }
3386
visitAllocaInst__anonfe2889270811::MemorySanitizerVisitor3387 void visitAllocaInst(AllocaInst &I) {
3388 setShadow(&I, getCleanShadow(&I));
3389 setOrigin(&I, getCleanOrigin());
3390 IRBuilder<> IRB(I.getNextNode());
3391 const DataLayout &DL = F.getParent()->getDataLayout();
3392 uint64_t TypeSize = DL.getTypeAllocSize(I.getAllocatedType());
3393 Value *Len = ConstantInt::get(MS.IntptrTy, TypeSize);
3394 if (I.isArrayAllocation())
3395 Len = IRB.CreateMul(Len, I.getArraySize());
3396
3397 if (MS.CompileKernel)
3398 instrumentAllocaKmsan(I, IRB, Len);
3399 else
3400 instrumentAllocaUserspace(I, IRB, Len);
3401 }
3402
visitSelectInst__anonfe2889270811::MemorySanitizerVisitor3403 void visitSelectInst(SelectInst& I) {
3404 IRBuilder<> IRB(&I);
3405 // a = select b, c, d
3406 Value *B = I.getCondition();
3407 Value *C = I.getTrueValue();
3408 Value *D = I.getFalseValue();
3409 Value *Sb = getShadow(B);
3410 Value *Sc = getShadow(C);
3411 Value *Sd = getShadow(D);
3412
3413 // Result shadow if condition shadow is 0.
3414 Value *Sa0 = IRB.CreateSelect(B, Sc, Sd);
3415 Value *Sa1;
3416 if (I.getType()->isAggregateType()) {
3417 // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do
3418 // an extra "select". This results in much more compact IR.
3419 // Sa = select Sb, poisoned, (select b, Sc, Sd)
3420 Sa1 = getPoisonedShadow(getShadowTy(I.getType()));
3421 } else {
3422 // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ]
3423 // If Sb (condition is poisoned), look for bits in c and d that are equal
3424 // and both unpoisoned.
3425 // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd.
3426
3427 // Cast arguments to shadow-compatible type.
3428 C = CreateAppToShadowCast(IRB, C);
3429 D = CreateAppToShadowCast(IRB, D);
3430
3431 // Result shadow if condition shadow is 1.
3432 Sa1 = IRB.CreateOr(IRB.CreateXor(C, D), IRB.CreateOr(Sc, Sd));
3433 }
3434 Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select");
3435 setShadow(&I, Sa);
3436 if (MS.TrackOrigins) {
3437 // Origins are always i32, so any vector conditions must be flattened.
3438 // FIXME: consider tracking vector origins for app vectors?
3439 if (B->getType()->isVectorTy()) {
3440 Type *FlatTy = getShadowTyNoVec(B->getType());
3441 B = IRB.CreateICmpNE(IRB.CreateBitCast(B, FlatTy),
3442 ConstantInt::getNullValue(FlatTy));
3443 Sb = IRB.CreateICmpNE(IRB.CreateBitCast(Sb, FlatTy),
3444 ConstantInt::getNullValue(FlatTy));
3445 }
3446 // a = select b, c, d
3447 // Oa = Sb ? Ob : (b ? Oc : Od)
3448 setOrigin(
3449 &I, IRB.CreateSelect(Sb, getOrigin(I.getCondition()),
3450 IRB.CreateSelect(B, getOrigin(I.getTrueValue()),
3451 getOrigin(I.getFalseValue()))));
3452 }
3453 }
3454
visitLandingPadInst__anonfe2889270811::MemorySanitizerVisitor3455 void visitLandingPadInst(LandingPadInst &I) {
3456 // Do nothing.
3457 // See https://github.com/google/sanitizers/issues/504
3458 setShadow(&I, getCleanShadow(&I));
3459 setOrigin(&I, getCleanOrigin());
3460 }
3461
visitCatchSwitchInst__anonfe2889270811::MemorySanitizerVisitor3462 void visitCatchSwitchInst(CatchSwitchInst &I) {
3463 setShadow(&I, getCleanShadow(&I));
3464 setOrigin(&I, getCleanOrigin());
3465 }
3466
visitFuncletPadInst__anonfe2889270811::MemorySanitizerVisitor3467 void visitFuncletPadInst(FuncletPadInst &I) {
3468 setShadow(&I, getCleanShadow(&I));
3469 setOrigin(&I, getCleanOrigin());
3470 }
3471
visitGetElementPtrInst__anonfe2889270811::MemorySanitizerVisitor3472 void visitGetElementPtrInst(GetElementPtrInst &I) {
3473 handleShadowOr(I);
3474 }
3475
visitExtractValueInst__anonfe2889270811::MemorySanitizerVisitor3476 void visitExtractValueInst(ExtractValueInst &I) {
3477 IRBuilder<> IRB(&I);
3478 Value *Agg = I.getAggregateOperand();
3479 LLVM_DEBUG(dbgs() << "ExtractValue: " << I << "\n");
3480 Value *AggShadow = getShadow(Agg);
3481 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n");
3482 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices());
3483 LLVM_DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n");
3484 setShadow(&I, ResShadow);
3485 setOriginForNaryOp(I);
3486 }
3487
visitInsertValueInst__anonfe2889270811::MemorySanitizerVisitor3488 void visitInsertValueInst(InsertValueInst &I) {
3489 IRBuilder<> IRB(&I);
3490 LLVM_DEBUG(dbgs() << "InsertValue: " << I << "\n");
3491 Value *AggShadow = getShadow(I.getAggregateOperand());
3492 Value *InsShadow = getShadow(I.getInsertedValueOperand());
3493 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n");
3494 LLVM_DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n");
3495 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices());
3496 LLVM_DEBUG(dbgs() << " Res: " << *Res << "\n");
3497 setShadow(&I, Res);
3498 setOriginForNaryOp(I);
3499 }
3500
dumpInst__anonfe2889270811::MemorySanitizerVisitor3501 void dumpInst(Instruction &I) {
3502 if (CallInst *CI = dyn_cast<CallInst>(&I)) {
3503 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n";
3504 } else {
3505 errs() << "ZZZ " << I.getOpcodeName() << "\n";
3506 }
3507 errs() << "QQQ " << I << "\n";
3508 }
3509
visitResumeInst__anonfe2889270811::MemorySanitizerVisitor3510 void visitResumeInst(ResumeInst &I) {
3511 LLVM_DEBUG(dbgs() << "Resume: " << I << "\n");
3512 // Nothing to do here.
3513 }
3514
visitCleanupReturnInst__anonfe2889270811::MemorySanitizerVisitor3515 void visitCleanupReturnInst(CleanupReturnInst &CRI) {
3516 LLVM_DEBUG(dbgs() << "CleanupReturn: " << CRI << "\n");
3517 // Nothing to do here.
3518 }
3519
visitCatchReturnInst__anonfe2889270811::MemorySanitizerVisitor3520 void visitCatchReturnInst(CatchReturnInst &CRI) {
3521 LLVM_DEBUG(dbgs() << "CatchReturn: " << CRI << "\n");
3522 // Nothing to do here.
3523 }
3524
instrumentAsmArgument__anonfe2889270811::MemorySanitizerVisitor3525 void instrumentAsmArgument(Value *Operand, Instruction &I, IRBuilder<> &IRB,
3526 const DataLayout &DL, bool isOutput) {
3527 // For each assembly argument, we check its value for being initialized.
3528 // If the argument is a pointer, we assume it points to a single element
3529 // of the corresponding type (or to a 8-byte word, if the type is unsized).
3530 // Each such pointer is instrumented with a call to the runtime library.
3531 Type *OpType = Operand->getType();
3532 // Check the operand value itself.
3533 insertShadowCheck(Operand, &I);
3534 if (!OpType->isPointerTy() || !isOutput) {
3535 assert(!isOutput);
3536 return;
3537 }
3538 Type *ElType = OpType->getPointerElementType();
3539 if (!ElType->isSized())
3540 return;
3541 int Size = DL.getTypeStoreSize(ElType);
3542 Value *Ptr = IRB.CreatePointerCast(Operand, IRB.getInt8PtrTy());
3543 Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
3544 IRB.CreateCall(MS.MsanInstrumentAsmStoreFn, {Ptr, SizeVal});
3545 }
3546
3547 /// Get the number of output arguments returned by pointers.
getNumOutputArgs__anonfe2889270811::MemorySanitizerVisitor3548 int getNumOutputArgs(InlineAsm *IA, CallInst *CI) {
3549 int NumRetOutputs = 0;
3550 int NumOutputs = 0;
3551 Type *RetTy = dyn_cast<Value>(CI)->getType();
3552 if (!RetTy->isVoidTy()) {
3553 // Register outputs are returned via the CallInst return value.
3554 StructType *ST = dyn_cast_or_null<StructType>(RetTy);
3555 if (ST)
3556 NumRetOutputs = ST->getNumElements();
3557 else
3558 NumRetOutputs = 1;
3559 }
3560 InlineAsm::ConstraintInfoVector Constraints = IA->ParseConstraints();
3561 for (size_t i = 0, n = Constraints.size(); i < n; i++) {
3562 InlineAsm::ConstraintInfo Info = Constraints[i];
3563 switch (Info.Type) {
3564 case InlineAsm::isOutput:
3565 NumOutputs++;
3566 break;
3567 default:
3568 break;
3569 }
3570 }
3571 return NumOutputs - NumRetOutputs;
3572 }
3573
visitAsmInstruction__anonfe2889270811::MemorySanitizerVisitor3574 void visitAsmInstruction(Instruction &I) {
3575 // Conservative inline assembly handling: check for poisoned shadow of
3576 // asm() arguments, then unpoison the result and all the memory locations
3577 // pointed to by those arguments.
3578 // An inline asm() statement in C++ contains lists of input and output
3579 // arguments used by the assembly code. These are mapped to operands of the
3580 // CallInst as follows:
3581 // - nR register outputs ("=r) are returned by value in a single structure
3582 // (SSA value of the CallInst);
3583 // - nO other outputs ("=m" and others) are returned by pointer as first
3584 // nO operands of the CallInst;
3585 // - nI inputs ("r", "m" and others) are passed to CallInst as the
3586 // remaining nI operands.
3587 // The total number of asm() arguments in the source is nR+nO+nI, and the
3588 // corresponding CallInst has nO+nI+1 operands (the last operand is the
3589 // function to be called).
3590 const DataLayout &DL = F.getParent()->getDataLayout();
3591 CallInst *CI = dyn_cast<CallInst>(&I);
3592 IRBuilder<> IRB(&I);
3593 InlineAsm *IA = cast<InlineAsm>(CI->getCalledValue());
3594 int OutputArgs = getNumOutputArgs(IA, CI);
3595 // The last operand of a CallInst is the function itself.
3596 int NumOperands = CI->getNumOperands() - 1;
3597
3598 // Check input arguments. Doing so before unpoisoning output arguments, so
3599 // that we won't overwrite uninit values before checking them.
3600 for (int i = OutputArgs; i < NumOperands; i++) {
3601 Value *Operand = CI->getOperand(i);
3602 instrumentAsmArgument(Operand, I, IRB, DL, /*isOutput*/ false);
3603 }
3604 // Unpoison output arguments. This must happen before the actual InlineAsm
3605 // call, so that the shadow for memory published in the asm() statement
3606 // remains valid.
3607 for (int i = 0; i < OutputArgs; i++) {
3608 Value *Operand = CI->getOperand(i);
3609 instrumentAsmArgument(Operand, I, IRB, DL, /*isOutput*/ true);
3610 }
3611
3612 setShadow(&I, getCleanShadow(&I));
3613 setOrigin(&I, getCleanOrigin());
3614 }
3615
visitInstruction__anonfe2889270811::MemorySanitizerVisitor3616 void visitInstruction(Instruction &I) {
3617 // Everything else: stop propagating and check for poisoned shadow.
3618 if (ClDumpStrictInstructions)
3619 dumpInst(I);
3620 LLVM_DEBUG(dbgs() << "DEFAULT: " << I << "\n");
3621 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) {
3622 Value *Operand = I.getOperand(i);
3623 if (Operand->getType()->isSized())
3624 insertShadowCheck(Operand, &I);
3625 }
3626 setShadow(&I, getCleanShadow(&I));
3627 setOrigin(&I, getCleanOrigin());
3628 }
3629 };
3630
3631 /// AMD64-specific implementation of VarArgHelper.
3632 struct VarArgAMD64Helper : public VarArgHelper {
3633 // An unfortunate workaround for asymmetric lowering of va_arg stuff.
3634 // See a comment in visitCallSite for more details.
3635 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7
3636 static const unsigned AMD64FpEndOffsetSSE = 176;
3637 // If SSE is disabled, fp_offset in va_list is zero.
3638 static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset;
3639
3640 unsigned AMD64FpEndOffset;
3641 Function &F;
3642 MemorySanitizer &MS;
3643 MemorySanitizerVisitor &MSV;
3644 Value *VAArgTLSCopy = nullptr;
3645 Value *VAArgTLSOriginCopy = nullptr;
3646 Value *VAArgOverflowSize = nullptr;
3647
3648 SmallVector<CallInst*, 16> VAStartInstrumentationList;
3649
3650 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
3651
VarArgAMD64Helper__anonfe2889270811::VarArgAMD64Helper3652 VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
3653 MemorySanitizerVisitor &MSV)
3654 : F(F), MS(MS), MSV(MSV) {
3655 AMD64FpEndOffset = AMD64FpEndOffsetSSE;
3656 for (const auto &Attr : F.getAttributes().getFnAttributes()) {
3657 if (Attr.isStringAttribute() &&
3658 (Attr.getKindAsString() == "target-features")) {
3659 if (Attr.getValueAsString().contains("-sse"))
3660 AMD64FpEndOffset = AMD64FpEndOffsetNoSSE;
3661 break;
3662 }
3663 }
3664 }
3665
classifyArgument__anonfe2889270811::VarArgAMD64Helper3666 ArgKind classifyArgument(Value* arg) {
3667 // A very rough approximation of X86_64 argument classification rules.
3668 Type *T = arg->getType();
3669 if (T->isFPOrFPVectorTy() || T->isX86_MMXTy())
3670 return AK_FloatingPoint;
3671 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
3672 return AK_GeneralPurpose;
3673 if (T->isPointerTy())
3674 return AK_GeneralPurpose;
3675 return AK_Memory;
3676 }
3677
3678 // For VarArg functions, store the argument shadow in an ABI-specific format
3679 // that corresponds to va_list layout.
3680 // We do this because Clang lowers va_arg in the frontend, and this pass
3681 // only sees the low level code that deals with va_list internals.
3682 // A much easier alternative (provided that Clang emits va_arg instructions)
3683 // would have been to associate each live instance of va_list with a copy of
3684 // MSanParamTLS, and extract shadow on va_arg() call in the argument list
3685 // order.
visitCallSite__anonfe2889270811::VarArgAMD64Helper3686 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {
3687 unsigned GpOffset = 0;
3688 unsigned FpOffset = AMD64GpEndOffset;
3689 unsigned OverflowOffset = AMD64FpEndOffset;
3690 const DataLayout &DL = F.getParent()->getDataLayout();
3691 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
3692 ArgIt != End; ++ArgIt) {
3693 Value *A = *ArgIt;
3694 unsigned ArgNo = CS.getArgumentNo(ArgIt);
3695 bool IsFixed = ArgNo < CS.getFunctionType()->getNumParams();
3696 bool IsByVal = CS.paramHasAttr(ArgNo, Attribute::ByVal);
3697 if (IsByVal) {
3698 // ByVal arguments always go to the overflow area.
3699 // Fixed arguments passed through the overflow area will be stepped
3700 // over by va_start, so don't count them towards the offset.
3701 if (IsFixed)
3702 continue;
3703 assert(A->getType()->isPointerTy());
3704 Type *RealTy = A->getType()->getPointerElementType();
3705 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
3706 Value *ShadowBase = getShadowPtrForVAArgument(
3707 RealTy, IRB, OverflowOffset, alignTo(ArgSize, 8));
3708 Value *OriginBase = nullptr;
3709 if (MS.TrackOrigins)
3710 OriginBase = getOriginPtrForVAArgument(RealTy, IRB, OverflowOffset);
3711 OverflowOffset += alignTo(ArgSize, 8);
3712 if (!ShadowBase)
3713 continue;
3714 Value *ShadowPtr, *OriginPtr;
3715 std::tie(ShadowPtr, OriginPtr) =
3716 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment,
3717 /*isStore*/ false);
3718
3719 IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr,
3720 kShadowTLSAlignment, ArgSize);
3721 if (MS.TrackOrigins)
3722 IRB.CreateMemCpy(OriginBase, kShadowTLSAlignment, OriginPtr,
3723 kShadowTLSAlignment, ArgSize);
3724 } else {
3725 ArgKind AK = classifyArgument(A);
3726 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
3727 AK = AK_Memory;
3728 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
3729 AK = AK_Memory;
3730 Value *ShadowBase, *OriginBase = nullptr;
3731 switch (AK) {
3732 case AK_GeneralPurpose:
3733 ShadowBase =
3734 getShadowPtrForVAArgument(A->getType(), IRB, GpOffset, 8);
3735 if (MS.TrackOrigins)
3736 OriginBase =
3737 getOriginPtrForVAArgument(A->getType(), IRB, GpOffset);
3738 GpOffset += 8;
3739 break;
3740 case AK_FloatingPoint:
3741 ShadowBase =
3742 getShadowPtrForVAArgument(A->getType(), IRB, FpOffset, 16);
3743 if (MS.TrackOrigins)
3744 OriginBase =
3745 getOriginPtrForVAArgument(A->getType(), IRB, FpOffset);
3746 FpOffset += 16;
3747 break;
3748 case AK_Memory:
3749 if (IsFixed)
3750 continue;
3751 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
3752 ShadowBase =
3753 getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset, 8);
3754 if (MS.TrackOrigins)
3755 OriginBase =
3756 getOriginPtrForVAArgument(A->getType(), IRB, OverflowOffset);
3757 OverflowOffset += alignTo(ArgSize, 8);
3758 }
3759 // Take fixed arguments into account for GpOffset and FpOffset,
3760 // but don't actually store shadows for them.
3761 // TODO(glider): don't call get*PtrForVAArgument() for them.
3762 if (IsFixed)
3763 continue;
3764 if (!ShadowBase)
3765 continue;
3766 Value *Shadow = MSV.getShadow(A);
3767 IRB.CreateAlignedStore(Shadow, ShadowBase, kShadowTLSAlignment);
3768 if (MS.TrackOrigins) {
3769 Value *Origin = MSV.getOrigin(A);
3770 unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
3771 MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
3772 std::max(kShadowTLSAlignment, kMinOriginAlignment));
3773 }
3774 }
3775 }
3776 Constant *OverflowSize =
3777 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
3778 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
3779 }
3780
3781 /// Compute the shadow address for a given va_arg.
getShadowPtrForVAArgument__anonfe2889270811::VarArgAMD64Helper3782 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
3783 unsigned ArgOffset, unsigned ArgSize) {
3784 // Make sure we don't overflow __msan_va_arg_tls.
3785 if (ArgOffset + ArgSize > kParamTLSSize)
3786 return nullptr;
3787 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
3788 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
3789 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
3790 "_msarg_va_s");
3791 }
3792
3793 /// Compute the origin address for a given va_arg.
getOriginPtrForVAArgument__anonfe2889270811::VarArgAMD64Helper3794 Value *getOriginPtrForVAArgument(Type *Ty, IRBuilder<> &IRB, int ArgOffset) {
3795 Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy);
3796 // getOriginPtrForVAArgument() is always called after
3797 // getShadowPtrForVAArgument(), so __msan_va_arg_origin_tls can never
3798 // overflow.
3799 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
3800 return IRB.CreateIntToPtr(Base, PointerType::get(MS.OriginTy, 0),
3801 "_msarg_va_o");
3802 }
3803
unpoisonVAListTagForInst__anonfe2889270811::VarArgAMD64Helper3804 void unpoisonVAListTagForInst(IntrinsicInst &I) {
3805 IRBuilder<> IRB(&I);
3806 Value *VAListTag = I.getArgOperand(0);
3807 Value *ShadowPtr, *OriginPtr;
3808 unsigned Alignment = 8;
3809 std::tie(ShadowPtr, OriginPtr) =
3810 MSV.getShadowOriginPtr(VAListTag, IRB, IRB.getInt8Ty(), Alignment,
3811 /*isStore*/ true);
3812
3813 // Unpoison the whole __va_list_tag.
3814 // FIXME: magic ABI constants.
3815 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
3816 /* size */ 24, Alignment, false);
3817 // We shouldn't need to zero out the origins, as they're only checked for
3818 // nonzero shadow.
3819 }
3820
visitVAStartInst__anonfe2889270811::VarArgAMD64Helper3821 void visitVAStartInst(VAStartInst &I) override {
3822 if (F.getCallingConv() == CallingConv::Win64)
3823 return;
3824 VAStartInstrumentationList.push_back(&I);
3825 unpoisonVAListTagForInst(I);
3826 }
3827
visitVACopyInst__anonfe2889270811::VarArgAMD64Helper3828 void visitVACopyInst(VACopyInst &I) override {
3829 if (F.getCallingConv() == CallingConv::Win64) return;
3830 unpoisonVAListTagForInst(I);
3831 }
3832
finalizeInstrumentation__anonfe2889270811::VarArgAMD64Helper3833 void finalizeInstrumentation() override {
3834 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
3835 "finalizeInstrumentation called twice");
3836 if (!VAStartInstrumentationList.empty()) {
3837 // If there is a va_start in this function, make a backup copy of
3838 // va_arg_tls somewhere in the function entry block.
3839 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI());
3840 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
3841 Value *CopySize =
3842 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset),
3843 VAArgOverflowSize);
3844 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
3845 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize);
3846 if (MS.TrackOrigins) {
3847 VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
3848 IRB.CreateMemCpy(VAArgTLSOriginCopy, 8, MS.VAArgOriginTLS, 8, CopySize);
3849 }
3850 }
3851
3852 // Instrument va_start.
3853 // Copy va_list shadow from the backup copy of the TLS contents.
3854 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
3855 CallInst *OrigInst = VAStartInstrumentationList[i];
3856 IRBuilder<> IRB(OrigInst->getNextNode());
3857 Value *VAListTag = OrigInst->getArgOperand(0);
3858
3859 Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
3860 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
3861 ConstantInt::get(MS.IntptrTy, 16)),
3862 PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
3863 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
3864 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
3865 unsigned Alignment = 16;
3866 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
3867 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
3868 Alignment, /*isStore*/ true);
3869 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
3870 AMD64FpEndOffset);
3871 if (MS.TrackOrigins)
3872 IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
3873 Alignment, AMD64FpEndOffset);
3874 Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
3875 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
3876 ConstantInt::get(MS.IntptrTy, 8)),
3877 PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
3878 Value *OverflowArgAreaPtr = IRB.CreateLoad(OverflowArgAreaPtrPtr);
3879 Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
3880 std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
3881 MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
3882 Alignment, /*isStore*/ true);
3883 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
3884 AMD64FpEndOffset);
3885 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
3886 VAArgOverflowSize);
3887 if (MS.TrackOrigins) {
3888 SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
3889 AMD64FpEndOffset);
3890 IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
3891 VAArgOverflowSize);
3892 }
3893 }
3894 }
3895 };
3896
3897 /// MIPS64-specific implementation of VarArgHelper.
3898 struct VarArgMIPS64Helper : public VarArgHelper {
3899 Function &F;
3900 MemorySanitizer &MS;
3901 MemorySanitizerVisitor &MSV;
3902 Value *VAArgTLSCopy = nullptr;
3903 Value *VAArgSize = nullptr;
3904
3905 SmallVector<CallInst*, 16> VAStartInstrumentationList;
3906
VarArgMIPS64Helper__anonfe2889270811::VarArgMIPS64Helper3907 VarArgMIPS64Helper(Function &F, MemorySanitizer &MS,
3908 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
3909
visitCallSite__anonfe2889270811::VarArgMIPS64Helper3910 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {
3911 unsigned VAArgOffset = 0;
3912 const DataLayout &DL = F.getParent()->getDataLayout();
3913 for (CallSite::arg_iterator ArgIt = CS.arg_begin() +
3914 CS.getFunctionType()->getNumParams(), End = CS.arg_end();
3915 ArgIt != End; ++ArgIt) {
3916 Triple TargetTriple(F.getParent()->getTargetTriple());
3917 Value *A = *ArgIt;
3918 Value *Base;
3919 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
3920 if (TargetTriple.getArch() == Triple::mips64) {
3921 // Adjusting the shadow for argument with size < 8 to match the placement
3922 // of bits in big endian system
3923 if (ArgSize < 8)
3924 VAArgOffset += (8 - ArgSize);
3925 }
3926 Base = getShadowPtrForVAArgument(A->getType(), IRB, VAArgOffset, ArgSize);
3927 VAArgOffset += ArgSize;
3928 VAArgOffset = alignTo(VAArgOffset, 8);
3929 if (!Base)
3930 continue;
3931 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
3932 }
3933
3934 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(), VAArgOffset);
3935 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
3936 // a new class member i.e. it is the total size of all VarArgs.
3937 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
3938 }
3939
3940 /// Compute the shadow address for a given va_arg.
getShadowPtrForVAArgument__anonfe2889270811::VarArgMIPS64Helper3941 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
3942 unsigned ArgOffset, unsigned ArgSize) {
3943 // Make sure we don't overflow __msan_va_arg_tls.
3944 if (ArgOffset + ArgSize > kParamTLSSize)
3945 return nullptr;
3946 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
3947 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
3948 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
3949 "_msarg");
3950 }
3951
visitVAStartInst__anonfe2889270811::VarArgMIPS64Helper3952 void visitVAStartInst(VAStartInst &I) override {
3953 IRBuilder<> IRB(&I);
3954 VAStartInstrumentationList.push_back(&I);
3955 Value *VAListTag = I.getArgOperand(0);
3956 Value *ShadowPtr, *OriginPtr;
3957 unsigned Alignment = 8;
3958 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
3959 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
3960 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
3961 /* size */ 8, Alignment, false);
3962 }
3963
visitVACopyInst__anonfe2889270811::VarArgMIPS64Helper3964 void visitVACopyInst(VACopyInst &I) override {
3965 IRBuilder<> IRB(&I);
3966 VAStartInstrumentationList.push_back(&I);
3967 Value *VAListTag = I.getArgOperand(0);
3968 Value *ShadowPtr, *OriginPtr;
3969 unsigned Alignment = 8;
3970 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
3971 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
3972 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
3973 /* size */ 8, Alignment, false);
3974 }
3975
finalizeInstrumentation__anonfe2889270811::VarArgMIPS64Helper3976 void finalizeInstrumentation() override {
3977 assert(!VAArgSize && !VAArgTLSCopy &&
3978 "finalizeInstrumentation called twice");
3979 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI());
3980 VAArgSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
3981 Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0),
3982 VAArgSize);
3983
3984 if (!VAStartInstrumentationList.empty()) {
3985 // If there is a va_start in this function, make a backup copy of
3986 // va_arg_tls somewhere in the function entry block.
3987 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
3988 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize);
3989 }
3990
3991 // Instrument va_start.
3992 // Copy va_list shadow from the backup copy of the TLS contents.
3993 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
3994 CallInst *OrigInst = VAStartInstrumentationList[i];
3995 IRBuilder<> IRB(OrigInst->getNextNode());
3996 Value *VAListTag = OrigInst->getArgOperand(0);
3997 Value *RegSaveAreaPtrPtr =
3998 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
3999 PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
4000 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
4001 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
4002 unsigned Alignment = 8;
4003 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
4004 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4005 Alignment, /*isStore*/ true);
4006 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
4007 CopySize);
4008 }
4009 }
4010 };
4011
4012 /// AArch64-specific implementation of VarArgHelper.
4013 struct VarArgAArch64Helper : public VarArgHelper {
4014 static const unsigned kAArch64GrArgSize = 64;
4015 static const unsigned kAArch64VrArgSize = 128;
4016
4017 static const unsigned AArch64GrBegOffset = 0;
4018 static const unsigned AArch64GrEndOffset = kAArch64GrArgSize;
4019 // Make VR space aligned to 16 bytes.
4020 static const unsigned AArch64VrBegOffset = AArch64GrEndOffset;
4021 static const unsigned AArch64VrEndOffset = AArch64VrBegOffset
4022 + kAArch64VrArgSize;
4023 static const unsigned AArch64VAEndOffset = AArch64VrEndOffset;
4024
4025 Function &F;
4026 MemorySanitizer &MS;
4027 MemorySanitizerVisitor &MSV;
4028 Value *VAArgTLSCopy = nullptr;
4029 Value *VAArgOverflowSize = nullptr;
4030
4031 SmallVector<CallInst*, 16> VAStartInstrumentationList;
4032
4033 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
4034
VarArgAArch64Helper__anonfe2889270811::VarArgAArch64Helper4035 VarArgAArch64Helper(Function &F, MemorySanitizer &MS,
4036 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
4037
classifyArgument__anonfe2889270811::VarArgAArch64Helper4038 ArgKind classifyArgument(Value* arg) {
4039 Type *T = arg->getType();
4040 if (T->isFPOrFPVectorTy())
4041 return AK_FloatingPoint;
4042 if ((T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
4043 || (T->isPointerTy()))
4044 return AK_GeneralPurpose;
4045 return AK_Memory;
4046 }
4047
4048 // The instrumentation stores the argument shadow in a non ABI-specific
4049 // format because it does not know which argument is named (since Clang,
4050 // like x86_64 case, lowers the va_args in the frontend and this pass only
4051 // sees the low level code that deals with va_list internals).
4052 // The first seven GR registers are saved in the first 56 bytes of the
4053 // va_arg tls arra, followers by the first 8 FP/SIMD registers, and then
4054 // the remaining arguments.
4055 // Using constant offset within the va_arg TLS array allows fast copy
4056 // in the finalize instrumentation.
visitCallSite__anonfe2889270811::VarArgAArch64Helper4057 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {
4058 unsigned GrOffset = AArch64GrBegOffset;
4059 unsigned VrOffset = AArch64VrBegOffset;
4060 unsigned OverflowOffset = AArch64VAEndOffset;
4061
4062 const DataLayout &DL = F.getParent()->getDataLayout();
4063 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
4064 ArgIt != End; ++ArgIt) {
4065 Value *A = *ArgIt;
4066 unsigned ArgNo = CS.getArgumentNo(ArgIt);
4067 bool IsFixed = ArgNo < CS.getFunctionType()->getNumParams();
4068 ArgKind AK = classifyArgument(A);
4069 if (AK == AK_GeneralPurpose && GrOffset >= AArch64GrEndOffset)
4070 AK = AK_Memory;
4071 if (AK == AK_FloatingPoint && VrOffset >= AArch64VrEndOffset)
4072 AK = AK_Memory;
4073 Value *Base;
4074 switch (AK) {
4075 case AK_GeneralPurpose:
4076 Base = getShadowPtrForVAArgument(A->getType(), IRB, GrOffset, 8);
4077 GrOffset += 8;
4078 break;
4079 case AK_FloatingPoint:
4080 Base = getShadowPtrForVAArgument(A->getType(), IRB, VrOffset, 8);
4081 VrOffset += 16;
4082 break;
4083 case AK_Memory:
4084 // Don't count fixed arguments in the overflow area - va_start will
4085 // skip right over them.
4086 if (IsFixed)
4087 continue;
4088 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
4089 Base = getShadowPtrForVAArgument(A->getType(), IRB, OverflowOffset,
4090 alignTo(ArgSize, 8));
4091 OverflowOffset += alignTo(ArgSize, 8);
4092 break;
4093 }
4094 // Count Gp/Vr fixed arguments to their respective offsets, but don't
4095 // bother to actually store a shadow.
4096 if (IsFixed)
4097 continue;
4098 if (!Base)
4099 continue;
4100 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
4101 }
4102 Constant *OverflowSize =
4103 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AArch64VAEndOffset);
4104 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
4105 }
4106
4107 /// Compute the shadow address for a given va_arg.
getShadowPtrForVAArgument__anonfe2889270811::VarArgAArch64Helper4108 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4109 unsigned ArgOffset, unsigned ArgSize) {
4110 // Make sure we don't overflow __msan_va_arg_tls.
4111 if (ArgOffset + ArgSize > kParamTLSSize)
4112 return nullptr;
4113 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4114 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4115 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4116 "_msarg");
4117 }
4118
visitVAStartInst__anonfe2889270811::VarArgAArch64Helper4119 void visitVAStartInst(VAStartInst &I) override {
4120 IRBuilder<> IRB(&I);
4121 VAStartInstrumentationList.push_back(&I);
4122 Value *VAListTag = I.getArgOperand(0);
4123 Value *ShadowPtr, *OriginPtr;
4124 unsigned Alignment = 8;
4125 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4126 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4127 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4128 /* size */ 32, Alignment, false);
4129 }
4130
visitVACopyInst__anonfe2889270811::VarArgAArch64Helper4131 void visitVACopyInst(VACopyInst &I) override {
4132 IRBuilder<> IRB(&I);
4133 VAStartInstrumentationList.push_back(&I);
4134 Value *VAListTag = I.getArgOperand(0);
4135 Value *ShadowPtr, *OriginPtr;
4136 unsigned Alignment = 8;
4137 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4138 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4139 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4140 /* size */ 32, Alignment, false);
4141 }
4142
4143 // Retrieve a va_list field of 'void*' size.
getVAField64__anonfe2889270811::VarArgAArch64Helper4144 Value* getVAField64(IRBuilder<> &IRB, Value *VAListTag, int offset) {
4145 Value *SaveAreaPtrPtr =
4146 IRB.CreateIntToPtr(
4147 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4148 ConstantInt::get(MS.IntptrTy, offset)),
4149 Type::getInt64PtrTy(*MS.C));
4150 return IRB.CreateLoad(SaveAreaPtrPtr);
4151 }
4152
4153 // Retrieve a va_list field of 'int' size.
getVAField32__anonfe2889270811::VarArgAArch64Helper4154 Value* getVAField32(IRBuilder<> &IRB, Value *VAListTag, int offset) {
4155 Value *SaveAreaPtr =
4156 IRB.CreateIntToPtr(
4157 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4158 ConstantInt::get(MS.IntptrTy, offset)),
4159 Type::getInt32PtrTy(*MS.C));
4160 Value *SaveArea32 = IRB.CreateLoad(SaveAreaPtr);
4161 return IRB.CreateSExt(SaveArea32, MS.IntptrTy);
4162 }
4163
finalizeInstrumentation__anonfe2889270811::VarArgAArch64Helper4164 void finalizeInstrumentation() override {
4165 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
4166 "finalizeInstrumentation called twice");
4167 if (!VAStartInstrumentationList.empty()) {
4168 // If there is a va_start in this function, make a backup copy of
4169 // va_arg_tls somewhere in the function entry block.
4170 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI());
4171 VAArgOverflowSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
4172 Value *CopySize =
4173 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, AArch64VAEndOffset),
4174 VAArgOverflowSize);
4175 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4176 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize);
4177 }
4178
4179 Value *GrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64GrArgSize);
4180 Value *VrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64VrArgSize);
4181
4182 // Instrument va_start, copy va_list shadow from the backup copy of
4183 // the TLS contents.
4184 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4185 CallInst *OrigInst = VAStartInstrumentationList[i];
4186 IRBuilder<> IRB(OrigInst->getNextNode());
4187
4188 Value *VAListTag = OrigInst->getArgOperand(0);
4189
4190 // The variadic ABI for AArch64 creates two areas to save the incoming
4191 // argument registers (one for 64-bit general register xn-x7 and another
4192 // for 128-bit FP/SIMD vn-v7).
4193 // We need then to propagate the shadow arguments on both regions
4194 // 'va::__gr_top + va::__gr_offs' and 'va::__vr_top + va::__vr_offs'.
4195 // The remaning arguments are saved on shadow for 'va::stack'.
4196 // One caveat is it requires only to propagate the non-named arguments,
4197 // however on the call site instrumentation 'all' the arguments are
4198 // saved. So to copy the shadow values from the va_arg TLS array
4199 // we need to adjust the offset for both GR and VR fields based on
4200 // the __{gr,vr}_offs value (since they are stores based on incoming
4201 // named arguments).
4202
4203 // Read the stack pointer from the va_list.
4204 Value *StackSaveAreaPtr = getVAField64(IRB, VAListTag, 0);
4205
4206 // Read both the __gr_top and __gr_off and add them up.
4207 Value *GrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 8);
4208 Value *GrOffSaveArea = getVAField32(IRB, VAListTag, 24);
4209
4210 Value *GrRegSaveAreaPtr = IRB.CreateAdd(GrTopSaveAreaPtr, GrOffSaveArea);
4211
4212 // Read both the __vr_top and __vr_off and add them up.
4213 Value *VrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 16);
4214 Value *VrOffSaveArea = getVAField32(IRB, VAListTag, 28);
4215
4216 Value *VrRegSaveAreaPtr = IRB.CreateAdd(VrTopSaveAreaPtr, VrOffSaveArea);
4217
4218 // It does not know how many named arguments is being used and, on the
4219 // callsite all the arguments were saved. Since __gr_off is defined as
4220 // '0 - ((8 - named_gr) * 8)', the idea is to just propagate the variadic
4221 // argument by ignoring the bytes of shadow from named arguments.
4222 Value *GrRegSaveAreaShadowPtrOff =
4223 IRB.CreateAdd(GrArgSize, GrOffSaveArea);
4224
4225 Value *GrRegSaveAreaShadowPtr =
4226 MSV.getShadowOriginPtr(GrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4227 /*Alignment*/ 8, /*isStore*/ true)
4228 .first;
4229
4230 Value *GrSrcPtr = IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4231 GrRegSaveAreaShadowPtrOff);
4232 Value *GrCopySize = IRB.CreateSub(GrArgSize, GrRegSaveAreaShadowPtrOff);
4233
4234 IRB.CreateMemCpy(GrRegSaveAreaShadowPtr, 8, GrSrcPtr, 8, GrCopySize);
4235
4236 // Again, but for FP/SIMD values.
4237 Value *VrRegSaveAreaShadowPtrOff =
4238 IRB.CreateAdd(VrArgSize, VrOffSaveArea);
4239
4240 Value *VrRegSaveAreaShadowPtr =
4241 MSV.getShadowOriginPtr(VrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4242 /*Alignment*/ 8, /*isStore*/ true)
4243 .first;
4244
4245 Value *VrSrcPtr = IRB.CreateInBoundsGEP(
4246 IRB.getInt8Ty(),
4247 IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4248 IRB.getInt32(AArch64VrBegOffset)),
4249 VrRegSaveAreaShadowPtrOff);
4250 Value *VrCopySize = IRB.CreateSub(VrArgSize, VrRegSaveAreaShadowPtrOff);
4251
4252 IRB.CreateMemCpy(VrRegSaveAreaShadowPtr, 8, VrSrcPtr, 8, VrCopySize);
4253
4254 // And finally for remaining arguments.
4255 Value *StackSaveAreaShadowPtr =
4256 MSV.getShadowOriginPtr(StackSaveAreaPtr, IRB, IRB.getInt8Ty(),
4257 /*Alignment*/ 16, /*isStore*/ true)
4258 .first;
4259
4260 Value *StackSrcPtr =
4261 IRB.CreateInBoundsGEP(IRB.getInt8Ty(), VAArgTLSCopy,
4262 IRB.getInt32(AArch64VAEndOffset));
4263
4264 IRB.CreateMemCpy(StackSaveAreaShadowPtr, 16, StackSrcPtr, 16,
4265 VAArgOverflowSize);
4266 }
4267 }
4268 };
4269
4270 /// PowerPC64-specific implementation of VarArgHelper.
4271 struct VarArgPowerPC64Helper : public VarArgHelper {
4272 Function &F;
4273 MemorySanitizer &MS;
4274 MemorySanitizerVisitor &MSV;
4275 Value *VAArgTLSCopy = nullptr;
4276 Value *VAArgSize = nullptr;
4277
4278 SmallVector<CallInst*, 16> VAStartInstrumentationList;
4279
VarArgPowerPC64Helper__anonfe2889270811::VarArgPowerPC64Helper4280 VarArgPowerPC64Helper(Function &F, MemorySanitizer &MS,
4281 MemorySanitizerVisitor &MSV) : F(F), MS(MS), MSV(MSV) {}
4282
visitCallSite__anonfe2889270811::VarArgPowerPC64Helper4283 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {
4284 // For PowerPC, we need to deal with alignment of stack arguments -
4285 // they are mostly aligned to 8 bytes, but vectors and i128 arrays
4286 // are aligned to 16 bytes, byvals can be aligned to 8 or 16 bytes,
4287 // and QPX vectors are aligned to 32 bytes. For that reason, we
4288 // compute current offset from stack pointer (which is always properly
4289 // aligned), and offset for the first vararg, then subtract them.
4290 unsigned VAArgBase;
4291 Triple TargetTriple(F.getParent()->getTargetTriple());
4292 // Parameter save area starts at 48 bytes from frame pointer for ABIv1,
4293 // and 32 bytes for ABIv2. This is usually determined by target
4294 // endianness, but in theory could be overriden by function attribute.
4295 // For simplicity, we ignore it here (it'd only matter for QPX vectors).
4296 if (TargetTriple.getArch() == Triple::ppc64)
4297 VAArgBase = 48;
4298 else
4299 VAArgBase = 32;
4300 unsigned VAArgOffset = VAArgBase;
4301 const DataLayout &DL = F.getParent()->getDataLayout();
4302 for (CallSite::arg_iterator ArgIt = CS.arg_begin(), End = CS.arg_end();
4303 ArgIt != End; ++ArgIt) {
4304 Value *A = *ArgIt;
4305 unsigned ArgNo = CS.getArgumentNo(ArgIt);
4306 bool IsFixed = ArgNo < CS.getFunctionType()->getNumParams();
4307 bool IsByVal = CS.paramHasAttr(ArgNo, Attribute::ByVal);
4308 if (IsByVal) {
4309 assert(A->getType()->isPointerTy());
4310 Type *RealTy = A->getType()->getPointerElementType();
4311 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
4312 uint64_t ArgAlign = CS.getParamAlignment(ArgNo);
4313 if (ArgAlign < 8)
4314 ArgAlign = 8;
4315 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
4316 if (!IsFixed) {
4317 Value *Base = getShadowPtrForVAArgument(
4318 RealTy, IRB, VAArgOffset - VAArgBase, ArgSize);
4319 if (Base) {
4320 Value *AShadowPtr, *AOriginPtr;
4321 std::tie(AShadowPtr, AOriginPtr) =
4322 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(),
4323 kShadowTLSAlignment, /*isStore*/ false);
4324
4325 IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr,
4326 kShadowTLSAlignment, ArgSize);
4327 }
4328 }
4329 VAArgOffset += alignTo(ArgSize, 8);
4330 } else {
4331 Value *Base;
4332 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
4333 uint64_t ArgAlign = 8;
4334 if (A->getType()->isArrayTy()) {
4335 // Arrays are aligned to element size, except for long double
4336 // arrays, which are aligned to 8 bytes.
4337 Type *ElementTy = A->getType()->getArrayElementType();
4338 if (!ElementTy->isPPC_FP128Ty())
4339 ArgAlign = DL.getTypeAllocSize(ElementTy);
4340 } else if (A->getType()->isVectorTy()) {
4341 // Vectors are naturally aligned.
4342 ArgAlign = DL.getTypeAllocSize(A->getType());
4343 }
4344 if (ArgAlign < 8)
4345 ArgAlign = 8;
4346 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
4347 if (DL.isBigEndian()) {
4348 // Adjusting the shadow for argument with size < 8 to match the placement
4349 // of bits in big endian system
4350 if (ArgSize < 8)
4351 VAArgOffset += (8 - ArgSize);
4352 }
4353 if (!IsFixed) {
4354 Base = getShadowPtrForVAArgument(A->getType(), IRB,
4355 VAArgOffset - VAArgBase, ArgSize);
4356 if (Base)
4357 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
4358 }
4359 VAArgOffset += ArgSize;
4360 VAArgOffset = alignTo(VAArgOffset, 8);
4361 }
4362 if (IsFixed)
4363 VAArgBase = VAArgOffset;
4364 }
4365
4366 Constant *TotalVAArgSize = ConstantInt::get(IRB.getInt64Ty(),
4367 VAArgOffset - VAArgBase);
4368 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
4369 // a new class member i.e. it is the total size of all VarArgs.
4370 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
4371 }
4372
4373 /// Compute the shadow address for a given va_arg.
getShadowPtrForVAArgument__anonfe2889270811::VarArgPowerPC64Helper4374 Value *getShadowPtrForVAArgument(Type *Ty, IRBuilder<> &IRB,
4375 unsigned ArgOffset, unsigned ArgSize) {
4376 // Make sure we don't overflow __msan_va_arg_tls.
4377 if (ArgOffset + ArgSize > kParamTLSSize)
4378 return nullptr;
4379 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
4380 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
4381 return IRB.CreateIntToPtr(Base, PointerType::get(MSV.getShadowTy(Ty), 0),
4382 "_msarg");
4383 }
4384
visitVAStartInst__anonfe2889270811::VarArgPowerPC64Helper4385 void visitVAStartInst(VAStartInst &I) override {
4386 IRBuilder<> IRB(&I);
4387 VAStartInstrumentationList.push_back(&I);
4388 Value *VAListTag = I.getArgOperand(0);
4389 Value *ShadowPtr, *OriginPtr;
4390 unsigned Alignment = 8;
4391 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4392 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4393 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4394 /* size */ 8, Alignment, false);
4395 }
4396
visitVACopyInst__anonfe2889270811::VarArgPowerPC64Helper4397 void visitVACopyInst(VACopyInst &I) override {
4398 IRBuilder<> IRB(&I);
4399 Value *VAListTag = I.getArgOperand(0);
4400 Value *ShadowPtr, *OriginPtr;
4401 unsigned Alignment = 8;
4402 std::tie(ShadowPtr, OriginPtr) = MSV.getShadowOriginPtr(
4403 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
4404 // Unpoison the whole __va_list_tag.
4405 // FIXME: magic ABI constants.
4406 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
4407 /* size */ 8, Alignment, false);
4408 }
4409
finalizeInstrumentation__anonfe2889270811::VarArgPowerPC64Helper4410 void finalizeInstrumentation() override {
4411 assert(!VAArgSize && !VAArgTLSCopy &&
4412 "finalizeInstrumentation called twice");
4413 IRBuilder<> IRB(MSV.ActualFnStart->getFirstNonPHI());
4414 VAArgSize = IRB.CreateLoad(MS.VAArgOverflowSizeTLS);
4415 Value *CopySize = IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, 0),
4416 VAArgSize);
4417
4418 if (!VAStartInstrumentationList.empty()) {
4419 // If there is a va_start in this function, make a backup copy of
4420 // va_arg_tls somewhere in the function entry block.
4421 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
4422 IRB.CreateMemCpy(VAArgTLSCopy, 8, MS.VAArgTLS, 8, CopySize);
4423 }
4424
4425 // Instrument va_start.
4426 // Copy va_list shadow from the backup copy of the TLS contents.
4427 for (size_t i = 0, n = VAStartInstrumentationList.size(); i < n; i++) {
4428 CallInst *OrigInst = VAStartInstrumentationList[i];
4429 IRBuilder<> IRB(OrigInst->getNextNode());
4430 Value *VAListTag = OrigInst->getArgOperand(0);
4431 Value *RegSaveAreaPtrPtr =
4432 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
4433 PointerType::get(Type::getInt64PtrTy(*MS.C), 0));
4434 Value *RegSaveAreaPtr = IRB.CreateLoad(RegSaveAreaPtrPtr);
4435 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
4436 unsigned Alignment = 8;
4437 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
4438 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
4439 Alignment, /*isStore*/ true);
4440 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
4441 CopySize);
4442 }
4443 }
4444 };
4445
4446 /// A no-op implementation of VarArgHelper.
4447 struct VarArgNoOpHelper : public VarArgHelper {
VarArgNoOpHelper__anonfe2889270811::VarArgNoOpHelper4448 VarArgNoOpHelper(Function &F, MemorySanitizer &MS,
4449 MemorySanitizerVisitor &MSV) {}
4450
visitCallSite__anonfe2889270811::VarArgNoOpHelper4451 void visitCallSite(CallSite &CS, IRBuilder<> &IRB) override {}
4452
visitVAStartInst__anonfe2889270811::VarArgNoOpHelper4453 void visitVAStartInst(VAStartInst &I) override {}
4454
visitVACopyInst__anonfe2889270811::VarArgNoOpHelper4455 void visitVACopyInst(VACopyInst &I) override {}
4456
finalizeInstrumentation__anonfe2889270811::VarArgNoOpHelper4457 void finalizeInstrumentation() override {}
4458 };
4459
4460 } // end anonymous namespace
4461
CreateVarArgHelper(Function & Func,MemorySanitizer & Msan,MemorySanitizerVisitor & Visitor)4462 static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
4463 MemorySanitizerVisitor &Visitor) {
4464 // VarArg handling is only implemented on AMD64. False positives are possible
4465 // on other platforms.
4466 Triple TargetTriple(Func.getParent()->getTargetTriple());
4467 if (TargetTriple.getArch() == Triple::x86_64)
4468 return new VarArgAMD64Helper(Func, Msan, Visitor);
4469 else if (TargetTriple.isMIPS64())
4470 return new VarArgMIPS64Helper(Func, Msan, Visitor);
4471 else if (TargetTriple.getArch() == Triple::aarch64)
4472 return new VarArgAArch64Helper(Func, Msan, Visitor);
4473 else if (TargetTriple.getArch() == Triple::ppc64 ||
4474 TargetTriple.getArch() == Triple::ppc64le)
4475 return new VarArgPowerPC64Helper(Func, Msan, Visitor);
4476 else
4477 return new VarArgNoOpHelper(Func, Msan, Visitor);
4478 }
4479
sanitizeFunction(Function & F,TargetLibraryInfo & TLI)4480 bool MemorySanitizer::sanitizeFunction(Function &F, TargetLibraryInfo &TLI) {
4481 if (!CompileKernel && (&F == MsanCtorFunction))
4482 return false;
4483 MemorySanitizerVisitor Visitor(F, *this, TLI);
4484
4485 // Clear out readonly/readnone attributes.
4486 AttrBuilder B;
4487 B.addAttribute(Attribute::ReadOnly)
4488 .addAttribute(Attribute::ReadNone);
4489 F.removeAttributes(AttributeList::FunctionIndex, B);
4490
4491 return Visitor.runOnFunction();
4492 }
4493