LLVM  8.0.0svn
DataFlowSanitizer.cpp
Go to the documentation of this file.
1 //===- DataFlowSanitizer.cpp - dynamic data flow analysis -----------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 /// \file
11 /// This file is a part of DataFlowSanitizer, a generalised dynamic data flow
12 /// analysis.
13 ///
14 /// Unlike other Sanitizer tools, this tool is not designed to detect a specific
15 /// class of bugs on its own. Instead, it provides a generic dynamic data flow
16 /// analysis framework to be used by clients to help detect application-specific
17 /// issues within their own code.
18 ///
19 /// The analysis is based on automatic propagation of data flow labels (also
20 /// known as taint labels) through a program as it performs computation. Each
21 /// byte of application memory is backed by two bytes of shadow memory which
22 /// hold the label. On Linux/x86_64, memory is laid out as follows:
23 ///
24 /// +--------------------+ 0x800000000000 (top of memory)
25 /// | application memory |
26 /// +--------------------+ 0x700000008000 (kAppAddr)
27 /// | |
28 /// | unused |
29 /// | |
30 /// +--------------------+ 0x200200000000 (kUnusedAddr)
31 /// | union table |
32 /// +--------------------+ 0x200000000000 (kUnionTableAddr)
33 /// | shadow memory |
34 /// +--------------------+ 0x000000010000 (kShadowAddr)
35 /// | reserved by kernel |
36 /// +--------------------+ 0x000000000000
37 ///
38 /// To derive a shadow memory address from an application memory address,
39 /// bits 44-46 are cleared to bring the address into the range
40 /// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to
41 /// account for the double byte representation of shadow labels and move the
42 /// address into the shadow memory range. See the function
43 /// DataFlowSanitizer::getShadowAddress below.
44 ///
45 /// For more information, please refer to the design document:
46 /// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html
47 //
48 //===----------------------------------------------------------------------===//
49 
50 #include "llvm/ADT/DenseMap.h"
51 #include "llvm/ADT/DenseSet.h"
53 #include "llvm/ADT/None.h"
54 #include "llvm/ADT/SmallPtrSet.h"
55 #include "llvm/ADT/SmallVector.h"
56 #include "llvm/ADT/StringExtras.h"
57 #include "llvm/ADT/StringRef.h"
58 #include "llvm/ADT/Triple.h"
61 #include "llvm/IR/Argument.h"
62 #include "llvm/IR/Attributes.h"
63 #include "llvm/IR/BasicBlock.h"
64 #include "llvm/IR/CallSite.h"
65 #include "llvm/IR/Constant.h"
66 #include "llvm/IR/Constants.h"
67 #include "llvm/IR/DataLayout.h"
68 #include "llvm/IR/DerivedTypes.h"
69 #include "llvm/IR/Dominators.h"
70 #include "llvm/IR/Function.h"
71 #include "llvm/IR/GlobalAlias.h"
72 #include "llvm/IR/GlobalValue.h"
73 #include "llvm/IR/GlobalVariable.h"
74 #include "llvm/IR/IRBuilder.h"
75 #include "llvm/IR/InlineAsm.h"
76 #include "llvm/IR/InstVisitor.h"
77 #include "llvm/IR/InstrTypes.h"
78 #include "llvm/IR/Instruction.h"
79 #include "llvm/IR/Instructions.h"
80 #include "llvm/IR/IntrinsicInst.h"
81 #include "llvm/IR/LLVMContext.h"
82 #include "llvm/IR/MDBuilder.h"
83 #include "llvm/IR/Module.h"
84 #include "llvm/IR/Type.h"
85 #include "llvm/IR/User.h"
86 #include "llvm/IR/Value.h"
87 #include "llvm/Pass.h"
88 #include "llvm/Support/Casting.h"
94 #include <algorithm>
95 #include <cassert>
96 #include <cstddef>
97 #include <cstdint>
98 #include <iterator>
99 #include <memory>
100 #include <set>
101 #include <string>
102 #include <utility>
103 #include <vector>
104 
105 using namespace llvm;
106 
107 // External symbol to be used when generating the shadow address for
108 // architectures with multiple VMAs. Instead of using a constant integer
109 // the runtime will set the external mask based on the VMA range.
110 static const char *const kDFSanExternShadowPtrMask = "__dfsan_shadow_ptr_mask";
111 
112 // The -dfsan-preserve-alignment flag controls whether this pass assumes that
113 // alignment requirements provided by the input IR are correct. For example,
114 // if the input IR contains a load with alignment 8, this flag will cause
115 // the shadow load to have alignment 16. This flag is disabled by default as
116 // we have unfortunately encountered too much code (including Clang itself;
117 // see PR14291) which performs misaligned access.
119  "dfsan-preserve-alignment",
120  cl::desc("respect alignment requirements provided by input IR"), cl::Hidden,
121  cl::init(false));
122 
123 // The ABI list files control how shadow parameters are passed. The pass treats
124 // every function labelled "uninstrumented" in the ABI list file as conforming
125 // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains
126 // additional annotations for those functions, a call to one of those functions
127 // will produce a warning message, as the labelling behaviour of the function is
128 // unknown. The other supported annotations are "functional" and "discard",
129 // which are described below under DataFlowSanitizer::WrapperKind.
131  "dfsan-abilist",
132  cl::desc("File listing native ABI functions and how the pass treats them"),
133  cl::Hidden);
134 
135 // Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented
136 // functions (see DataFlowSanitizer::InstrumentedABI below).
137 static cl::opt<bool> ClArgsABI(
138  "dfsan-args-abi",
139  cl::desc("Use the argument ABI rather than the TLS ABI"),
140  cl::Hidden);
141 
142 // Controls whether the pass includes or ignores the labels of pointers in load
143 // instructions.
145  "dfsan-combine-pointer-labels-on-load",
146  cl::desc("Combine the label of the pointer with the label of the data when "
147  "loading from memory."),
148  cl::Hidden, cl::init(true));
149 
150 // Controls whether the pass includes or ignores the labels of pointers in
151 // stores instructions.
153  "dfsan-combine-pointer-labels-on-store",
154  cl::desc("Combine the label of the pointer with the label of the data when "
155  "storing in memory."),
156  cl::Hidden, cl::init(false));
157 
159  "dfsan-debug-nonzero-labels",
160  cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, "
161  "load or return with a nonzero label"),
162  cl::Hidden);
163 
165  // Types of GlobalVariables are always pointer types.
166  Type *GType = G.getValueType();
167  // For now we support blacklisting struct types only.
168  if (StructType *SGType = dyn_cast<StructType>(GType)) {
169  if (!SGType->isLiteral())
170  return SGType->getName();
171  }
172  return "<unknown type>";
173 }
174 
175 namespace {
176 
177 class DFSanABIList {
178  std::unique_ptr<SpecialCaseList> SCL;
179 
180  public:
181  DFSanABIList() = default;
182 
183  void set(std::unique_ptr<SpecialCaseList> List) { SCL = std::move(List); }
184 
185  /// Returns whether either this function or its source file are listed in the
186  /// given category.
187  bool isIn(const Function &F, StringRef Category) const {
188  return isIn(*F.getParent(), Category) ||
189  SCL->inSection("dataflow", "fun", F.getName(), Category);
190  }
191 
192  /// Returns whether this global alias is listed in the given category.
193  ///
194  /// If GA aliases a function, the alias's name is matched as a function name
195  /// would be. Similarly, aliases of globals are matched like globals.
196  bool isIn(const GlobalAlias &GA, StringRef Category) const {
197  if (isIn(*GA.getParent(), Category))
198  return true;
199 
200  if (isa<FunctionType>(GA.getValueType()))
201  return SCL->inSection("dataflow", "fun", GA.getName(), Category);
202 
203  return SCL->inSection("dataflow", "global", GA.getName(), Category) ||
204  SCL->inSection("dataflow", "type", GetGlobalTypeString(GA),
205  Category);
206  }
207 
208  /// Returns whether this module is listed in the given category.
209  bool isIn(const Module &M, StringRef Category) const {
210  return SCL->inSection("dataflow", "src", M.getModuleIdentifier(), Category);
211  }
212 };
213 
214 /// TransformedFunction is used to express the result of transforming one
215 /// function type into another. This struct is immutable. It holds metadata
216 /// useful for updating calls of the old function to the new type.
217 struct TransformedFunction {
218  TransformedFunction(FunctionType* OriginalType,
219  FunctionType* TransformedType,
220  std::vector<unsigned> ArgumentIndexMapping)
221  : OriginalType(OriginalType),
222  TransformedType(TransformedType),
223  ArgumentIndexMapping(ArgumentIndexMapping) {}
224 
225  // Disallow copies.
226  TransformedFunction(const TransformedFunction&) = delete;
227  TransformedFunction& operator=(const TransformedFunction&) = delete;
228 
229  // Allow moves.
230  TransformedFunction(TransformedFunction&&) = default;
231  TransformedFunction& operator=(TransformedFunction&&) = default;
232 
233  /// Type of the function before the transformation.
234  FunctionType* const OriginalType;
235 
236  /// Type of the function after the transformation.
237  FunctionType* const TransformedType;
238 
239  /// Transforming a function may change the position of arguments. This
240  /// member records the mapping from each argument's old position to its new
241  /// position. Argument positions are zero-indexed. If the transformation
242  /// from F to F' made the first argument of F into the third argument of F',
243  /// then ArgumentIndexMapping[0] will equal 2.
244  const std::vector<unsigned> ArgumentIndexMapping;
245 };
246 
247 /// Given function attributes from a call site for the original function,
248 /// return function attributes appropriate for a call to the transformed
249 /// function.
250 AttributeList TransformFunctionAttributes(
251  const TransformedFunction& TransformedFunction,
252  LLVMContext& Ctx, AttributeList CallSiteAttrs) {
253 
254  // Construct a vector of AttributeSet for each function argument.
255  std::vector<llvm::AttributeSet> ArgumentAttributes(
256  TransformedFunction.TransformedType->getNumParams());
257 
258  // Copy attributes from the parameter of the original function to the
259  // transformed version. 'ArgumentIndexMapping' holds the mapping from
260  // old argument position to new.
261  for (unsigned i=0, ie = TransformedFunction.ArgumentIndexMapping.size();
262  i < ie; ++i) {
263  unsigned TransformedIndex = TransformedFunction.ArgumentIndexMapping[i];
264  ArgumentAttributes[TransformedIndex] = CallSiteAttrs.getParamAttributes(i);
265  }
266 
267  // Copy annotations on varargs arguments.
268  for (unsigned i = TransformedFunction.OriginalType->getNumParams(),
269  ie = CallSiteAttrs.getNumAttrSets(); i<ie; ++i) {
270  ArgumentAttributes.push_back(CallSiteAttrs.getParamAttributes(i));
271  }
272 
273  return AttributeList::get(
274  Ctx,
275  CallSiteAttrs.getFnAttributes(),
276  CallSiteAttrs.getRetAttributes(),
277  llvm::makeArrayRef(ArgumentAttributes));
278 }
279 
280 class DataFlowSanitizer : public ModulePass {
281  friend struct DFSanFunction;
282  friend class DFSanVisitor;
283 
284  enum {
285  ShadowWidth = 16
286  };
287 
288  /// Which ABI should be used for instrumented functions?
289  enum InstrumentedABI {
290  /// Argument and return value labels are passed through additional
291  /// arguments and by modifying the return type.
292  IA_Args,
293 
294  /// Argument and return value labels are passed through TLS variables
295  /// __dfsan_arg_tls and __dfsan_retval_tls.
296  IA_TLS
297  };
298 
299  /// How should calls to uninstrumented functions be handled?
300  enum WrapperKind {
301  /// This function is present in an uninstrumented form but we don't know
302  /// how it should be handled. Print a warning and call the function anyway.
303  /// Don't label the return value.
304  WK_Warning,
305 
306  /// This function does not write to (user-accessible) memory, and its return
307  /// value is unlabelled.
308  WK_Discard,
309 
310  /// This function does not write to (user-accessible) memory, and the label
311  /// of its return value is the union of the label of its arguments.
312  WK_Functional,
313 
314  /// Instead of calling the function, a custom wrapper __dfsw_F is called,
315  /// where F is the name of the function. This function may wrap the
316  /// original function or provide its own implementation. This is similar to
317  /// the IA_Args ABI, except that IA_Args uses a struct return type to
318  /// pass the return value shadow in a register, while WK_Custom uses an
319  /// extra pointer argument to return the shadow. This allows the wrapped
320  /// form of the function type to be expressed in C.
321  WK_Custom
322  };
323 
324  Module *Mod;
325  LLVMContext *Ctx;
326  IntegerType *ShadowTy;
327  PointerType *ShadowPtrTy;
328  IntegerType *IntptrTy;
329  ConstantInt *ZeroShadow;
330  ConstantInt *ShadowPtrMask;
331  ConstantInt *ShadowPtrMul;
332  Constant *ArgTLS;
333  Constant *RetvalTLS;
334  void *(*GetArgTLSPtr)();
335  void *(*GetRetvalTLSPtr)();
336  Constant *GetArgTLS;
337  Constant *GetRetvalTLS;
338  Constant *ExternalShadowMask;
339  FunctionType *DFSanUnionFnTy;
340  FunctionType *DFSanUnionLoadFnTy;
341  FunctionType *DFSanUnimplementedFnTy;
342  FunctionType *DFSanSetLabelFnTy;
343  FunctionType *DFSanNonzeroLabelFnTy;
344  FunctionType *DFSanVarargWrapperFnTy;
345  Constant *DFSanUnionFn;
346  Constant *DFSanCheckedUnionFn;
347  Constant *DFSanUnionLoadFn;
348  Constant *DFSanUnimplementedFn;
349  Constant *DFSanSetLabelFn;
350  Constant *DFSanNonzeroLabelFn;
351  Constant *DFSanVarargWrapperFn;
352  MDNode *ColdCallWeights;
353  DFSanABIList ABIList;
354  DenseMap<Value *, Function *> UnwrappedFnMap;
355  AttrBuilder ReadOnlyNoneAttrs;
356  bool DFSanRuntimeShadowMask = false;
357 
358  Value *getShadowAddress(Value *Addr, Instruction *Pos);
359  bool isInstrumented(const Function *F);
360  bool isInstrumented(const GlobalAlias *GA);
361  FunctionType *getArgsFunctionType(FunctionType *T);
362  FunctionType *getTrampolineFunctionType(FunctionType *T);
363  TransformedFunction getCustomFunctionType(FunctionType *T);
364  InstrumentedABI getInstrumentedABI();
365  WrapperKind getWrapperKind(Function *F);
366  void addGlobalNamePrefix(GlobalValue *GV);
367  Function *buildWrapperFunction(Function *F, StringRef NewFName,
368  GlobalValue::LinkageTypes NewFLink,
369  FunctionType *NewFT);
370  Constant *getOrBuildTrampolineFunction(FunctionType *FT, StringRef FName);
371 
372 public:
373  static char ID;
374 
375  DataFlowSanitizer(
376  const std::vector<std::string> &ABIListFiles = std::vector<std::string>(),
377  void *(*getArgTLS)() = nullptr, void *(*getRetValTLS)() = nullptr);
378 
379  bool doInitialization(Module &M) override;
380  bool runOnModule(Module &M) override;
381 };
382 
383 struct DFSanFunction {
384  DataFlowSanitizer &DFS;
385  Function *F;
386  DominatorTree DT;
387  DataFlowSanitizer::InstrumentedABI IA;
388  bool IsNativeABI;
389  Value *ArgTLSPtr = nullptr;
390  Value *RetvalTLSPtr = nullptr;
391  AllocaInst *LabelReturnAlloca = nullptr;
392  DenseMap<Value *, Value *> ValShadowMap;
393  DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap;
394  std::vector<std::pair<PHINode *, PHINode *>> PHIFixups;
395  DenseSet<Instruction *> SkipInsts;
396  std::vector<Value *> NonZeroChecks;
397  bool AvoidNewBlocks;
398 
399  struct CachedCombinedShadow {
400  BasicBlock *Block;
401  Value *Shadow;
402  };
403  DenseMap<std::pair<Value *, Value *>, CachedCombinedShadow>
404  CachedCombinedShadows;
405  DenseMap<Value *, std::set<Value *>> ShadowElements;
406 
407  DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI)
408  : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), IsNativeABI(IsNativeABI) {
409  DT.recalculate(*F);
410  // FIXME: Need to track down the register allocator issue which causes poor
411  // performance in pathological cases with large numbers of basic blocks.
412  AvoidNewBlocks = F->size() > 1000;
413  }
414 
415  Value *getArgTLSPtr();
416  Value *getArgTLS(unsigned Index, Instruction *Pos);
417  Value *getRetvalTLS();
418  Value *getShadow(Value *V);
419  void setShadow(Instruction *I, Value *Shadow);
420  Value *combineShadows(Value *V1, Value *V2, Instruction *Pos);
421  Value *combineOperandShadows(Instruction *Inst);
422  Value *loadShadow(Value *ShadowAddr, uint64_t Size, uint64_t Align,
423  Instruction *Pos);
424  void storeShadow(Value *Addr, uint64_t Size, uint64_t Align, Value *Shadow,
425  Instruction *Pos);
426 };
427 
428 class DFSanVisitor : public InstVisitor<DFSanVisitor> {
429 public:
430  DFSanFunction &DFSF;
431 
432  DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {}
433 
434  const DataLayout &getDataLayout() const {
435  return DFSF.F->getParent()->getDataLayout();
436  }
437 
438  void visitOperandShadowInst(Instruction &I);
439  void visitBinaryOperator(BinaryOperator &BO);
440  void visitCastInst(CastInst &CI);
441  void visitCmpInst(CmpInst &CI);
442  void visitGetElementPtrInst(GetElementPtrInst &GEPI);
443  void visitLoadInst(LoadInst &LI);
444  void visitStoreInst(StoreInst &SI);
445  void visitReturnInst(ReturnInst &RI);
446  void visitCallSite(CallSite CS);
447  void visitPHINode(PHINode &PN);
448  void visitExtractElementInst(ExtractElementInst &I);
449  void visitInsertElementInst(InsertElementInst &I);
450  void visitShuffleVectorInst(ShuffleVectorInst &I);
451  void visitExtractValueInst(ExtractValueInst &I);
452  void visitInsertValueInst(InsertValueInst &I);
453  void visitAllocaInst(AllocaInst &I);
454  void visitSelectInst(SelectInst &I);
455  void visitMemSetInst(MemSetInst &I);
456  void visitMemTransferInst(MemTransferInst &I);
457 };
458 
459 } // end anonymous namespace
460 
462 
463 INITIALIZE_PASS(DataFlowSanitizer, "dfsan",
464  "DataFlowSanitizer: dynamic data flow analysis.", false, false)
465 
466 ModulePass *
467 llvm::createDataFlowSanitizerPass(const std::vector<std::string> &ABIListFiles,
468  void *(*getArgTLS)(),
469  void *(*getRetValTLS)()) {
470  return new DataFlowSanitizer(ABIListFiles, getArgTLS, getRetValTLS);
471 }
472 
473 DataFlowSanitizer::DataFlowSanitizer(
474  const std::vector<std::string> &ABIListFiles, void *(*getArgTLS)(),
475  void *(*getRetValTLS)())
476  : ModulePass(ID), GetArgTLSPtr(getArgTLS), GetRetvalTLSPtr(getRetValTLS) {
477  std::vector<std::string> AllABIListFiles(std::move(ABIListFiles));
478  AllABIListFiles.insert(AllABIListFiles.end(), ClABIListFiles.begin(),
479  ClABIListFiles.end());
480  ABIList.set(SpecialCaseList::createOrDie(AllABIListFiles));
481 }
482 
483 FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) {
484  SmallVector<Type *, 4> ArgTypes(T->param_begin(), T->param_end());
485  ArgTypes.append(T->getNumParams(), ShadowTy);
486  if (T->isVarArg())
487  ArgTypes.push_back(ShadowPtrTy);
488  Type *RetType = T->getReturnType();
489  if (!RetType->isVoidTy())
490  RetType = StructType::get(RetType, ShadowTy);
491  return FunctionType::get(RetType, ArgTypes, T->isVarArg());
492 }
493 
494 FunctionType *DataFlowSanitizer::getTrampolineFunctionType(FunctionType *T) {
495  assert(!T->isVarArg());
496  SmallVector<Type *, 4> ArgTypes;
497  ArgTypes.push_back(T->getPointerTo());
498  ArgTypes.append(T->param_begin(), T->param_end());
499  ArgTypes.append(T->getNumParams(), ShadowTy);
500  Type *RetType = T->getReturnType();
501  if (!RetType->isVoidTy())
502  ArgTypes.push_back(ShadowPtrTy);
503  return FunctionType::get(T->getReturnType(), ArgTypes, false);
504 }
505 
506 TransformedFunction DataFlowSanitizer::getCustomFunctionType(FunctionType *T) {
507  SmallVector<Type *, 4> ArgTypes;
508 
509  // Some parameters of the custom function being constructed are
510  // parameters of T. Record the mapping from parameters of T to
511  // parameters of the custom function, so that parameter attributes
512  // at call sites can be updated.
513  std::vector<unsigned> ArgumentIndexMapping;
514  for (unsigned i = 0, ie = T->getNumParams(); i != ie; ++i) {
515  Type* param_type = T->getParamType(i);
516  FunctionType *FT;
517  if (isa<PointerType>(param_type) && (FT = dyn_cast<FunctionType>(
518  cast<PointerType>(param_type)->getElementType()))) {
519  ArgumentIndexMapping.push_back(ArgTypes.size());
520  ArgTypes.push_back(getTrampolineFunctionType(FT)->getPointerTo());
521  ArgTypes.push_back(Type::getInt8PtrTy(*Ctx));
522  } else {
523  ArgumentIndexMapping.push_back(ArgTypes.size());
524  ArgTypes.push_back(param_type);
525  }
526  }
527  for (unsigned i = 0, e = T->getNumParams(); i != e; ++i)
528  ArgTypes.push_back(ShadowTy);
529  if (T->isVarArg())
530  ArgTypes.push_back(ShadowPtrTy);
531  Type *RetType = T->getReturnType();
532  if (!RetType->isVoidTy())
533  ArgTypes.push_back(ShadowPtrTy);
534  return TransformedFunction(
535  T, FunctionType::get(T->getReturnType(), ArgTypes, T->isVarArg()),
536  ArgumentIndexMapping);
537 }
538 
539 bool DataFlowSanitizer::doInitialization(Module &M) {
540  Triple TargetTriple(M.getTargetTriple());
541  bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
542  bool IsMIPS64 = TargetTriple.isMIPS64();
543  bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64 ||
544  TargetTriple.getArch() == Triple::aarch64_be;
545 
546  const DataLayout &DL = M.getDataLayout();
547 
548  Mod = &M;
549  Ctx = &M.getContext();
550  ShadowTy = IntegerType::get(*Ctx, ShadowWidth);
551  ShadowPtrTy = PointerType::getUnqual(ShadowTy);
552  IntptrTy = DL.getIntPtrType(*Ctx);
553  ZeroShadow = ConstantInt::getSigned(ShadowTy, 0);
554  ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidth / 8);
555  if (IsX86_64)
556  ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL);
557  else if (IsMIPS64)
558  ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0xF000000000LL);
559  // AArch64 supports multiple VMAs and the shadow mask is set at runtime.
560  else if (IsAArch64)
561  DFSanRuntimeShadowMask = true;
562  else
563  report_fatal_error("unsupported triple");
564 
565  Type *DFSanUnionArgs[2] = { ShadowTy, ShadowTy };
566  DFSanUnionFnTy =
567  FunctionType::get(ShadowTy, DFSanUnionArgs, /*isVarArg=*/ false);
568  Type *DFSanUnionLoadArgs[2] = { ShadowPtrTy, IntptrTy };
569  DFSanUnionLoadFnTy =
570  FunctionType::get(ShadowTy, DFSanUnionLoadArgs, /*isVarArg=*/ false);
571  DFSanUnimplementedFnTy = FunctionType::get(
572  Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
573  Type *DFSanSetLabelArgs[3] = { ShadowTy, Type::getInt8PtrTy(*Ctx), IntptrTy };
574  DFSanSetLabelFnTy = FunctionType::get(Type::getVoidTy(*Ctx),
575  DFSanSetLabelArgs, /*isVarArg=*/false);
576  DFSanNonzeroLabelFnTy = FunctionType::get(
577  Type::getVoidTy(*Ctx), None, /*isVarArg=*/false);
578  DFSanVarargWrapperFnTy = FunctionType::get(
579  Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
580 
581  if (GetArgTLSPtr) {
582  Type *ArgTLSTy = ArrayType::get(ShadowTy, 64);
583  ArgTLS = nullptr;
584  GetArgTLS = ConstantExpr::getIntToPtr(
585  ConstantInt::get(IntptrTy, uintptr_t(GetArgTLSPtr)),
587  FunctionType::get(PointerType::getUnqual(ArgTLSTy), false)));
588  }
589  if (GetRetvalTLSPtr) {
590  RetvalTLS = nullptr;
591  GetRetvalTLS = ConstantExpr::getIntToPtr(
592  ConstantInt::get(IntptrTy, uintptr_t(GetRetvalTLSPtr)),
594  FunctionType::get(PointerType::getUnqual(ShadowTy), false)));
595  }
596 
597  ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000);
598  return true;
599 }
600 
601 bool DataFlowSanitizer::isInstrumented(const Function *F) {
602  return !ABIList.isIn(*F, "uninstrumented");
603 }
604 
605 bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) {
606  return !ABIList.isIn(*GA, "uninstrumented");
607 }
608 
609 DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() {
610  return ClArgsABI ? IA_Args : IA_TLS;
611 }
612 
613 DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) {
614  if (ABIList.isIn(*F, "functional"))
615  return WK_Functional;
616  if (ABIList.isIn(*F, "discard"))
617  return WK_Discard;
618  if (ABIList.isIn(*F, "custom"))
619  return WK_Custom;
620 
621  return WK_Warning;
622 }
623 
624 void DataFlowSanitizer::addGlobalNamePrefix(GlobalValue *GV) {
625  std::string GVName = GV->getName(), Prefix = "dfs$";
626  GV->setName(Prefix + GVName);
627 
628  // Try to change the name of the function in module inline asm. We only do
629  // this for specific asm directives, currently only ".symver", to try to avoid
630  // corrupting asm which happens to contain the symbol name as a substring.
631  // Note that the substitution for .symver assumes that the versioned symbol
632  // also has an instrumented name.
633  std::string Asm = GV->getParent()->getModuleInlineAsm();
634  std::string SearchStr = ".symver " + GVName + ",";
635  size_t Pos = Asm.find(SearchStr);
636  if (Pos != std::string::npos) {
637  Asm.replace(Pos, SearchStr.size(),
638  ".symver " + Prefix + GVName + "," + Prefix);
639  GV->getParent()->setModuleInlineAsm(Asm);
640  }
641 }
642 
643 Function *
644 DataFlowSanitizer::buildWrapperFunction(Function *F, StringRef NewFName,
645  GlobalValue::LinkageTypes NewFLink,
646  FunctionType *NewFT) {
647  FunctionType *FT = F->getFunctionType();
648  Function *NewF = Function::Create(NewFT, NewFLink, F->getAddressSpace(),
649  NewFName, F->getParent());
650  NewF->copyAttributesFrom(F);
651  NewF->removeAttributes(
654 
655  BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF);
656  if (F->isVarArg()) {
658  AttrBuilder().addAttribute("split-stack"));
659  CallInst::Create(DFSanVarargWrapperFn,
660  IRBuilder<>(BB).CreateGlobalStringPtr(F->getName()), "",
661  BB);
662  new UnreachableInst(*Ctx, BB);
663  } else {
664  std::vector<Value *> Args;
665  unsigned n = FT->getNumParams();
666  for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n)
667  Args.push_back(&*ai);
668  CallInst *CI = CallInst::Create(F, Args, "", BB);
669  if (FT->getReturnType()->isVoidTy())
670  ReturnInst::Create(*Ctx, BB);
671  else
672  ReturnInst::Create(*Ctx, CI, BB);
673  }
674 
675  return NewF;
676 }
677 
678 Constant *DataFlowSanitizer::getOrBuildTrampolineFunction(FunctionType *FT,
679  StringRef FName) {
680  FunctionType *FTT = getTrampolineFunctionType(FT);
681  Constant *C = Mod->getOrInsertFunction(FName, FTT);
682  Function *F = dyn_cast<Function>(C);
683  if (F && F->isDeclaration()) {
685  BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", F);
686  std::vector<Value *> Args;
687  Function::arg_iterator AI = F->arg_begin(); ++AI;
688  for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N)
689  Args.push_back(&*AI);
690  CallInst *CI = CallInst::Create(&*F->arg_begin(), Args, "", BB);
691  ReturnInst *RI;
692  if (FT->getReturnType()->isVoidTy())
693  RI = ReturnInst::Create(*Ctx, BB);
694  else
695  RI = ReturnInst::Create(*Ctx, CI, BB);
696 
697  DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true);
698  Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; ++ValAI;
699  for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N)
700  DFSF.ValShadowMap[&*ValAI] = &*ShadowAI;
701  DFSanVisitor(DFSF).visitCallInst(*CI);
702  if (!FT->getReturnType()->isVoidTy())
703  new StoreInst(DFSF.getShadow(RI->getReturnValue()),
704  &*std::prev(F->arg_end()), RI);
705  }
706 
707  return C;
708 }
709 
710 bool DataFlowSanitizer::runOnModule(Module &M) {
711  if (ABIList.isIn(M, "skip"))
712  return false;
713 
714  if (!GetArgTLSPtr) {
715  Type *ArgTLSTy = ArrayType::get(ShadowTy, 64);
716  ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy);
717  if (GlobalVariable *G = dyn_cast<GlobalVariable>(ArgTLS))
718  G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel);
719  }
720  if (!GetRetvalTLSPtr) {
721  RetvalTLS = Mod->getOrInsertGlobal("__dfsan_retval_tls", ShadowTy);
722  if (GlobalVariable *G = dyn_cast<GlobalVariable>(RetvalTLS))
723  G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel);
724  }
725 
726  ExternalShadowMask =
727  Mod->getOrInsertGlobal(kDFSanExternShadowPtrMask, IntptrTy);
728 
729  DFSanUnionFn = Mod->getOrInsertFunction("__dfsan_union", DFSanUnionFnTy);
730  if (Function *F = dyn_cast<Function>(DFSanUnionFn)) {
731  F->addAttribute(AttributeList::FunctionIndex, Attribute::NoUnwind);
732  F->addAttribute(AttributeList::FunctionIndex, Attribute::ReadNone);
733  F->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
734  F->addParamAttr(0, Attribute::ZExt);
735  F->addParamAttr(1, Attribute::ZExt);
736  }
737  DFSanCheckedUnionFn = Mod->getOrInsertFunction("dfsan_union", DFSanUnionFnTy);
738  if (Function *F = dyn_cast<Function>(DFSanCheckedUnionFn)) {
739  F->addAttribute(AttributeList::FunctionIndex, Attribute::NoUnwind);
740  F->addAttribute(AttributeList::FunctionIndex, Attribute::ReadNone);
741  F->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
742  F->addParamAttr(0, Attribute::ZExt);
743  F->addParamAttr(1, Attribute::ZExt);
744  }
745  DFSanUnionLoadFn =
746  Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy);
747  if (Function *F = dyn_cast<Function>(DFSanUnionLoadFn)) {
748  F->addAttribute(AttributeList::FunctionIndex, Attribute::NoUnwind);
749  F->addAttribute(AttributeList::FunctionIndex, Attribute::ReadOnly);
750  F->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
751  }
752  DFSanUnimplementedFn =
753  Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy);
754  DFSanSetLabelFn =
755  Mod->getOrInsertFunction("__dfsan_set_label", DFSanSetLabelFnTy);
756  if (Function *F = dyn_cast<Function>(DFSanSetLabelFn)) {
757  F->addParamAttr(0, Attribute::ZExt);
758  }
759  DFSanNonzeroLabelFn =
760  Mod->getOrInsertFunction("__dfsan_nonzero_label", DFSanNonzeroLabelFnTy);
761  DFSanVarargWrapperFn = Mod->getOrInsertFunction("__dfsan_vararg_wrapper",
762  DFSanVarargWrapperFnTy);
763 
764  std::vector<Function *> FnsToInstrument;
765  SmallPtrSet<Function *, 2> FnsWithNativeABI;
766  for (Function &i : M) {
767  if (!i.isIntrinsic() &&
768  &i != DFSanUnionFn &&
769  &i != DFSanCheckedUnionFn &&
770  &i != DFSanUnionLoadFn &&
771  &i != DFSanUnimplementedFn &&
772  &i != DFSanSetLabelFn &&
773  &i != DFSanNonzeroLabelFn &&
774  &i != DFSanVarargWrapperFn)
775  FnsToInstrument.push_back(&i);
776  }
777 
778  // Give function aliases prefixes when necessary, and build wrappers where the
779  // instrumentedness is inconsistent.
780  for (Module::alias_iterator i = M.alias_begin(), e = M.alias_end(); i != e;) {
781  GlobalAlias *GA = &*i;
782  ++i;
783  // Don't stop on weak. We assume people aren't playing games with the
784  // instrumentedness of overridden weak aliases.
785  if (auto F = dyn_cast<Function>(GA->getBaseObject())) {
786  bool GAInst = isInstrumented(GA), FInst = isInstrumented(F);
787  if (GAInst && FInst) {
788  addGlobalNamePrefix(GA);
789  } else if (GAInst != FInst) {
790  // Non-instrumented alias of an instrumented function, or vice versa.
791  // Replace the alias with a native-ABI wrapper of the aliasee. The pass
792  // below will take care of instrumenting it.
793  Function *NewF =
794  buildWrapperFunction(F, "", GA->getLinkage(), F->getFunctionType());
796  NewF->takeName(GA);
797  GA->eraseFromParent();
798  FnsToInstrument.push_back(NewF);
799  }
800  }
801  }
802 
803  ReadOnlyNoneAttrs.addAttribute(Attribute::ReadOnly)
804  .addAttribute(Attribute::ReadNone);
805 
806  // First, change the ABI of every function in the module. ABI-listed
807  // functions keep their original ABI and get a wrapper function.
808  for (std::vector<Function *>::iterator i = FnsToInstrument.begin(),
809  e = FnsToInstrument.end();
810  i != e; ++i) {
811  Function &F = **i;
812  FunctionType *FT = F.getFunctionType();
813 
814  bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() &&
815  FT->getReturnType()->isVoidTy());
816 
817  if (isInstrumented(&F)) {
818  // Instrumented functions get a 'dfs$' prefix. This allows us to more
819  // easily identify cases of mismatching ABIs.
820  if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) {
821  FunctionType *NewFT = getArgsFunctionType(FT);
822  Function *NewF = Function::Create(NewFT, F.getLinkage(),
823  F.getAddressSpace(), "", &M);
824  NewF->copyAttributesFrom(&F);
825  NewF->removeAttributes(
828  for (Function::arg_iterator FArg = F.arg_begin(),
829  NewFArg = NewF->arg_begin(),
830  FArgEnd = F.arg_end();
831  FArg != FArgEnd; ++FArg, ++NewFArg) {
832  FArg->replaceAllUsesWith(&*NewFArg);
833  }
834  NewF->getBasicBlockList().splice(NewF->begin(), F.getBasicBlockList());
835 
836  for (Function::user_iterator UI = F.user_begin(), UE = F.user_end();
837  UI != UE;) {
838  BlockAddress *BA = dyn_cast<BlockAddress>(*UI);
839  ++UI;
840  if (BA) {
841  BA->replaceAllUsesWith(
842  BlockAddress::get(NewF, BA->getBasicBlock()));
843  delete BA;
844  }
845  }
848  NewF->takeName(&F);
849  F.eraseFromParent();
850  *i = NewF;
851  addGlobalNamePrefix(NewF);
852  } else {
853  addGlobalNamePrefix(&F);
854  }
855  } else if (!IsZeroArgsVoidRet || getWrapperKind(&F) == WK_Custom) {
856  // Build a wrapper function for F. The wrapper simply calls F, and is
857  // added to FnsToInstrument so that any instrumentation according to its
858  // WrapperKind is done in the second pass below.
859  FunctionType *NewFT = getInstrumentedABI() == IA_Args
860  ? getArgsFunctionType(FT)
861  : FT;
862 
863  // If the function being wrapped has local linkage, then preserve the
864  // function's linkage in the wrapper function.
865  GlobalValue::LinkageTypes wrapperLinkage =
866  F.hasLocalLinkage()
867  ? F.getLinkage()
869 
870  Function *NewF = buildWrapperFunction(
871  &F, std::string("dfsw$") + std::string(F.getName()),
872  wrapperLinkage, NewFT);
873  if (getInstrumentedABI() == IA_TLS)
874  NewF->removeAttributes(AttributeList::FunctionIndex, ReadOnlyNoneAttrs);
875 
876  Value *WrappedFnCst =
878  F.replaceAllUsesWith(WrappedFnCst);
879 
880  UnwrappedFnMap[WrappedFnCst] = &F;
881  *i = NewF;
882 
883  if (!F.isDeclaration()) {
884  // This function is probably defining an interposition of an
885  // uninstrumented function and hence needs to keep the original ABI.
886  // But any functions it may call need to use the instrumented ABI, so
887  // we instrument it in a mode which preserves the original ABI.
888  FnsWithNativeABI.insert(&F);
889 
890  // This code needs to rebuild the iterators, as they may be invalidated
891  // by the push_back, taking care that the new range does not include
892  // any functions added by this code.
893  size_t N = i - FnsToInstrument.begin(),
894  Count = e - FnsToInstrument.begin();
895  FnsToInstrument.push_back(&F);
896  i = FnsToInstrument.begin() + N;
897  e = FnsToInstrument.begin() + Count;
898  }
899  // Hopefully, nobody will try to indirectly call a vararg
900  // function... yet.
901  } else if (FT->isVarArg()) {
902  UnwrappedFnMap[&F] = &F;
903  *i = nullptr;
904  }
905  }
906 
907  for (Function *i : FnsToInstrument) {
908  if (!i || i->isDeclaration())
909  continue;
910 
912 
913  DFSanFunction DFSF(*this, i, FnsWithNativeABI.count(i));
914 
915  // DFSanVisitor may create new basic blocks, which confuses df_iterator.
916  // Build a copy of the list before iterating over it.
917  SmallVector<BasicBlock *, 4> BBList(depth_first(&i->getEntryBlock()));
918 
919  for (BasicBlock *i : BBList) {
920  Instruction *Inst = &i->front();
921  while (true) {
922  // DFSanVisitor may split the current basic block, changing the current
923  // instruction's next pointer and moving the next instruction to the
924  // tail block from which we should continue.
925  Instruction *Next = Inst->getNextNode();
926  // DFSanVisitor may delete Inst, so keep track of whether it was a
927  // terminator.
928  bool IsTerminator = Inst->isTerminator();
929  if (!DFSF.SkipInsts.count(Inst))
930  DFSanVisitor(DFSF).visit(Inst);
931  if (IsTerminator)
932  break;
933  Inst = Next;
934  }
935  }
936 
937  // We will not necessarily be able to compute the shadow for every phi node
938  // until we have visited every block. Therefore, the code that handles phi
939  // nodes adds them to the PHIFixups list so that they can be properly
940  // handled here.
941  for (std::vector<std::pair<PHINode *, PHINode *>>::iterator
942  i = DFSF.PHIFixups.begin(),
943  e = DFSF.PHIFixups.end();
944  i != e; ++i) {
945  for (unsigned val = 0, n = i->first->getNumIncomingValues(); val != n;
946  ++val) {
947  i->second->setIncomingValue(
948  val, DFSF.getShadow(i->first->getIncomingValue(val)));
949  }
950  }
951 
952  // -dfsan-debug-nonzero-labels will split the CFG in all kinds of crazy
953  // places (i.e. instructions in basic blocks we haven't even begun visiting
954  // yet). To make our life easier, do this work in a pass after the main
955  // instrumentation.
956  if (ClDebugNonzeroLabels) {
957  for (Value *V : DFSF.NonZeroChecks) {
958  Instruction *Pos;
959  if (Instruction *I = dyn_cast<Instruction>(V))
960  Pos = I->getNextNode();
961  else
962  Pos = &DFSF.F->getEntryBlock().front();
963  while (isa<PHINode>(Pos) || isa<AllocaInst>(Pos))
964  Pos = Pos->getNextNode();
965  IRBuilder<> IRB(Pos);
966  Value *Ne = IRB.CreateICmpNE(V, DFSF.DFS.ZeroShadow);
967  BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen(
968  Ne, Pos, /*Unreachable=*/false, ColdCallWeights));
969  IRBuilder<> ThenIRB(BI);
970  ThenIRB.CreateCall(DFSF.DFS.DFSanNonzeroLabelFn, {});
971  }
972  }
973  }
974 
975  return false;
976 }
977 
978 Value *DFSanFunction::getArgTLSPtr() {
979  if (ArgTLSPtr)
980  return ArgTLSPtr;
981  if (DFS.ArgTLS)
982  return ArgTLSPtr = DFS.ArgTLS;
983 
984  IRBuilder<> IRB(&F->getEntryBlock().front());
985  return ArgTLSPtr = IRB.CreateCall(DFS.GetArgTLS, {});
986 }
987 
988 Value *DFSanFunction::getRetvalTLS() {
989  if (RetvalTLSPtr)
990  return RetvalTLSPtr;
991  if (DFS.RetvalTLS)
992  return RetvalTLSPtr = DFS.RetvalTLS;
993 
994  IRBuilder<> IRB(&F->getEntryBlock().front());
995  return RetvalTLSPtr = IRB.CreateCall(DFS.GetRetvalTLS, {});
996 }
997 
998 Value *DFSanFunction::getArgTLS(unsigned Idx, Instruction *Pos) {
999  IRBuilder<> IRB(Pos);
1000  return IRB.CreateConstGEP2_64(getArgTLSPtr(), 0, Idx);
1001 }
1002 
1003 Value *DFSanFunction::getShadow(Value *V) {
1004  if (!isa<Argument>(V) && !isa<Instruction>(V))
1005  return DFS.ZeroShadow;
1006  Value *&Shadow = ValShadowMap[V];
1007  if (!Shadow) {
1008  if (Argument *A = dyn_cast<Argument>(V)) {
1009  if (IsNativeABI)
1010  return DFS.ZeroShadow;
1011  switch (IA) {
1012  case DataFlowSanitizer::IA_TLS: {
1013  Value *ArgTLSPtr = getArgTLSPtr();
1014  Instruction *ArgTLSPos =
1015  DFS.ArgTLS ? &*F->getEntryBlock().begin()
1016  : cast<Instruction>(ArgTLSPtr)->getNextNode();
1017  IRBuilder<> IRB(ArgTLSPos);
1018  Shadow = IRB.CreateLoad(getArgTLS(A->getArgNo(), ArgTLSPos));
1019  break;
1020  }
1021  case DataFlowSanitizer::IA_Args: {
1022  unsigned ArgIdx = A->getArgNo() + F->arg_size() / 2;
1024  while (ArgIdx--)
1025  ++i;
1026  Shadow = &*i;
1027  assert(Shadow->getType() == DFS.ShadowTy);
1028  break;
1029  }
1030  }
1031  NonZeroChecks.push_back(Shadow);
1032  } else {
1033  Shadow = DFS.ZeroShadow;
1034  }
1035  }
1036  return Shadow;
1037 }
1038 
1039 void DFSanFunction::setShadow(Instruction *I, Value *Shadow) {
1040  assert(!ValShadowMap.count(I));
1041  assert(Shadow->getType() == DFS.ShadowTy);
1042  ValShadowMap[I] = Shadow;
1043 }
1044 
1045 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) {
1046  assert(Addr != RetvalTLS && "Reinstrumenting?");
1047  IRBuilder<> IRB(Pos);
1048  Value *ShadowPtrMaskValue;
1049  if (DFSanRuntimeShadowMask)
1050  ShadowPtrMaskValue = IRB.CreateLoad(IntptrTy, ExternalShadowMask);
1051  else
1052  ShadowPtrMaskValue = ShadowPtrMask;
1053  return IRB.CreateIntToPtr(
1054  IRB.CreateMul(
1055  IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy),
1056  IRB.CreatePtrToInt(ShadowPtrMaskValue, IntptrTy)),
1057  ShadowPtrMul),
1058  ShadowPtrTy);
1059 }
1060 
1061 // Generates IR to compute the union of the two given shadows, inserting it
1062 // before Pos. Returns the computed union Value.
1063 Value *DFSanFunction::combineShadows(Value *V1, Value *V2, Instruction *Pos) {
1064  if (V1 == DFS.ZeroShadow)
1065  return V2;
1066  if (V2 == DFS.ZeroShadow)
1067  return V1;
1068  if (V1 == V2)
1069  return V1;
1070 
1071  auto V1Elems = ShadowElements.find(V1);
1072  auto V2Elems = ShadowElements.find(V2);
1073  if (V1Elems != ShadowElements.end() && V2Elems != ShadowElements.end()) {
1074  if (std::includes(V1Elems->second.begin(), V1Elems->second.end(),
1075  V2Elems->second.begin(), V2Elems->second.end())) {
1076  return V1;
1077  } else if (std::includes(V2Elems->second.begin(), V2Elems->second.end(),
1078  V1Elems->second.begin(), V1Elems->second.end())) {
1079  return V2;
1080  }
1081  } else if (V1Elems != ShadowElements.end()) {
1082  if (V1Elems->second.count(V2))
1083  return V1;
1084  } else if (V2Elems != ShadowElements.end()) {
1085  if (V2Elems->second.count(V1))
1086  return V2;
1087  }
1088 
1089  auto Key = std::make_pair(V1, V2);
1090  if (V1 > V2)
1091  std::swap(Key.first, Key.second);
1092  CachedCombinedShadow &CCS = CachedCombinedShadows[Key];
1093  if (CCS.Block && DT.dominates(CCS.Block, Pos->getParent()))
1094  return CCS.Shadow;
1095 
1096  IRBuilder<> IRB(Pos);
1097  if (AvoidNewBlocks) {
1098  CallInst *Call = IRB.CreateCall(DFS.DFSanCheckedUnionFn, {V1, V2});
1099  Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1100  Call->addParamAttr(0, Attribute::ZExt);
1101  Call->addParamAttr(1, Attribute::ZExt);
1102 
1103  CCS.Block = Pos->getParent();
1104  CCS.Shadow = Call;
1105  } else {
1106  BasicBlock *Head = Pos->getParent();
1107  Value *Ne = IRB.CreateICmpNE(V1, V2);
1108  BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen(
1109  Ne, Pos, /*Unreachable=*/false, DFS.ColdCallWeights, &DT));
1110  IRBuilder<> ThenIRB(BI);
1111  CallInst *Call = ThenIRB.CreateCall(DFS.DFSanUnionFn, {V1, V2});
1112  Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1113  Call->addParamAttr(0, Attribute::ZExt);
1114  Call->addParamAttr(1, Attribute::ZExt);
1115 
1116  BasicBlock *Tail = BI->getSuccessor(0);
1117  PHINode *Phi = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front());
1118  Phi->addIncoming(Call, Call->getParent());
1119  Phi->addIncoming(V1, Head);
1120 
1121  CCS.Block = Tail;
1122  CCS.Shadow = Phi;
1123  }
1124 
1125  std::set<Value *> UnionElems;
1126  if (V1Elems != ShadowElements.end()) {
1127  UnionElems = V1Elems->second;
1128  } else {
1129  UnionElems.insert(V1);
1130  }
1131  if (V2Elems != ShadowElements.end()) {
1132  UnionElems.insert(V2Elems->second.begin(), V2Elems->second.end());
1133  } else {
1134  UnionElems.insert(V2);
1135  }
1136  ShadowElements[CCS.Shadow] = std::move(UnionElems);
1137 
1138  return CCS.Shadow;
1139 }
1140 
1141 // A convenience function which folds the shadows of each of the operands
1142 // of the provided instruction Inst, inserting the IR before Inst. Returns
1143 // the computed union Value.
1144 Value *DFSanFunction::combineOperandShadows(Instruction *Inst) {
1145  if (Inst->getNumOperands() == 0)
1146  return DFS.ZeroShadow;
1147 
1148  Value *Shadow = getShadow(Inst->getOperand(0));
1149  for (unsigned i = 1, n = Inst->getNumOperands(); i != n; ++i) {
1150  Shadow = combineShadows(Shadow, getShadow(Inst->getOperand(i)), Inst);
1151  }
1152  return Shadow;
1153 }
1154 
1155 void DFSanVisitor::visitOperandShadowInst(Instruction &I) {
1156  Value *CombinedShadow = DFSF.combineOperandShadows(&I);
1157  DFSF.setShadow(&I, CombinedShadow);
1158 }
1159 
1160 // Generates IR to load shadow corresponding to bytes [Addr, Addr+Size), where
1161 // Addr has alignment Align, and take the union of each of those shadows.
1162 Value *DFSanFunction::loadShadow(Value *Addr, uint64_t Size, uint64_t Align,
1163  Instruction *Pos) {
1164  if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) {
1165  const auto i = AllocaShadowMap.find(AI);
1166  if (i != AllocaShadowMap.end()) {
1167  IRBuilder<> IRB(Pos);
1168  return IRB.CreateLoad(i->second);
1169  }
1170  }
1171 
1172  uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8;
1174  GetUnderlyingObjects(Addr, Objs, Pos->getModule()->getDataLayout());
1175  bool AllConstants = true;
1176  for (Value *Obj : Objs) {
1177  if (isa<Function>(Obj) || isa<BlockAddress>(Obj))
1178  continue;
1179  if (isa<GlobalVariable>(Obj) && cast<GlobalVariable>(Obj)->isConstant())
1180  continue;
1181 
1182  AllConstants = false;
1183  break;
1184  }
1185  if (AllConstants)
1186  return DFS.ZeroShadow;
1187 
1188  Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos);
1189  switch (Size) {
1190  case 0:
1191  return DFS.ZeroShadow;
1192  case 1: {
1193  LoadInst *LI = new LoadInst(ShadowAddr, "", Pos);
1194  LI->setAlignment(ShadowAlign);
1195  return LI;
1196  }
1197  case 2: {
1198  IRBuilder<> IRB(Pos);
1199  Value *ShadowAddr1 = IRB.CreateGEP(DFS.ShadowTy, ShadowAddr,
1200  ConstantInt::get(DFS.IntptrTy, 1));
1201  return combineShadows(IRB.CreateAlignedLoad(ShadowAddr, ShadowAlign),
1202  IRB.CreateAlignedLoad(ShadowAddr1, ShadowAlign), Pos);
1203  }
1204  }
1205  if (!AvoidNewBlocks && Size % (64 / DFS.ShadowWidth) == 0) {
1206  // Fast path for the common case where each byte has identical shadow: load
1207  // shadow 64 bits at a time, fall out to a __dfsan_union_load call if any
1208  // shadow is non-equal.
1209  BasicBlock *FallbackBB = BasicBlock::Create(*DFS.Ctx, "", F);
1210  IRBuilder<> FallbackIRB(FallbackBB);
1211  CallInst *FallbackCall = FallbackIRB.CreateCall(
1212  DFS.DFSanUnionLoadFn,
1213  {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)});
1214  FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1215 
1216  // Compare each of the shadows stored in the loaded 64 bits to each other,
1217  // by computing (WideShadow rotl ShadowWidth) == WideShadow.
1218  IRBuilder<> IRB(Pos);
1219  Value *WideAddr =
1220  IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx));
1221  Value *WideShadow = IRB.CreateAlignedLoad(WideAddr, ShadowAlign);
1222  Value *TruncShadow = IRB.CreateTrunc(WideShadow, DFS.ShadowTy);
1223  Value *ShlShadow = IRB.CreateShl(WideShadow, DFS.ShadowWidth);
1224  Value *ShrShadow = IRB.CreateLShr(WideShadow, 64 - DFS.ShadowWidth);
1225  Value *RotShadow = IRB.CreateOr(ShlShadow, ShrShadow);
1226  Value *ShadowsEq = IRB.CreateICmpEQ(WideShadow, RotShadow);
1227 
1228  BasicBlock *Head = Pos->getParent();
1229  BasicBlock *Tail = Head->splitBasicBlock(Pos->getIterator());
1230 
1231  if (DomTreeNode *OldNode = DT.getNode(Head)) {
1232  std::vector<DomTreeNode *> Children(OldNode->begin(), OldNode->end());
1233 
1234  DomTreeNode *NewNode = DT.addNewBlock(Tail, Head);
1235  for (auto Child : Children)
1236  DT.changeImmediateDominator(Child, NewNode);
1237  }
1238 
1239  // In the following code LastBr will refer to the previous basic block's
1240  // conditional branch instruction, whose true successor is fixed up to point
1241  // to the next block during the loop below or to the tail after the final
1242  // iteration.
1243  BranchInst *LastBr = BranchInst::Create(FallbackBB, FallbackBB, ShadowsEq);
1244  ReplaceInstWithInst(Head->getTerminator(), LastBr);
1245  DT.addNewBlock(FallbackBB, Head);
1246 
1247  for (uint64_t Ofs = 64 / DFS.ShadowWidth; Ofs != Size;
1248  Ofs += 64 / DFS.ShadowWidth) {
1249  BasicBlock *NextBB = BasicBlock::Create(*DFS.Ctx, "", F);
1250  DT.addNewBlock(NextBB, LastBr->getParent());
1251  IRBuilder<> NextIRB(NextBB);
1252  WideAddr = NextIRB.CreateGEP(Type::getInt64Ty(*DFS.Ctx), WideAddr,
1253  ConstantInt::get(DFS.IntptrTy, 1));
1254  Value *NextWideShadow = NextIRB.CreateAlignedLoad(WideAddr, ShadowAlign);
1255  ShadowsEq = NextIRB.CreateICmpEQ(WideShadow, NextWideShadow);
1256  LastBr->setSuccessor(0, NextBB);
1257  LastBr = NextIRB.CreateCondBr(ShadowsEq, FallbackBB, FallbackBB);
1258  }
1259 
1260  LastBr->setSuccessor(0, Tail);
1261  FallbackIRB.CreateBr(Tail);
1262  PHINode *Shadow = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front());
1263  Shadow->addIncoming(FallbackCall, FallbackBB);
1264  Shadow->addIncoming(TruncShadow, LastBr->getParent());
1265  return Shadow;
1266  }
1267 
1268  IRBuilder<> IRB(Pos);
1269  CallInst *FallbackCall = IRB.CreateCall(
1270  DFS.DFSanUnionLoadFn, {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)});
1271  FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1272  return FallbackCall;
1273 }
1274 
1275 void DFSanVisitor::visitLoadInst(LoadInst &LI) {
1276  auto &DL = LI.getModule()->getDataLayout();
1277  uint64_t Size = DL.getTypeStoreSize(LI.getType());
1278  if (Size == 0) {
1279  DFSF.setShadow(&LI, DFSF.DFS.ZeroShadow);
1280  return;
1281  }
1282 
1283  uint64_t Align;
1284  if (ClPreserveAlignment) {
1285  Align = LI.getAlignment();
1286  if (Align == 0)
1287  Align = DL.getABITypeAlignment(LI.getType());
1288  } else {
1289  Align = 1;
1290  }
1291  IRBuilder<> IRB(&LI);
1292  Value *Shadow = DFSF.loadShadow(LI.getPointerOperand(), Size, Align, &LI);
1294  Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand());
1295  Shadow = DFSF.combineShadows(Shadow, PtrShadow, &LI);
1296  }
1297  if (Shadow != DFSF.DFS.ZeroShadow)
1298  DFSF.NonZeroChecks.push_back(Shadow);
1299 
1300  DFSF.setShadow(&LI, Shadow);
1301 }
1302 
1303 void DFSanFunction::storeShadow(Value *Addr, uint64_t Size, uint64_t Align,
1304  Value *Shadow, Instruction *Pos) {
1305  if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) {
1306  const auto i = AllocaShadowMap.find(AI);
1307  if (i != AllocaShadowMap.end()) {
1308  IRBuilder<> IRB(Pos);
1309  IRB.CreateStore(Shadow, i->second);
1310  return;
1311  }
1312  }
1313 
1314  uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8;
1315  IRBuilder<> IRB(Pos);
1316  Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos);
1317  if (Shadow == DFS.ZeroShadow) {
1318  IntegerType *ShadowTy = IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidth);
1319  Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0);
1320  Value *ExtShadowAddr =
1321  IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy));
1322  IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign);
1323  return;
1324  }
1325 
1326  const unsigned ShadowVecSize = 128 / DFS.ShadowWidth;
1327  uint64_t Offset = 0;
1328  if (Size >= ShadowVecSize) {
1329  VectorType *ShadowVecTy = VectorType::get(DFS.ShadowTy, ShadowVecSize);
1330  Value *ShadowVec = UndefValue::get(ShadowVecTy);
1331  for (unsigned i = 0; i != ShadowVecSize; ++i) {
1332  ShadowVec = IRB.CreateInsertElement(
1333  ShadowVec, Shadow, ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), i));
1334  }
1335  Value *ShadowVecAddr =
1336  IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy));
1337  do {
1338  Value *CurShadowVecAddr =
1339  IRB.CreateConstGEP1_32(ShadowVecTy, ShadowVecAddr, Offset);
1340  IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign);
1341  Size -= ShadowVecSize;
1342  ++Offset;
1343  } while (Size >= ShadowVecSize);
1344  Offset *= ShadowVecSize;
1345  }
1346  while (Size > 0) {
1347  Value *CurShadowAddr =
1348  IRB.CreateConstGEP1_32(DFS.ShadowTy, ShadowAddr, Offset);
1349  IRB.CreateAlignedStore(Shadow, CurShadowAddr, ShadowAlign);
1350  --Size;
1351  ++Offset;
1352  }
1353 }
1354 
1355 void DFSanVisitor::visitStoreInst(StoreInst &SI) {
1356  auto &DL = SI.getModule()->getDataLayout();
1357  uint64_t Size = DL.getTypeStoreSize(SI.getValueOperand()->getType());
1358  if (Size == 0)
1359  return;
1360 
1361  uint64_t Align;
1362  if (ClPreserveAlignment) {
1363  Align = SI.getAlignment();
1364  if (Align == 0)
1365  Align = DL.getABITypeAlignment(SI.getValueOperand()->getType());
1366  } else {
1367  Align = 1;
1368  }
1369 
1370  Value* Shadow = DFSF.getShadow(SI.getValueOperand());
1372  Value *PtrShadow = DFSF.getShadow(SI.getPointerOperand());
1373  Shadow = DFSF.combineShadows(Shadow, PtrShadow, &SI);
1374  }
1375  DFSF.storeShadow(SI.getPointerOperand(), Size, Align, Shadow, &SI);
1376 }
1377 
1378 void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) {
1379  visitOperandShadowInst(BO);
1380 }
1381 
1382 void DFSanVisitor::visitCastInst(CastInst &CI) { visitOperandShadowInst(CI); }
1383 
1384 void DFSanVisitor::visitCmpInst(CmpInst &CI) { visitOperandShadowInst(CI); }
1385 
1386 void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) {
1387  visitOperandShadowInst(GEPI);
1388 }
1389 
1390 void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) {
1391  visitOperandShadowInst(I);
1392 }
1393 
1394 void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) {
1395  visitOperandShadowInst(I);
1396 }
1397 
1398 void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) {
1399  visitOperandShadowInst(I);
1400 }
1401 
1402 void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) {
1403  visitOperandShadowInst(I);
1404 }
1405 
1406 void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) {
1407  visitOperandShadowInst(I);
1408 }
1409 
1410 void DFSanVisitor::visitAllocaInst(AllocaInst &I) {
1411  bool AllLoadsStores = true;
1412  for (User *U : I.users()) {
1413  if (isa<LoadInst>(U))
1414  continue;
1415 
1416  if (StoreInst *SI = dyn_cast<StoreInst>(U)) {
1417  if (SI->getPointerOperand() == &I)
1418  continue;
1419  }
1420 
1421  AllLoadsStores = false;
1422  break;
1423  }
1424  if (AllLoadsStores) {
1425  IRBuilder<> IRB(&I);
1426  DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.ShadowTy);
1427  }
1428  DFSF.setShadow(&I, DFSF.DFS.ZeroShadow);
1429 }
1430 
1431 void DFSanVisitor::visitSelectInst(SelectInst &I) {
1432  Value *CondShadow = DFSF.getShadow(I.getCondition());
1433  Value *TrueShadow = DFSF.getShadow(I.getTrueValue());
1434  Value *FalseShadow = DFSF.getShadow(I.getFalseValue());
1435 
1436  if (isa<VectorType>(I.getCondition()->getType())) {
1437  DFSF.setShadow(
1438  &I,
1439  DFSF.combineShadows(
1440  CondShadow, DFSF.combineShadows(TrueShadow, FalseShadow, &I), &I));
1441  } else {
1442  Value *ShadowSel;
1443  if (TrueShadow == FalseShadow) {
1444  ShadowSel = TrueShadow;
1445  } else {
1446  ShadowSel =
1447  SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I);
1448  }
1449  DFSF.setShadow(&I, DFSF.combineShadows(CondShadow, ShadowSel, &I));
1450  }
1451 }
1452 
1453 void DFSanVisitor::visitMemSetInst(MemSetInst &I) {
1454  IRBuilder<> IRB(&I);
1455  Value *ValShadow = DFSF.getShadow(I.getValue());
1456  IRB.CreateCall(DFSF.DFS.DFSanSetLabelFn,
1457  {ValShadow, IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy(
1458  *DFSF.DFS.Ctx)),
1459  IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)});
1460 }
1461 
1462 void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) {
1463  IRBuilder<> IRB(&I);
1464  Value *DestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I);
1465  Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I);
1466  Value *LenShadow = IRB.CreateMul(
1467  I.getLength(),
1468  ConstantInt::get(I.getLength()->getType(), DFSF.DFS.ShadowWidth / 8));
1469  Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx);
1470  DestShadow = IRB.CreateBitCast(DestShadow, Int8Ptr);
1471  SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr);
1472  auto *MTI = cast<MemTransferInst>(
1473  IRB.CreateCall(I.getCalledValue(),
1474  {DestShadow, SrcShadow, LenShadow, I.getVolatileCst()}));
1475  if (ClPreserveAlignment) {
1476  MTI->setDestAlignment(I.getDestAlignment() * (DFSF.DFS.ShadowWidth / 8));
1477  MTI->setSourceAlignment(I.getSourceAlignment() * (DFSF.DFS.ShadowWidth / 8));
1478  } else {
1479  MTI->setDestAlignment(DFSF.DFS.ShadowWidth / 8);
1480  MTI->setSourceAlignment(DFSF.DFS.ShadowWidth / 8);
1481  }
1482 }
1483 
1484 void DFSanVisitor::visitReturnInst(ReturnInst &RI) {
1485  if (!DFSF.IsNativeABI && RI.getReturnValue()) {
1486  switch (DFSF.IA) {
1487  case DataFlowSanitizer::IA_TLS: {
1488  Value *S = DFSF.getShadow(RI.getReturnValue());
1489  IRBuilder<> IRB(&RI);
1490  IRB.CreateStore(S, DFSF.getRetvalTLS());
1491  break;
1492  }
1493  case DataFlowSanitizer::IA_Args: {
1494  IRBuilder<> IRB(&RI);
1495  Type *RT = DFSF.F->getFunctionType()->getReturnType();
1496  Value *InsVal =
1498  Value *InsShadow =
1499  IRB.CreateInsertValue(InsVal, DFSF.getShadow(RI.getReturnValue()), 1);
1500  RI.setOperand(0, InsShadow);
1501  break;
1502  }
1503  }
1504  }
1505 }
1506 
1507 void DFSanVisitor::visitCallSite(CallSite CS) {
1508  Function *F = CS.getCalledFunction();
1509  if ((F && F->isIntrinsic()) || isa<InlineAsm>(CS.getCalledValue())) {
1510  visitOperandShadowInst(*CS.getInstruction());
1511  return;
1512  }
1513 
1514  // Calls to this function are synthesized in wrappers, and we shouldn't
1515  // instrument them.
1516  if (F == DFSF.DFS.DFSanVarargWrapperFn)
1517  return;
1518 
1519  IRBuilder<> IRB(CS.getInstruction());
1520 
1522  DFSF.DFS.UnwrappedFnMap.find(CS.getCalledValue());
1523  if (i != DFSF.DFS.UnwrappedFnMap.end()) {
1524  Function *F = i->second;
1525  switch (DFSF.DFS.getWrapperKind(F)) {
1526  case DataFlowSanitizer::WK_Warning:
1527  CS.setCalledFunction(F);
1528  IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn,
1529  IRB.CreateGlobalStringPtr(F->getName()));
1530  DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow);
1531  return;
1532  case DataFlowSanitizer::WK_Discard:
1533  CS.setCalledFunction(F);
1534  DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow);
1535  return;
1536  case DataFlowSanitizer::WK_Functional:
1537  CS.setCalledFunction(F);
1538  visitOperandShadowInst(*CS.getInstruction());
1539  return;
1540  case DataFlowSanitizer::WK_Custom:
1541  // Don't try to handle invokes of custom functions, it's too complicated.
1542  // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_
1543  // wrapper.
1544  if (CallInst *CI = dyn_cast<CallInst>(CS.getInstruction())) {
1545  FunctionType *FT = F->getFunctionType();
1546  TransformedFunction CustomFn = DFSF.DFS.getCustomFunctionType(FT);
1547  std::string CustomFName = "__dfsw_";
1548  CustomFName += F->getName();
1549  Constant *CustomF = DFSF.DFS.Mod->getOrInsertFunction(
1550  CustomFName, CustomFn.TransformedType);
1551  if (Function *CustomFn = dyn_cast<Function>(CustomF)) {
1552  CustomFn->copyAttributesFrom(F);
1553 
1554  // Custom functions returning non-void will write to the return label.
1555  if (!FT->getReturnType()->isVoidTy()) {
1556  CustomFn->removeAttributes(AttributeList::FunctionIndex,
1557  DFSF.DFS.ReadOnlyNoneAttrs);
1558  }
1559  }
1560 
1561  std::vector<Value *> Args;
1562 
1564  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) {
1565  Type *T = (*i)->getType();
1566  FunctionType *ParamFT;
1567  if (isa<PointerType>(T) &&
1568  (ParamFT = dyn_cast<FunctionType>(
1569  cast<PointerType>(T)->getElementType()))) {
1570  std::string TName = "dfst";
1571  TName += utostr(FT->getNumParams() - n);
1572  TName += "$";
1573  TName += F->getName();
1574  Constant *T = DFSF.DFS.getOrBuildTrampolineFunction(ParamFT, TName);
1575  Args.push_back(T);
1576  Args.push_back(
1577  IRB.CreateBitCast(*i, Type::getInt8PtrTy(*DFSF.DFS.Ctx)));
1578  } else {
1579  Args.push_back(*i);
1580  }
1581  }
1582 
1583  i = CS.arg_begin();
1584  const unsigned ShadowArgStart = Args.size();
1585  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1586  Args.push_back(DFSF.getShadow(*i));
1587 
1588  if (FT->isVarArg()) {
1589  auto *LabelVATy = ArrayType::get(DFSF.DFS.ShadowTy,
1590  CS.arg_size() - FT->getNumParams());
1591  auto *LabelVAAlloca = new AllocaInst(
1592  LabelVATy, getDataLayout().getAllocaAddrSpace(),
1593  "labelva", &DFSF.F->getEntryBlock().front());
1594 
1595  for (unsigned n = 0; i != CS.arg_end(); ++i, ++n) {
1596  auto LabelVAPtr = IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, n);
1597  IRB.CreateStore(DFSF.getShadow(*i), LabelVAPtr);
1598  }
1599 
1600  Args.push_back(IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, 0));
1601  }
1602 
1603  if (!FT->getReturnType()->isVoidTy()) {
1604  if (!DFSF.LabelReturnAlloca) {
1605  DFSF.LabelReturnAlloca =
1606  new AllocaInst(DFSF.DFS.ShadowTy,
1607  getDataLayout().getAllocaAddrSpace(),
1608  "labelreturn", &DFSF.F->getEntryBlock().front());
1609  }
1610  Args.push_back(DFSF.LabelReturnAlloca);
1611  }
1612 
1613  for (i = CS.arg_begin() + FT->getNumParams(); i != CS.arg_end(); ++i)
1614  Args.push_back(*i);
1615 
1616  CallInst *CustomCI = IRB.CreateCall(CustomF, Args);
1617  CustomCI->setCallingConv(CI->getCallingConv());
1618  CustomCI->setAttributes(TransformFunctionAttributes(CustomFn,
1619  CI->getContext(), CI->getAttributes()));
1620 
1621  // Update the parameter attributes of the custom call instruction to
1622  // zero extend the shadow parameters. This is required for targets
1623  // which consider ShadowTy an illegal type.
1624  for (unsigned n = 0; n < FT->getNumParams(); n++) {
1625  const unsigned ArgNo = ShadowArgStart + n;
1626  if (CustomCI->getArgOperand(ArgNo)->getType() == DFSF.DFS.ShadowTy)
1627  CustomCI->addParamAttr(ArgNo, Attribute::ZExt);
1628  }
1629 
1630  if (!FT->getReturnType()->isVoidTy()) {
1631  LoadInst *LabelLoad = IRB.CreateLoad(DFSF.LabelReturnAlloca);
1632  DFSF.setShadow(CustomCI, LabelLoad);
1633  }
1634 
1635  CI->replaceAllUsesWith(CustomCI);
1636  CI->eraseFromParent();
1637  return;
1638  }
1639  break;
1640  }
1641  }
1642 
1643  FunctionType *FT = cast<FunctionType>(
1645  if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
1646  for (unsigned i = 0, n = FT->getNumParams(); i != n; ++i) {
1647  IRB.CreateStore(DFSF.getShadow(CS.getArgument(i)),
1648  DFSF.getArgTLS(i, CS.getInstruction()));
1649  }
1650  }
1651 
1652  Instruction *Next = nullptr;
1653  if (!CS.getType()->isVoidTy()) {
1654  if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) {
1655  if (II->getNormalDest()->getSinglePredecessor()) {
1656  Next = &II->getNormalDest()->front();
1657  } else {
1658  BasicBlock *NewBB =
1659  SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DT);
1660  Next = &NewBB->front();
1661  }
1662  } else {
1663  assert(CS->getIterator() != CS->getParent()->end());
1664  Next = CS->getNextNode();
1665  }
1666 
1667  if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
1668  IRBuilder<> NextIRB(Next);
1669  LoadInst *LI = NextIRB.CreateLoad(DFSF.getRetvalTLS());
1670  DFSF.SkipInsts.insert(LI);
1671  DFSF.setShadow(CS.getInstruction(), LI);
1672  DFSF.NonZeroChecks.push_back(LI);
1673  }
1674  }
1675 
1676  // Do all instrumentation for IA_Args down here to defer tampering with the
1677  // CFG in a way that SplitEdge may be able to detect.
1678  if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) {
1679  FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT);
1680  Value *Func =
1681  IRB.CreateBitCast(CS.getCalledValue(), PointerType::getUnqual(NewFT));
1682  std::vector<Value *> Args;
1683 
1684  CallSite::arg_iterator i = CS.arg_begin(), e = CS.arg_end();
1685  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1686  Args.push_back(*i);
1687 
1688  i = CS.arg_begin();
1689  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1690  Args.push_back(DFSF.getShadow(*i));
1691 
1692  if (FT->isVarArg()) {
1693  unsigned VarArgSize = CS.arg_size() - FT->getNumParams();
1694  ArrayType *VarArgArrayTy = ArrayType::get(DFSF.DFS.ShadowTy, VarArgSize);
1695  AllocaInst *VarArgShadow =
1696  new AllocaInst(VarArgArrayTy, getDataLayout().getAllocaAddrSpace(),
1697  "", &DFSF.F->getEntryBlock().front());
1698  Args.push_back(IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, 0));
1699  for (unsigned n = 0; i != e; ++i, ++n) {
1700  IRB.CreateStore(
1701  DFSF.getShadow(*i),
1702  IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, n));
1703  Args.push_back(*i);
1704  }
1705  }
1706 
1707  CallSite NewCS;
1708  if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) {
1709  NewCS = IRB.CreateInvoke(Func, II->getNormalDest(), II->getUnwindDest(),
1710  Args);
1711  } else {
1712  NewCS = IRB.CreateCall(Func, Args);
1713  }
1714  NewCS.setCallingConv(CS.getCallingConv());
1716  *DFSF.DFS.Ctx, AttributeList::ReturnIndex,
1718 
1719  if (Next) {
1720  ExtractValueInst *ExVal =
1721  ExtractValueInst::Create(NewCS.getInstruction(), 0, "", Next);
1722  DFSF.SkipInsts.insert(ExVal);
1723  ExtractValueInst *ExShadow =
1724  ExtractValueInst::Create(NewCS.getInstruction(), 1, "", Next);
1725  DFSF.SkipInsts.insert(ExShadow);
1726  DFSF.setShadow(ExVal, ExShadow);
1727  DFSF.NonZeroChecks.push_back(ExShadow);
1728 
1729  CS.getInstruction()->replaceAllUsesWith(ExVal);
1730  }
1731 
1733  }
1734 }
1735 
1736 void DFSanVisitor::visitPHINode(PHINode &PN) {
1737  PHINode *ShadowPN =
1738  PHINode::Create(DFSF.DFS.ShadowTy, PN.getNumIncomingValues(), "", &PN);
1739 
1740  // Give the shadow phi node valid predecessors to fool SplitEdge into working.
1741  Value *UndefShadow = UndefValue::get(DFSF.DFS.ShadowTy);
1742  for (PHINode::block_iterator i = PN.block_begin(), e = PN.block_end(); i != e;
1743  ++i) {
1744  ShadowPN->addIncoming(UndefShadow, *i);
1745  }
1746 
1747  DFSF.PHIFixups.push_back(std::make_pair(&PN, ShadowPN));
1748  DFSF.setShadow(&PN, ShadowPN);
1749 }
size_t size() const
Definition: Function.h:661
bool isVarArg() const
isVarArg - Return true if this function takes a variable number of arguments.
Definition: Function.h:177
uint64_t CallInst * C
Return a value (possibly void), from a function.
Value * getValueOperand()
Definition: Instructions.h:399
User::op_iterator arg_iterator
The type of iterator to use when looping over actual arguments at this call site. ...
Definition: CallSite.h:213
bool isIntrinsic() const
isIntrinsic - Returns true if the function&#39;s name starts with "llvm.".
Definition: Function.h:199
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks &#39;this&#39; from the containing basic block and deletes it.
Definition: Instruction.cpp:68
static cl::list< std::string > ClABIListFiles("dfsan-abilist", cl::desc("File listing native ABI functions and how the pass treats them"), cl::Hidden)
void push_back(const T &Elt)
Definition: SmallVector.h:218
A parsed version of the target data layout string in and methods for querying it. ...
Definition: DataLayout.h:111
constexpr char Align[]
Key for Kernel::Arg::Metadata::mAlign.
const std::string & getTargetTriple() const
Get the target triple which is a string describing the target host.
Definition: Module.h:239
BranchInst * CreateCondBr(Value *Cond, BasicBlock *True, BasicBlock *False, MDNode *BranchWeights=nullptr, MDNode *Unpredictable=nullptr)
Create a conditional &#39;br Cond, TrueDest, FalseDest&#39; instruction.
Definition: IRBuilder.h:842
const GlobalObject * getBaseObject() const
void ReplaceInstWithInst(BasicBlock::InstListType &BIL, BasicBlock::iterator &BI, Instruction *I)
Replace the instruction specified by BI with the instruction specified by I.
This class is the base class for the comparison instructions.
Definition: InstrTypes.h:675
Value * CreateConstGEP1_32(Value *Ptr, unsigned Idx0, const Twine &Name="")
Definition: IRBuilder.h:1432
static bool isConstant(const MachineInstr &MI)
bool hasLocalLinkage() const
Definition: GlobalValue.h:436
void addIncoming(Value *V, BasicBlock *BB)
Add an incoming value to the end of the PHI list.
This instruction extracts a struct member or array element value from an aggregate value...
This class represents an incoming formal argument to a Function.
Definition: Argument.h:30
AllocaInst * CreateAlloca(Type *Ty, unsigned AddrSpace, Value *ArraySize=nullptr, const Twine &Name="")
Definition: IRBuilder.h:1292
Base class for instruction visitors.
Definition: InstVisitor.h:81
unsigned arg_size() const
Definition: CallSite.h:219
Value * CreateICmpNE(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1740
CallingConv::ID getCallingConv() const
Get the calling convention of the call.
Definition: CallSite.h:312
NodeTy * getNextNode()
Get the next node, or nullptr for the list tail.
Definition: ilist_node.h:289
void addAttribute(unsigned i, Attribute::AttrKind Kind)
adds the attribute to the list of attributes.
LLVM_ATTRIBUTE_NORETURN void report_fatal_error(Error Err, bool gen_crash_diag=true)
Report a serious error, calling any installed error handler.
Definition: Error.cpp:139
Compute iterated dominance frontiers using a linear time algorithm.
Definition: AllocatorList.h:24
Type * getParamType(unsigned i) const
Parameter type accessors.
Definition: DerivedTypes.h:135
void addParamAttr(unsigned ArgNo, Attribute::AttrKind Kind)
adds the attribute to the list of attributes for the given arg.
Definition: Function.cpp:387
A Module instance is used to store all the information related to an LLVM module. ...
Definition: Module.h:64
Implements a dense probed hash-table based set.
Definition: DenseSet.h:221
void recalculate(ParentType &Func)
recalculate - compute a dominator tree for the given function
bool removeUnreachableBlocks(Function &F, LazyValueInfo *LVI=nullptr, DomTreeUpdater *DTU=nullptr, MemorySSAUpdater *MSSAU=nullptr)
Remove all blocks that can not be reached from the function&#39;s entry.
Definition: Local.cpp:2218
This class represents a function call, abstracting a target machine&#39;s calling convention.
unsigned getSourceAlignment() const
const Value * getTrueValue() const
Value * getValue() const
static Constant * getIntToPtr(Constant *C, Type *Ty, bool OnlyIfReduced=false)
Definition: Constants.cpp:1737
This instruction constructs a fixed permutation of two input vectors.
static SelectInst * Create(Value *C, Value *S1, Value *S2, const Twine &NameStr="", Instruction *InsertBefore=nullptr, Instruction *MDFrom=nullptr)
LLVMContext & getContext() const
All values hold a context through their type.
Definition: Value.cpp:714
bool isTerminator() const
Definition: Instruction.h:129
This class wraps the llvm.memset intrinsic.
BasicBlock * getSuccessor(unsigned i) const
arg_iterator arg_end()
Definition: Function.h:680
static cl::opt< bool > ClCombinePointerLabelsOnStore("dfsan-combine-pointer-labels-on-store", cl::desc("Combine the label of the pointer with the label of the data when " "storing in memory."), cl::Hidden, cl::init(false))
Metadata node.
Definition: Metadata.h:864
F(f)
static CallInst * Create(Value *Func, ArrayRef< Value *> Args, ArrayRef< OperandBundleDef > Bundles=None, const Twine &NameStr="", Instruction *InsertBefore=nullptr)
param_iterator param_end() const
Definition: DerivedTypes.h:129
An instruction for reading from memory.
Definition: Instructions.h:168
static IntegerType * getInt64Ty(LLVMContext &C)
Definition: Type.cpp:177
Value * getLength() const
INITIALIZE_PASS(DataFlowSanitizer, "dfsan", "DataFlowSanitizer: dynamic data flow analysis.", false, false) ModulePass *llvm
void addParamAttr(unsigned ArgNo, Attribute::AttrKind Kind)
Adds the attribute to the indicated argument.
static PointerType * getInt64PtrTy(LLVMContext &C, unsigned AS=0)
Definition: Type.cpp:232
static std::unique_ptr< SpecialCaseList > createOrDie(const std::vector< std::string > &Paths)
Parses the special case list entries from files.
void eraseFromParent()
eraseFromParent - This method unlinks &#39;this&#39; from the containing module and deletes it...
Definition: Globals.cpp:456
block_iterator block_end()
Value * getDest() const
This is just like getRawDest, but it strips off any cast instructions (including addrspacecast) that ...
StoreInst * CreateAlignedStore(Value *Val, Value *Ptr, unsigned Align, bool isVolatile=false)
Definition: IRBuilder.h:1346
iterator begin()
Instruction iterator methods.
Definition: BasicBlock.h:264
BasicBlock * SplitEdge(BasicBlock *From, BasicBlock *To, DominatorTree *DT=nullptr, LoopInfo *LI=nullptr, MemorySSAUpdater *MSSAU=nullptr)
Split the edge connecting specified block.
static ReturnInst * Create(LLVMContext &C, Value *retVal=nullptr, Instruction *InsertBefore=nullptr)
static cl::opt< bool > ClArgsABI("dfsan-args-abi", cl::desc("Use the argument ABI rather than the TLS ABI"), cl::Hidden)
The address of a basic block.
Definition: Constants.h:836
Definition: BitVector.h:938
This class represents the LLVM &#39;select&#39; instruction.
Type * getPointerElementType() const
Definition: Type.h:376
const DataLayout & getDataLayout() const
Get the data layout for the module&#39;s target platform.
Definition: Module.cpp:364
This is the base class for all instructions that perform data casts.
Definition: InstrTypes.h:392
ArrayRef< T > makeArrayRef(const T &OneElt)
Construct an ArrayRef from a single element.
Definition: ArrayRef.h:451
Class to represent struct types.
Definition: DerivedTypes.h:201
LLVMContext & getContext() const
Get the global data context.
Definition: Module.h:243
PointerType * getPointerTo(unsigned AddrSpace=0) const
Return a pointer to the current type.
Definition: Type.cpp:639
IterTy arg_end() const
Definition: CallSite.h:575
This provides a uniform API for creating instructions and inserting them into a basic block: either a...
Definition: IRBuilder.h:731
This file contains the simple types necessary to represent the attributes associated with functions a...
AttributeSet getRetAttributes() const
The attributes for the ret value are returned.
InstrTy * getInstruction() const
Definition: CallSite.h:92
void setModuleInlineAsm(StringRef Asm)
Set the module-scope inline assembly blocks.
Definition: Module.h:286
void setName(const Twine &Name)
Change the name of the value.
Definition: Value.cpp:295
unsigned getDestAlignment() const
block_iterator block_begin()
static StructType * get(LLVMContext &Context, ArrayRef< Type *> Elements, bool isPacked=false)
This static method is the primary way to create a literal StructType.
Definition: Type.cpp:336
StoreInst * CreateStore(Value *Val, Value *Ptr, bool isVolatile=false)
Definition: IRBuilder.h:1321
Value * CreateIntToPtr(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1624
ValTy * getCalledValue() const
Return the pointer to function that is being called.
Definition: CallSite.h:100
Key
PAL metadata keys.
Class to represent function types.
Definition: DerivedTypes.h:103
Value * CreateBitCast(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1629
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:245
AttributeList removeAttributes(LLVMContext &C, unsigned Index, const AttrBuilder &AttrsToRemove) const
Remove the specified attributes at the specified index from this attribute list.
ArchType getArch() const
getArch - Get the parsed architecture type of this triple.
Definition: Triple.h:286
Class to represent array types.
Definition: DerivedTypes.h:369
AttributeSet getParamAttributes(unsigned ArgNo) const
The attributes for the argument or parameter at the given index are returned.
void setAttributes(AttributeList A)
Set the parameter attributes for this call.
bool isVarArg() const
Definition: DerivedTypes.h:123
BasicBlock * getBasicBlock() const
Definition: Constants.h:863
An instruction for storing to memory.
Definition: Instructions.h:310
LinkageTypes getLinkage() const
Definition: GlobalValue.h:451
void replaceAllUsesWith(Value *V)
Change all uses of this to point to a new Value.
Definition: Value.cpp:439
void takeName(Value *V)
Transfer the name from V to this value.
Definition: Value.cpp:301
iterator begin()
Definition: Function.h:656
Concrete subclass of DominatorTreeBase that is used to compute a normal dominator tree...
Definition: Dominators.h:145
Value * getOperand(unsigned i) const
Definition: User.h:170
Class to represent pointers.
Definition: DerivedTypes.h:467
Value * CreateOr(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1130
iterator find(const_arg_type_t< KeyT > Val)
Definition: DenseMap.h:146
static Constant * getBitCast(Constant *C, Type *Ty, bool OnlyIfReduced=false)
Definition: Constants.cpp:1750
bool isVoidTy() const
Return true if this is &#39;void&#39;.
Definition: Type.h:141
const BasicBlock & getEntryBlock() const
Definition: Function.h:640
an instruction for type-safe pointer arithmetic to access elements of arrays and structs ...
Definition: Instructions.h:841
LoadInst * CreateLoad(Value *Ptr, const char *Name)
Provided to resolve &#39;CreateLoad(Ptr, "...")&#39; correctly, instead of converting the string to &#39;bool&#39; fo...
Definition: IRBuilder.h:1305
IntegerType * getIntPtrType(LLVMContext &C, unsigned AddressSpace=0) const
Returns an integer type with size at least as big as that of a pointer in the given address space...
Definition: DataLayout.cpp:742
void setAttributes(AttributeList PAL)
Set the parameter attributes of the call.
Definition: CallSite.h:333
Same, but only replaced by something equivalent.
Definition: GlobalValue.h:52
initializer< Ty > init(const Ty &Val)
Definition: CommandLine.h:410
This instruction inserts a single (scalar) element into a VectorType value.
static Function * Create(FunctionType *Ty, LinkageTypes Linkage, unsigned AddrSpace, const Twine &N="", Module *M=nullptr)
Definition: Function.h:136
LLVM Basic Block Representation.
Definition: BasicBlock.h:59
The instances of the Type class are immutable: once they are created, they are never changed...
Definition: Type.h:46
This is an important class for using LLVM in a threaded context.
Definition: LLVMContext.h:69
Conditional or Unconditional Branch instruction.
static ExtractValueInst * Create(Value *Agg, ArrayRef< unsigned > Idxs, const Twine &NameStr="", Instruction *InsertBefore=nullptr)
static BlockAddress * get(Function *F, BasicBlock *BB)
Return a BlockAddress for the specified function and basic block.
Definition: Constants.cpp:1411
This function has undefined behavior.
This is an important base class in LLVM.
Definition: Constant.h:42
void copyAttributesFrom(const Function *Src)
copyAttributesFrom - copy all additional attributes (those not needed to create a Function) from the ...
Definition: Function.cpp:485
This file contains the declarations for the subclasses of Constant, which represent the different fla...
const Instruction & front() const
Definition: BasicBlock.h:276
static const char *const kDFSanExternShadowPtrMask
unsigned getNumParams() const
Return the number of fixed parameters this function type requires.
Definition: DerivedTypes.h:139
std::pair< iterator, bool > insert(PtrType Ptr)
Inserts Ptr if and only if there is no element in the container equal to Ptr.
Definition: SmallPtrSet.h:371
Value * CreateConstGEP2_64(Value *Ptr, uint64_t Idx0, uint64_t Idx1, const Twine &Name="")
Definition: IRBuilder.h:1501
param_iterator param_begin() const
Definition: DerivedTypes.h:128
void addAttribute(unsigned i, Attribute::AttrKind Kind)
adds the attribute to the list of attributes.
Definition: Function.cpp:369
static Type * getVoidTy(LLVMContext &C)
Definition: Type.cpp:161
void splice(iterator where, iplist_impl &L2)
Definition: ilist.h:329
static cl::opt< bool > ClDebugNonzeroLabels("dfsan-debug-nonzero-labels", cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, " "load or return with a nonzero label"), cl::Hidden)
unsigned getAddressSpace() const
Definition: Globals.cpp:111
void setCallingConv(CallingConv::ID CC)
Set the calling convention of the call.
Definition: CallSite.h:316
static FunctionType * get(Type *Result, ArrayRef< Type *> Params, bool isVarArg)
This static method is the primary way of constructing a FunctionType.
Definition: Type.cpp:297
size_t arg_size() const
Definition: Function.h:698
Value * getPointerOperand()
Definition: Instructions.h:274
static BasicBlock * Create(LLVMContext &Context, const Twine &Name="", Function *Parent=nullptr, BasicBlock *InsertBefore=nullptr)
Creates a new BasicBlock.
Definition: BasicBlock.h:101
arg_iterator arg_begin()
Definition: Function.h:671
Value * CreateICmpEQ(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1736
size_type count(ConstPtrType Ptr) const
count - Return 1 if the specified pointer is in the set, 0 otherwise.
Definition: SmallPtrSet.h:382
self_iterator getIterator()
Definition: ilist_node.h:82
Class to represent integer types.
Definition: DerivedTypes.h:40
void setAlignment(unsigned Align)
const Value * getCondition() const
static UndefValue * get(Type *T)
Static factory methods - Return an &#39;undef&#39; object of the specified type.
Definition: Constants.cpp:1392
size_t size() const
Definition: SmallVector.h:53
static PointerType * getInt8PtrTy(LLVMContext &C, unsigned AS=0)
Definition: Type.cpp:220
const std::string & getModuleIdentifier() const
Get the module identifier which is, essentially, the name of the module.
Definition: Module.h:209
MDNode * createBranchWeights(uint32_t TrueWeight, uint32_t FalseWeight)
Return metadata containing two branch weights.
Definition: MDBuilder.cpp:38
Value * CreateMul(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:996
Value * CreateTrunc(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1552
Triple - Helper class for working with autoconf configuration names.
Definition: Triple.h:44
ConstantInt * getVolatileCst() const
void setSuccessor(unsigned idx, BasicBlock *NewSucc)
void setCallingConv(CallingConv::ID CC)
Value * CreateGEP(Value *Ptr, ArrayRef< Value *> IdxList, const Twine &Name="")
Definition: IRBuilder.h:1374
static IntegerType * get(LLVMContext &C, unsigned NumBits)
This static method is the primary way of constructing an IntegerType.
Definition: Type.cpp:240
Iterator for intrusive lists based on ilist_node.
unsigned getNumOperands() const
Definition: User.h:192
SmallPtrSet - This class implements a set which is optimized for holding SmallSize or less elements...
Definition: SmallPtrSet.h:418
static PointerType * getUnqual(Type *ElementType)
This constructs a pointer to an object of the specified type in the generic address space (address sp...
Definition: DerivedTypes.h:482
This is the shared class of boolean and integer constants.
Definition: Constants.h:84
ValTy * getArgument(unsigned ArgNo) const
Definition: CallSite.h:186
iterator end()
Definition: BasicBlock.h:266
IterTy arg_begin() const
Definition: CallSite.h:571
This is a &#39;vector&#39; (really, a variable-sized array), optimized for the case when the array is small...
Definition: SmallVector.h:847
Module.h This file contains the declarations for the Module class.
Value * CreateInsertElement(Value *Vec, Value *NewElt, Value *Idx, const Twine &Name="")
Definition: IRBuilder.h:1934
const DataFlowGraph & G
Definition: RDFGraph.cpp:211
TerminatorInst * SplitBlockAndInsertIfThen(Value *Cond, Instruction *SplitBefore, bool Unreachable, MDNode *BranchWeights=nullptr, DominatorTree *DT=nullptr, LoopInfo *LI=nullptr)
Split the containing block at the specified instruction - everything before SplitBefore stays in the ...
Type * getReturnType() const
Definition: DerivedTypes.h:124
static Constant * get(Type *Ty, uint64_t V, bool isSigned=false)
If Ty is a vector type, return a Constant with a splat of the given value.
Definition: Constants.cpp:621
static ConstantInt * getSigned(IntegerType *Ty, int64_t V)
Return a ConstantInt with the specified value for the specified type.
Definition: Constants.cpp:635
static BranchInst * Create(BasicBlock *IfTrue, Instruction *InsertBefore=nullptr)
static PHINode * Create(Type *Ty, unsigned NumReservedValues, const Twine &NameStr="", Instruction *InsertBefore=nullptr)
Constructors - NumReservedValues is a hint for the number of incoming edges that this phi node will h...
std::string utostr(uint64_t X, bool isNeg=false)
Definition: StringExtras.h:224
unsigned getNumIncomingValues() const
Return the number of incoming edges.
BBTy * getParent() const
Get the basic block containing the call site.
Definition: CallSite.h:97
void setLinkage(LinkageTypes LT)
Definition: GlobalValue.h:445
void setOperand(unsigned i, Value *Val)
Definition: User.h:175
The access may modify the value stored in memory.
void swap(llvm::BitVector &LHS, llvm::BitVector &RHS)
Implement std::swap in terms of BitVector swap.
Definition: BitVector.h:941
static cl::opt< bool > ClPreserveAlignment("dfsan-preserve-alignment", cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, cl::init(false))
FunctionType * getFunctionType() const
Returns the FunctionType for me.
Definition: Function.h:164
Class to represent vector types.
Definition: DerivedTypes.h:393
const Module * getModule() const
Return the module owning the function this instruction belongs to or nullptr it the function does not...
Definition: Instruction.cpp:56
unsigned getNumAttrSets() const
LinkageTypes
An enumeration for the kinds of linkage for global values.
Definition: GlobalValue.h:48
iterator_range< user_iterator > users()
Definition: Value.h:400
static void DFS(BasicBlock *Root, SetVector< BasicBlock *> &Set)
Value * CreateShl(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1051
const Value * getFalseValue() const
void append(in_iter in_start, in_iter in_end)
Add the specified range to the end of the SmallVector.
Definition: SmallVector.h:394
void removeAttributes(unsigned i, const AttrBuilder &Attrs)
removes the attributes from the list of attributes.
Definition: Function.cpp:417
This class wraps the llvm.memcpy/memmove intrinsics.
unsigned getAlignment() const
Return the alignment of the access that is being performed.
Definition: Instructions.h:230
static IntegerType * getInt32Ty(LLVMContext &C)
Definition: Type.cpp:176
static cl::opt< bool > ClCombinePointerLabelsOnLoad("dfsan-combine-pointer-labels-on-load", cl::desc("Combine the label of the pointer with the label of the data when " "loading from memory."), cl::Hidden, cl::init(true))
StringRef getName() const
Return a constant reference to the value&#39;s name.
Definition: Value.cpp:224
const NodeList & List
Definition: RDFGraph.cpp:210
#define I(x, y, z)
Definition: MD5.cpp:58
#define N
user_iterator_impl< User > user_iterator
Definition: Value.h:369
ModulePass class - This class is used to implement unstructured interprocedural optimizations and ana...
Definition: Pass.h:225
static ArrayType * get(Type *ElementType, uint64_t NumElements)
This static method is the primary way to construct an ArrayType.
Definition: Type.cpp:568
LLVM_NODISCARD std::enable_if<!is_simple_type< Y >::value, typename cast_retty< X, const Y >::ret_type >::type dyn_cast(const Y &Val)
Definition: Casting.h:323
Type * getValueType() const
Definition: GlobalValue.h:276
This instruction extracts a single (scalar) element from a VectorType value.
const BasicBlockListType & getBasicBlockList() const
Get the underlying elements of the Function...
Definition: Function.h:633
uint32_t Size
Definition: Profile.cpp:47
void eraseFromParent()
eraseFromParent - This method unlinks &#39;this&#39; from the containing module and deletes it...
Definition: Function.cpp:215
BasicBlock * splitBasicBlock(iterator I, const Twine &BBName="")
Split the basic block into two basic blocks at the specified instruction.
Definition: BasicBlock.cpp:401
Value * getReturnValue() const
Convenience accessor. Returns null if there is no return value.
unsigned getAlignment() const
Return the alignment of the access that is being performed.
Definition: Instructions.h:355
static StringRef GetGlobalTypeString(const GlobalValue &G)
Type * getType() const
Return the type of the instruction that generated this call site.
Definition: CallSite.h:264
Value * CreateAnd(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1112
Value * CreatePtrToInt(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1619
const std::string & getModuleInlineAsm() const
Get any module-scope inline assembly blocks.
Definition: Module.h:247
bool isDeclaration() const
Return true if the primary definition of this global value is outside of the current translation unit...
Definition: Globals.cpp:206
FunTy * getCalledFunction() const
Return the function being called if this is a direct call, otherwise return null (if it&#39;s an indirect...
Definition: CallSite.h:107
void GetUnderlyingObjects(Value *V, SmallVectorImpl< Value *> &Objects, const DataLayout &DL, LoopInfo *LI=nullptr, unsigned MaxLookup=6)
This method is similar to GetUnderlyingObject except that it can look through phi and select instruct...
iterator_range< df_iterator< T > > depth_first(const T &G)
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
user_iterator user_begin()
Definition: Value.h:376
Value * getArgOperand(unsigned i) const
getArgOperand/setArgOperand - Return/set the i-th call argument.
LoadInst * CreateAlignedLoad(Value *Ptr, unsigned Align, const char *Name)
Provided to resolve &#39;CreateAlignedLoad(Ptr, Align, "...")&#39; correctly, instead of converting the strin...
Definition: IRBuilder.h:1328
aarch64 promote const
Module * getParent()
Get the module that this global value is contained inside of...
Definition: GlobalValue.h:566
LLVM Value Representation.
Definition: Value.h:73
uint64_t getTypeStoreSize(Type *Ty) const
Returns the maximum number of bytes that may be overwritten by storing the specified type...
Definition: DataLayout.h:411
BranchInst * CreateBr(BasicBlock *Dest)
Create an unconditional &#39;br label X&#39; instruction.
Definition: IRBuilder.h:836
static VectorType * get(Type *ElementType, unsigned NumElements)
This static method is the primary way to construct an VectorType.
Definition: Type.cpp:593
AttrBuilder typeIncompatible(Type *Ty)
Which attributes cannot be applied to a type.
AttributeSet getFnAttributes() const
The function attributes are returned.
ModulePass * createDataFlowSanitizerPass(const std::vector< std::string > &ABIListFiles=std::vector< std::string >(), void *(*getArgTLS)()=nullptr, void *(*getRetValTLS)()=nullptr)
Value * CreateLShr(Value *LHS, Value *RHS, const Twine &Name="", bool isExact=false)
Definition: IRBuilder.h:1072
const Value * getCalledValue() const
Get a pointer to the function that is invoked by this instruction.
Invoke instruction.
Value * getSource() const
This is just like getRawSource, but it strips off any cast instructions that feed it...
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:49
AttributeList getAttributes() const
Get the parameter attributes of the call.
Definition: CallSite.h:329
const TerminatorInst * getTerminator() const LLVM_READONLY
Returns the terminator instruction if the block is well formed or null if the block is not well forme...
Definition: BasicBlock.cpp:138
Value * CreateInsertValue(Value *Agg, Value *Val, ArrayRef< unsigned > Idxs, const Twine &Name="")
Definition: IRBuilder.h:1971
Value * getPointerOperand()
Definition: Instructions.h:402
void setCalledFunction(Value *V)
Set the callee to the specified value.
Definition: CallSite.h:126
constexpr char Args[]
Key for Kernel::Metadata::mArgs.
PointerType * getType() const
Global values are always pointers.
Definition: GlobalValue.h:274
static AttributeList get(LLVMContext &C, ArrayRef< std::pair< unsigned, Attribute >> Attrs)
Create an AttributeList with the specified parameters in it.
Definition: Attributes.cpp:873
const BasicBlock * getParent() const
Definition: Instruction.h:67
an instruction to allocate memory on the stack
Definition: Instructions.h:60
This instruction inserts a struct field of array element value into an aggregate value.
CallInst * CreateCall(Value *Callee, ArrayRef< Value *> Args=None, const Twine &Name="", MDNode *FPMathTag=nullptr)
Definition: IRBuilder.h:1871
user_iterator user_end()
Definition: Value.h:384