LLVM  9.0.0svn
DataFlowSanitizer.cpp
Go to the documentation of this file.
1 //===- DataFlowSanitizer.cpp - dynamic data flow analysis -----------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 /// \file
10 /// This file is a part of DataFlowSanitizer, a generalised dynamic data flow
11 /// analysis.
12 ///
13 /// Unlike other Sanitizer tools, this tool is not designed to detect a specific
14 /// class of bugs on its own. Instead, it provides a generic dynamic data flow
15 /// analysis framework to be used by clients to help detect application-specific
16 /// issues within their own code.
17 ///
18 /// The analysis is based on automatic propagation of data flow labels (also
19 /// known as taint labels) through a program as it performs computation. Each
20 /// byte of application memory is backed by two bytes of shadow memory which
21 /// hold the label. On Linux/x86_64, memory is laid out as follows:
22 ///
23 /// +--------------------+ 0x800000000000 (top of memory)
24 /// | application memory |
25 /// +--------------------+ 0x700000008000 (kAppAddr)
26 /// | |
27 /// | unused |
28 /// | |
29 /// +--------------------+ 0x200200000000 (kUnusedAddr)
30 /// | union table |
31 /// +--------------------+ 0x200000000000 (kUnionTableAddr)
32 /// | shadow memory |
33 /// +--------------------+ 0x000000010000 (kShadowAddr)
34 /// | reserved by kernel |
35 /// +--------------------+ 0x000000000000
36 ///
37 /// To derive a shadow memory address from an application memory address,
38 /// bits 44-46 are cleared to bring the address into the range
39 /// [0x000000008000,0x100000000000). Then the address is shifted left by 1 to
40 /// account for the double byte representation of shadow labels and move the
41 /// address into the shadow memory range. See the function
42 /// DataFlowSanitizer::getShadowAddress below.
43 ///
44 /// For more information, please refer to the design document:
45 /// http://clang.llvm.org/docs/DataFlowSanitizerDesign.html
46 //
47 //===----------------------------------------------------------------------===//
48 
49 #include "llvm/ADT/DenseMap.h"
50 #include "llvm/ADT/DenseSet.h"
52 #include "llvm/ADT/None.h"
53 #include "llvm/ADT/SmallPtrSet.h"
54 #include "llvm/ADT/SmallVector.h"
55 #include "llvm/ADT/StringExtras.h"
56 #include "llvm/ADT/StringRef.h"
57 #include "llvm/ADT/Triple.h"
60 #include "llvm/IR/Argument.h"
61 #include "llvm/IR/Attributes.h"
62 #include "llvm/IR/BasicBlock.h"
63 #include "llvm/IR/CallSite.h"
64 #include "llvm/IR/Constant.h"
65 #include "llvm/IR/Constants.h"
66 #include "llvm/IR/DataLayout.h"
67 #include "llvm/IR/DerivedTypes.h"
68 #include "llvm/IR/Dominators.h"
69 #include "llvm/IR/Function.h"
70 #include "llvm/IR/GlobalAlias.h"
71 #include "llvm/IR/GlobalValue.h"
72 #include "llvm/IR/GlobalVariable.h"
73 #include "llvm/IR/IRBuilder.h"
74 #include "llvm/IR/InlineAsm.h"
75 #include "llvm/IR/InstVisitor.h"
76 #include "llvm/IR/InstrTypes.h"
77 #include "llvm/IR/Instruction.h"
78 #include "llvm/IR/Instructions.h"
79 #include "llvm/IR/IntrinsicInst.h"
80 #include "llvm/IR/LLVMContext.h"
81 #include "llvm/IR/MDBuilder.h"
82 #include "llvm/IR/Module.h"
83 #include "llvm/IR/Type.h"
84 #include "llvm/IR/User.h"
85 #include "llvm/IR/Value.h"
86 #include "llvm/Pass.h"
87 #include "llvm/Support/Casting.h"
93 #include <algorithm>
94 #include <cassert>
95 #include <cstddef>
96 #include <cstdint>
97 #include <iterator>
98 #include <memory>
99 #include <set>
100 #include <string>
101 #include <utility>
102 #include <vector>
103 
104 using namespace llvm;
105 
106 // External symbol to be used when generating the shadow address for
107 // architectures with multiple VMAs. Instead of using a constant integer
108 // the runtime will set the external mask based on the VMA range.
109 static const char *const kDFSanExternShadowPtrMask = "__dfsan_shadow_ptr_mask";
110 
111 // The -dfsan-preserve-alignment flag controls whether this pass assumes that
112 // alignment requirements provided by the input IR are correct. For example,
113 // if the input IR contains a load with alignment 8, this flag will cause
114 // the shadow load to have alignment 16. This flag is disabled by default as
115 // we have unfortunately encountered too much code (including Clang itself;
116 // see PR14291) which performs misaligned access.
118  "dfsan-preserve-alignment",
119  cl::desc("respect alignment requirements provided by input IR"), cl::Hidden,
120  cl::init(false));
121 
122 // The ABI list files control how shadow parameters are passed. The pass treats
123 // every function labelled "uninstrumented" in the ABI list file as conforming
124 // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains
125 // additional annotations for those functions, a call to one of those functions
126 // will produce a warning message, as the labelling behaviour of the function is
127 // unknown. The other supported annotations are "functional" and "discard",
128 // which are described below under DataFlowSanitizer::WrapperKind.
130  "dfsan-abilist",
131  cl::desc("File listing native ABI functions and how the pass treats them"),
132  cl::Hidden);
133 
134 // Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented
135 // functions (see DataFlowSanitizer::InstrumentedABI below).
136 static cl::opt<bool> ClArgsABI(
137  "dfsan-args-abi",
138  cl::desc("Use the argument ABI rather than the TLS ABI"),
139  cl::Hidden);
140 
141 // Controls whether the pass includes or ignores the labels of pointers in load
142 // instructions.
144  "dfsan-combine-pointer-labels-on-load",
145  cl::desc("Combine the label of the pointer with the label of the data when "
146  "loading from memory."),
147  cl::Hidden, cl::init(true));
148 
149 // Controls whether the pass includes or ignores the labels of pointers in
150 // stores instructions.
152  "dfsan-combine-pointer-labels-on-store",
153  cl::desc("Combine the label of the pointer with the label of the data when "
154  "storing in memory."),
155  cl::Hidden, cl::init(false));
156 
158  "dfsan-debug-nonzero-labels",
159  cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, "
160  "load or return with a nonzero label"),
161  cl::Hidden);
162 
164  // Types of GlobalVariables are always pointer types.
165  Type *GType = G.getValueType();
166  // For now we support blacklisting struct types only.
167  if (StructType *SGType = dyn_cast<StructType>(GType)) {
168  if (!SGType->isLiteral())
169  return SGType->getName();
170  }
171  return "<unknown type>";
172 }
173 
174 namespace {
175 
176 class DFSanABIList {
177  std::unique_ptr<SpecialCaseList> SCL;
178 
179  public:
180  DFSanABIList() = default;
181 
182  void set(std::unique_ptr<SpecialCaseList> List) { SCL = std::move(List); }
183 
184  /// Returns whether either this function or its source file are listed in the
185  /// given category.
186  bool isIn(const Function &F, StringRef Category) const {
187  return isIn(*F.getParent(), Category) ||
188  SCL->inSection("dataflow", "fun", F.getName(), Category);
189  }
190 
191  /// Returns whether this global alias is listed in the given category.
192  ///
193  /// If GA aliases a function, the alias's name is matched as a function name
194  /// would be. Similarly, aliases of globals are matched like globals.
195  bool isIn(const GlobalAlias &GA, StringRef Category) const {
196  if (isIn(*GA.getParent(), Category))
197  return true;
198 
199  if (isa<FunctionType>(GA.getValueType()))
200  return SCL->inSection("dataflow", "fun", GA.getName(), Category);
201 
202  return SCL->inSection("dataflow", "global", GA.getName(), Category) ||
203  SCL->inSection("dataflow", "type", GetGlobalTypeString(GA),
204  Category);
205  }
206 
207  /// Returns whether this module is listed in the given category.
208  bool isIn(const Module &M, StringRef Category) const {
209  return SCL->inSection("dataflow", "src", M.getModuleIdentifier(), Category);
210  }
211 };
212 
213 /// TransformedFunction is used to express the result of transforming one
214 /// function type into another. This struct is immutable. It holds metadata
215 /// useful for updating calls of the old function to the new type.
216 struct TransformedFunction {
217  TransformedFunction(FunctionType* OriginalType,
218  FunctionType* TransformedType,
219  std::vector<unsigned> ArgumentIndexMapping)
220  : OriginalType(OriginalType),
221  TransformedType(TransformedType),
222  ArgumentIndexMapping(ArgumentIndexMapping) {}
223 
224  // Disallow copies.
225  TransformedFunction(const TransformedFunction&) = delete;
226  TransformedFunction& operator=(const TransformedFunction&) = delete;
227 
228  // Allow moves.
229  TransformedFunction(TransformedFunction&&) = default;
230  TransformedFunction& operator=(TransformedFunction&&) = default;
231 
232  /// Type of the function before the transformation.
233  FunctionType *OriginalType;
234 
235  /// Type of the function after the transformation.
236  FunctionType *TransformedType;
237 
238  /// Transforming a function may change the position of arguments. This
239  /// member records the mapping from each argument's old position to its new
240  /// position. Argument positions are zero-indexed. If the transformation
241  /// from F to F' made the first argument of F into the third argument of F',
242  /// then ArgumentIndexMapping[0] will equal 2.
243  std::vector<unsigned> ArgumentIndexMapping;
244 };
245 
246 /// Given function attributes from a call site for the original function,
247 /// return function attributes appropriate for a call to the transformed
248 /// function.
249 AttributeList TransformFunctionAttributes(
250  const TransformedFunction& TransformedFunction,
251  LLVMContext& Ctx, AttributeList CallSiteAttrs) {
252 
253  // Construct a vector of AttributeSet for each function argument.
254  std::vector<llvm::AttributeSet> ArgumentAttributes(
255  TransformedFunction.TransformedType->getNumParams());
256 
257  // Copy attributes from the parameter of the original function to the
258  // transformed version. 'ArgumentIndexMapping' holds the mapping from
259  // old argument position to new.
260  for (unsigned i=0, ie = TransformedFunction.ArgumentIndexMapping.size();
261  i < ie; ++i) {
262  unsigned TransformedIndex = TransformedFunction.ArgumentIndexMapping[i];
263  ArgumentAttributes[TransformedIndex] = CallSiteAttrs.getParamAttributes(i);
264  }
265 
266  // Copy annotations on varargs arguments.
267  for (unsigned i = TransformedFunction.OriginalType->getNumParams(),
268  ie = CallSiteAttrs.getNumAttrSets(); i<ie; ++i) {
269  ArgumentAttributes.push_back(CallSiteAttrs.getParamAttributes(i));
270  }
271 
272  return AttributeList::get(
273  Ctx,
274  CallSiteAttrs.getFnAttributes(),
275  CallSiteAttrs.getRetAttributes(),
276  llvm::makeArrayRef(ArgumentAttributes));
277 }
278 
279 class DataFlowSanitizer : public ModulePass {
280  friend struct DFSanFunction;
281  friend class DFSanVisitor;
282 
283  enum {
284  ShadowWidth = 16
285  };
286 
287  /// Which ABI should be used for instrumented functions?
288  enum InstrumentedABI {
289  /// Argument and return value labels are passed through additional
290  /// arguments and by modifying the return type.
291  IA_Args,
292 
293  /// Argument and return value labels are passed through TLS variables
294  /// __dfsan_arg_tls and __dfsan_retval_tls.
295  IA_TLS
296  };
297 
298  /// How should calls to uninstrumented functions be handled?
299  enum WrapperKind {
300  /// This function is present in an uninstrumented form but we don't know
301  /// how it should be handled. Print a warning and call the function anyway.
302  /// Don't label the return value.
303  WK_Warning,
304 
305  /// This function does not write to (user-accessible) memory, and its return
306  /// value is unlabelled.
307  WK_Discard,
308 
309  /// This function does not write to (user-accessible) memory, and the label
310  /// of its return value is the union of the label of its arguments.
311  WK_Functional,
312 
313  /// Instead of calling the function, a custom wrapper __dfsw_F is called,
314  /// where F is the name of the function. This function may wrap the
315  /// original function or provide its own implementation. This is similar to
316  /// the IA_Args ABI, except that IA_Args uses a struct return type to
317  /// pass the return value shadow in a register, while WK_Custom uses an
318  /// extra pointer argument to return the shadow. This allows the wrapped
319  /// form of the function type to be expressed in C.
320  WK_Custom
321  };
322 
323  Module *Mod;
324  LLVMContext *Ctx;
325  IntegerType *ShadowTy;
326  PointerType *ShadowPtrTy;
327  IntegerType *IntptrTy;
328  ConstantInt *ZeroShadow;
329  ConstantInt *ShadowPtrMask;
330  ConstantInt *ShadowPtrMul;
331  Constant *ArgTLS;
332  Constant *RetvalTLS;
333  void *(*GetArgTLSPtr)();
334  void *(*GetRetvalTLSPtr)();
335  FunctionType *GetArgTLSTy;
336  FunctionType *GetRetvalTLSTy;
337  Constant *GetArgTLS;
338  Constant *GetRetvalTLS;
339  Constant *ExternalShadowMask;
340  FunctionType *DFSanUnionFnTy;
341  FunctionType *DFSanUnionLoadFnTy;
342  FunctionType *DFSanUnimplementedFnTy;
343  FunctionType *DFSanSetLabelFnTy;
344  FunctionType *DFSanNonzeroLabelFnTy;
345  FunctionType *DFSanVarargWrapperFnTy;
346  FunctionCallee DFSanUnionFn;
347  FunctionCallee DFSanCheckedUnionFn;
348  FunctionCallee DFSanUnionLoadFn;
349  FunctionCallee DFSanUnimplementedFn;
350  FunctionCallee DFSanSetLabelFn;
351  FunctionCallee DFSanNonzeroLabelFn;
352  FunctionCallee DFSanVarargWrapperFn;
353  MDNode *ColdCallWeights;
354  DFSanABIList ABIList;
355  DenseMap<Value *, Function *> UnwrappedFnMap;
356  AttrBuilder ReadOnlyNoneAttrs;
357  bool DFSanRuntimeShadowMask = false;
358 
359  Value *getShadowAddress(Value *Addr, Instruction *Pos);
360  bool isInstrumented(const Function *F);
361  bool isInstrumented(const GlobalAlias *GA);
362  FunctionType *getArgsFunctionType(FunctionType *T);
363  FunctionType *getTrampolineFunctionType(FunctionType *T);
364  TransformedFunction getCustomFunctionType(FunctionType *T);
365  InstrumentedABI getInstrumentedABI();
366  WrapperKind getWrapperKind(Function *F);
367  void addGlobalNamePrefix(GlobalValue *GV);
368  Function *buildWrapperFunction(Function *F, StringRef NewFName,
369  GlobalValue::LinkageTypes NewFLink,
370  FunctionType *NewFT);
371  Constant *getOrBuildTrampolineFunction(FunctionType *FT, StringRef FName);
372 
373 public:
374  static char ID;
375 
376  DataFlowSanitizer(
377  const std::vector<std::string> &ABIListFiles = std::vector<std::string>(),
378  void *(*getArgTLS)() = nullptr, void *(*getRetValTLS)() = nullptr);
379 
380  bool doInitialization(Module &M) override;
381  bool runOnModule(Module &M) override;
382 };
383 
384 struct DFSanFunction {
385  DataFlowSanitizer &DFS;
386  Function *F;
387  DominatorTree DT;
388  DataFlowSanitizer::InstrumentedABI IA;
389  bool IsNativeABI;
390  Value *ArgTLSPtr = nullptr;
391  Value *RetvalTLSPtr = nullptr;
392  AllocaInst *LabelReturnAlloca = nullptr;
393  DenseMap<Value *, Value *> ValShadowMap;
394  DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap;
395  std::vector<std::pair<PHINode *, PHINode *>> PHIFixups;
396  DenseSet<Instruction *> SkipInsts;
397  std::vector<Value *> NonZeroChecks;
398  bool AvoidNewBlocks;
399 
400  struct CachedCombinedShadow {
401  BasicBlock *Block;
402  Value *Shadow;
403  };
404  DenseMap<std::pair<Value *, Value *>, CachedCombinedShadow>
405  CachedCombinedShadows;
406  DenseMap<Value *, std::set<Value *>> ShadowElements;
407 
408  DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI)
409  : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()), IsNativeABI(IsNativeABI) {
410  DT.recalculate(*F);
411  // FIXME: Need to track down the register allocator issue which causes poor
412  // performance in pathological cases with large numbers of basic blocks.
413  AvoidNewBlocks = F->size() > 1000;
414  }
415 
416  Value *getArgTLSPtr();
417  Value *getArgTLS(unsigned Index, Instruction *Pos);
418  Value *getRetvalTLS();
419  Value *getShadow(Value *V);
420  void setShadow(Instruction *I, Value *Shadow);
421  Value *combineShadows(Value *V1, Value *V2, Instruction *Pos);
422  Value *combineOperandShadows(Instruction *Inst);
423  Value *loadShadow(Value *ShadowAddr, uint64_t Size, uint64_t Align,
424  Instruction *Pos);
425  void storeShadow(Value *Addr, uint64_t Size, uint64_t Align, Value *Shadow,
426  Instruction *Pos);
427 };
428 
429 class DFSanVisitor : public InstVisitor<DFSanVisitor> {
430 public:
431  DFSanFunction &DFSF;
432 
433  DFSanVisitor(DFSanFunction &DFSF) : DFSF(DFSF) {}
434 
435  const DataLayout &getDataLayout() const {
436  return DFSF.F->getParent()->getDataLayout();
437  }
438 
439  void visitOperandShadowInst(Instruction &I);
440  void visitBinaryOperator(BinaryOperator &BO);
441  void visitCastInst(CastInst &CI);
442  void visitCmpInst(CmpInst &CI);
443  void visitGetElementPtrInst(GetElementPtrInst &GEPI);
444  void visitLoadInst(LoadInst &LI);
445  void visitStoreInst(StoreInst &SI);
446  void visitReturnInst(ReturnInst &RI);
447  void visitCallSite(CallSite CS);
448  void visitPHINode(PHINode &PN);
449  void visitExtractElementInst(ExtractElementInst &I);
450  void visitInsertElementInst(InsertElementInst &I);
451  void visitShuffleVectorInst(ShuffleVectorInst &I);
452  void visitExtractValueInst(ExtractValueInst &I);
453  void visitInsertValueInst(InsertValueInst &I);
454  void visitAllocaInst(AllocaInst &I);
455  void visitSelectInst(SelectInst &I);
456  void visitMemSetInst(MemSetInst &I);
457  void visitMemTransferInst(MemTransferInst &I);
458 };
459 
460 } // end anonymous namespace
461 
463 
464 INITIALIZE_PASS(DataFlowSanitizer, "dfsan",
465  "DataFlowSanitizer: dynamic data flow analysis.", false, false)
466 
467 ModulePass *
468 llvm::createDataFlowSanitizerPass(const std::vector<std::string> &ABIListFiles,
469  void *(*getArgTLS)(),
470  void *(*getRetValTLS)()) {
471  return new DataFlowSanitizer(ABIListFiles, getArgTLS, getRetValTLS);
472 }
473 
474 DataFlowSanitizer::DataFlowSanitizer(
475  const std::vector<std::string> &ABIListFiles, void *(*getArgTLS)(),
476  void *(*getRetValTLS)())
477  : ModulePass(ID), GetArgTLSPtr(getArgTLS), GetRetvalTLSPtr(getRetValTLS) {
478  std::vector<std::string> AllABIListFiles(std::move(ABIListFiles));
479  AllABIListFiles.insert(AllABIListFiles.end(), ClABIListFiles.begin(),
480  ClABIListFiles.end());
481  ABIList.set(SpecialCaseList::createOrDie(AllABIListFiles));
482 }
483 
484 FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) {
485  SmallVector<Type *, 4> ArgTypes(T->param_begin(), T->param_end());
486  ArgTypes.append(T->getNumParams(), ShadowTy);
487  if (T->isVarArg())
488  ArgTypes.push_back(ShadowPtrTy);
489  Type *RetType = T->getReturnType();
490  if (!RetType->isVoidTy())
491  RetType = StructType::get(RetType, ShadowTy);
492  return FunctionType::get(RetType, ArgTypes, T->isVarArg());
493 }
494 
495 FunctionType *DataFlowSanitizer::getTrampolineFunctionType(FunctionType *T) {
496  assert(!T->isVarArg());
497  SmallVector<Type *, 4> ArgTypes;
498  ArgTypes.push_back(T->getPointerTo());
499  ArgTypes.append(T->param_begin(), T->param_end());
500  ArgTypes.append(T->getNumParams(), ShadowTy);
501  Type *RetType = T->getReturnType();
502  if (!RetType->isVoidTy())
503  ArgTypes.push_back(ShadowPtrTy);
504  return FunctionType::get(T->getReturnType(), ArgTypes, false);
505 }
506 
507 TransformedFunction DataFlowSanitizer::getCustomFunctionType(FunctionType *T) {
508  SmallVector<Type *, 4> ArgTypes;
509 
510  // Some parameters of the custom function being constructed are
511  // parameters of T. Record the mapping from parameters of T to
512  // parameters of the custom function, so that parameter attributes
513  // at call sites can be updated.
514  std::vector<unsigned> ArgumentIndexMapping;
515  for (unsigned i = 0, ie = T->getNumParams(); i != ie; ++i) {
516  Type* param_type = T->getParamType(i);
517  FunctionType *FT;
518  if (isa<PointerType>(param_type) && (FT = dyn_cast<FunctionType>(
519  cast<PointerType>(param_type)->getElementType()))) {
520  ArgumentIndexMapping.push_back(ArgTypes.size());
521  ArgTypes.push_back(getTrampolineFunctionType(FT)->getPointerTo());
522  ArgTypes.push_back(Type::getInt8PtrTy(*Ctx));
523  } else {
524  ArgumentIndexMapping.push_back(ArgTypes.size());
525  ArgTypes.push_back(param_type);
526  }
527  }
528  for (unsigned i = 0, e = T->getNumParams(); i != e; ++i)
529  ArgTypes.push_back(ShadowTy);
530  if (T->isVarArg())
531  ArgTypes.push_back(ShadowPtrTy);
532  Type *RetType = T->getReturnType();
533  if (!RetType->isVoidTy())
534  ArgTypes.push_back(ShadowPtrTy);
535  return TransformedFunction(
536  T, FunctionType::get(T->getReturnType(), ArgTypes, T->isVarArg()),
537  ArgumentIndexMapping);
538 }
539 
540 bool DataFlowSanitizer::doInitialization(Module &M) {
541  Triple TargetTriple(M.getTargetTriple());
542  bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
543  bool IsMIPS64 = TargetTriple.isMIPS64();
544  bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64 ||
545  TargetTriple.getArch() == Triple::aarch64_be;
546 
547  const DataLayout &DL = M.getDataLayout();
548 
549  Mod = &M;
550  Ctx = &M.getContext();
551  ShadowTy = IntegerType::get(*Ctx, ShadowWidth);
552  ShadowPtrTy = PointerType::getUnqual(ShadowTy);
553  IntptrTy = DL.getIntPtrType(*Ctx);
554  ZeroShadow = ConstantInt::getSigned(ShadowTy, 0);
555  ShadowPtrMul = ConstantInt::getSigned(IntptrTy, ShadowWidth / 8);
556  if (IsX86_64)
557  ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0x700000000000LL);
558  else if (IsMIPS64)
559  ShadowPtrMask = ConstantInt::getSigned(IntptrTy, ~0xF000000000LL);
560  // AArch64 supports multiple VMAs and the shadow mask is set at runtime.
561  else if (IsAArch64)
562  DFSanRuntimeShadowMask = true;
563  else
564  report_fatal_error("unsupported triple");
565 
566  Type *DFSanUnionArgs[2] = { ShadowTy, ShadowTy };
567  DFSanUnionFnTy =
568  FunctionType::get(ShadowTy, DFSanUnionArgs, /*isVarArg=*/ false);
569  Type *DFSanUnionLoadArgs[2] = { ShadowPtrTy, IntptrTy };
570  DFSanUnionLoadFnTy =
571  FunctionType::get(ShadowTy, DFSanUnionLoadArgs, /*isVarArg=*/ false);
572  DFSanUnimplementedFnTy = FunctionType::get(
573  Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
574  Type *DFSanSetLabelArgs[3] = { ShadowTy, Type::getInt8PtrTy(*Ctx), IntptrTy };
575  DFSanSetLabelFnTy = FunctionType::get(Type::getVoidTy(*Ctx),
576  DFSanSetLabelArgs, /*isVarArg=*/false);
577  DFSanNonzeroLabelFnTy = FunctionType::get(
578  Type::getVoidTy(*Ctx), None, /*isVarArg=*/false);
579  DFSanVarargWrapperFnTy = FunctionType::get(
580  Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
581 
582  if (GetArgTLSPtr) {
583  Type *ArgTLSTy = ArrayType::get(ShadowTy, 64);
584  ArgTLS = nullptr;
585  GetArgTLSTy = FunctionType::get(PointerType::getUnqual(ArgTLSTy), false);
586  GetArgTLS = ConstantExpr::getIntToPtr(
587  ConstantInt::get(IntptrTy, uintptr_t(GetArgTLSPtr)),
588  PointerType::getUnqual(GetArgTLSTy));
589  }
590  if (GetRetvalTLSPtr) {
591  RetvalTLS = nullptr;
592  GetRetvalTLSTy = FunctionType::get(PointerType::getUnqual(ShadowTy), false);
593  GetRetvalTLS = ConstantExpr::getIntToPtr(
594  ConstantInt::get(IntptrTy, uintptr_t(GetRetvalTLSPtr)),
595  PointerType::getUnqual(GetRetvalTLSTy));
596  }
597 
598  ColdCallWeights = MDBuilder(*Ctx).createBranchWeights(1, 1000);
599  return true;
600 }
601 
602 bool DataFlowSanitizer::isInstrumented(const Function *F) {
603  return !ABIList.isIn(*F, "uninstrumented");
604 }
605 
606 bool DataFlowSanitizer::isInstrumented(const GlobalAlias *GA) {
607  return !ABIList.isIn(*GA, "uninstrumented");
608 }
609 
610 DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() {
611  return ClArgsABI ? IA_Args : IA_TLS;
612 }
613 
614 DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) {
615  if (ABIList.isIn(*F, "functional"))
616  return WK_Functional;
617  if (ABIList.isIn(*F, "discard"))
618  return WK_Discard;
619  if (ABIList.isIn(*F, "custom"))
620  return WK_Custom;
621 
622  return WK_Warning;
623 }
624 
625 void DataFlowSanitizer::addGlobalNamePrefix(GlobalValue *GV) {
626  std::string GVName = GV->getName(), Prefix = "dfs$";
627  GV->setName(Prefix + GVName);
628 
629  // Try to change the name of the function in module inline asm. We only do
630  // this for specific asm directives, currently only ".symver", to try to avoid
631  // corrupting asm which happens to contain the symbol name as a substring.
632  // Note that the substitution for .symver assumes that the versioned symbol
633  // also has an instrumented name.
634  std::string Asm = GV->getParent()->getModuleInlineAsm();
635  std::string SearchStr = ".symver " + GVName + ",";
636  size_t Pos = Asm.find(SearchStr);
637  if (Pos != std::string::npos) {
638  Asm.replace(Pos, SearchStr.size(),
639  ".symver " + Prefix + GVName + "," + Prefix);
640  GV->getParent()->setModuleInlineAsm(Asm);
641  }
642 }
643 
644 Function *
645 DataFlowSanitizer::buildWrapperFunction(Function *F, StringRef NewFName,
646  GlobalValue::LinkageTypes NewFLink,
647  FunctionType *NewFT) {
648  FunctionType *FT = F->getFunctionType();
649  Function *NewF = Function::Create(NewFT, NewFLink, F->getAddressSpace(),
650  NewFName, F->getParent());
651  NewF->copyAttributesFrom(F);
652  NewF->removeAttributes(
655 
656  BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF);
657  if (F->isVarArg()) {
659  AttrBuilder().addAttribute("split-stack"));
660  CallInst::Create(DFSanVarargWrapperFn,
661  IRBuilder<>(BB).CreateGlobalStringPtr(F->getName()), "",
662  BB);
663  new UnreachableInst(*Ctx, BB);
664  } else {
665  std::vector<Value *> Args;
666  unsigned n = FT->getNumParams();
667  for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n)
668  Args.push_back(&*ai);
669  CallInst *CI = CallInst::Create(F, Args, "", BB);
670  if (FT->getReturnType()->isVoidTy())
671  ReturnInst::Create(*Ctx, BB);
672  else
673  ReturnInst::Create(*Ctx, CI, BB);
674  }
675 
676  return NewF;
677 }
678 
679 Constant *DataFlowSanitizer::getOrBuildTrampolineFunction(FunctionType *FT,
680  StringRef FName) {
681  FunctionType *FTT = getTrampolineFunctionType(FT);
682  FunctionCallee C = Mod->getOrInsertFunction(FName, FTT);
683  Function *F = dyn_cast<Function>(C.getCallee());
684  if (F && F->isDeclaration()) {
686  BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", F);
687  std::vector<Value *> Args;
688  Function::arg_iterator AI = F->arg_begin(); ++AI;
689  for (unsigned N = FT->getNumParams(); N != 0; ++AI, --N)
690  Args.push_back(&*AI);
691  CallInst *CI = CallInst::Create(FT, &*F->arg_begin(), Args, "", BB);
692  ReturnInst *RI;
693  if (FT->getReturnType()->isVoidTy())
694  RI = ReturnInst::Create(*Ctx, BB);
695  else
696  RI = ReturnInst::Create(*Ctx, CI, BB);
697 
698  DFSanFunction DFSF(*this, F, /*IsNativeABI=*/true);
699  Function::arg_iterator ValAI = F->arg_begin(), ShadowAI = AI; ++ValAI;
700  for (unsigned N = FT->getNumParams(); N != 0; ++ValAI, ++ShadowAI, --N)
701  DFSF.ValShadowMap[&*ValAI] = &*ShadowAI;
702  DFSanVisitor(DFSF).visitCallInst(*CI);
703  if (!FT->getReturnType()->isVoidTy())
704  new StoreInst(DFSF.getShadow(RI->getReturnValue()),
705  &*std::prev(F->arg_end()), RI);
706  }
707 
708  return cast<Constant>(C.getCallee());
709 }
710 
711 bool DataFlowSanitizer::runOnModule(Module &M) {
712  if (ABIList.isIn(M, "skip"))
713  return false;
714 
715  if (!GetArgTLSPtr) {
716  Type *ArgTLSTy = ArrayType::get(ShadowTy, 64);
717  ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy);
718  if (GlobalVariable *G = dyn_cast<GlobalVariable>(ArgTLS))
719  G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel);
720  }
721  if (!GetRetvalTLSPtr) {
722  RetvalTLS = Mod->getOrInsertGlobal("__dfsan_retval_tls", ShadowTy);
723  if (GlobalVariable *G = dyn_cast<GlobalVariable>(RetvalTLS))
724  G->setThreadLocalMode(GlobalVariable::InitialExecTLSModel);
725  }
726 
727  ExternalShadowMask =
728  Mod->getOrInsertGlobal(kDFSanExternShadowPtrMask, IntptrTy);
729 
730  {
733  Attribute::NoUnwind);
735  Attribute::ReadNone);
737  Attribute::ZExt);
738  AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
739  AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
740  DFSanUnionFn =
741  Mod->getOrInsertFunction("__dfsan_union", DFSanUnionFnTy, AL);
742  }
743 
744  {
747  Attribute::NoUnwind);
749  Attribute::ReadNone);
751  Attribute::ZExt);
752  AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
753  AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
754  DFSanCheckedUnionFn =
755  Mod->getOrInsertFunction("dfsan_union", DFSanUnionFnTy, AL);
756  }
757  {
760  Attribute::NoUnwind);
762  Attribute::ReadOnly);
764  Attribute::ZExt);
765  DFSanUnionLoadFn =
766  Mod->getOrInsertFunction("__dfsan_union_load", DFSanUnionLoadFnTy, AL);
767  }
768  DFSanUnimplementedFn =
769  Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy);
770  {
772  AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
773  DFSanSetLabelFn =
774  Mod->getOrInsertFunction("__dfsan_set_label", DFSanSetLabelFnTy, AL);
775  }
776  DFSanNonzeroLabelFn =
777  Mod->getOrInsertFunction("__dfsan_nonzero_label", DFSanNonzeroLabelFnTy);
778  DFSanVarargWrapperFn = Mod->getOrInsertFunction("__dfsan_vararg_wrapper",
779  DFSanVarargWrapperFnTy);
780 
781  std::vector<Function *> FnsToInstrument;
782  SmallPtrSet<Function *, 2> FnsWithNativeABI;
783  for (Function &i : M) {
784  if (!i.isIntrinsic() &&
785  &i != DFSanUnionFn.getCallee()->stripPointerCasts() &&
786  &i != DFSanCheckedUnionFn.getCallee()->stripPointerCasts() &&
787  &i != DFSanUnionLoadFn.getCallee()->stripPointerCasts() &&
788  &i != DFSanUnimplementedFn.getCallee()->stripPointerCasts() &&
789  &i != DFSanSetLabelFn.getCallee()->stripPointerCasts() &&
790  &i != DFSanNonzeroLabelFn.getCallee()->stripPointerCasts() &&
791  &i != DFSanVarargWrapperFn.getCallee()->stripPointerCasts())
792  FnsToInstrument.push_back(&i);
793  }
794 
795  // Give function aliases prefixes when necessary, and build wrappers where the
796  // instrumentedness is inconsistent.
797  for (Module::alias_iterator i = M.alias_begin(), e = M.alias_end(); i != e;) {
798  GlobalAlias *GA = &*i;
799  ++i;
800  // Don't stop on weak. We assume people aren't playing games with the
801  // instrumentedness of overridden weak aliases.
802  if (auto F = dyn_cast<Function>(GA->getBaseObject())) {
803  bool GAInst = isInstrumented(GA), FInst = isInstrumented(F);
804  if (GAInst && FInst) {
805  addGlobalNamePrefix(GA);
806  } else if (GAInst != FInst) {
807  // Non-instrumented alias of an instrumented function, or vice versa.
808  // Replace the alias with a native-ABI wrapper of the aliasee. The pass
809  // below will take care of instrumenting it.
810  Function *NewF =
811  buildWrapperFunction(F, "", GA->getLinkage(), F->getFunctionType());
813  NewF->takeName(GA);
814  GA->eraseFromParent();
815  FnsToInstrument.push_back(NewF);
816  }
817  }
818  }
819 
820  ReadOnlyNoneAttrs.addAttribute(Attribute::ReadOnly)
821  .addAttribute(Attribute::ReadNone);
822 
823  // First, change the ABI of every function in the module. ABI-listed
824  // functions keep their original ABI and get a wrapper function.
825  for (std::vector<Function *>::iterator i = FnsToInstrument.begin(),
826  e = FnsToInstrument.end();
827  i != e; ++i) {
828  Function &F = **i;
829  FunctionType *FT = F.getFunctionType();
830 
831  bool IsZeroArgsVoidRet = (FT->getNumParams() == 0 && !FT->isVarArg() &&
832  FT->getReturnType()->isVoidTy());
833 
834  if (isInstrumented(&F)) {
835  // Instrumented functions get a 'dfs$' prefix. This allows us to more
836  // easily identify cases of mismatching ABIs.
837  if (getInstrumentedABI() == IA_Args && !IsZeroArgsVoidRet) {
838  FunctionType *NewFT = getArgsFunctionType(FT);
839  Function *NewF = Function::Create(NewFT, F.getLinkage(),
840  F.getAddressSpace(), "", &M);
841  NewF->copyAttributesFrom(&F);
842  NewF->removeAttributes(
845  for (Function::arg_iterator FArg = F.arg_begin(),
846  NewFArg = NewF->arg_begin(),
847  FArgEnd = F.arg_end();
848  FArg != FArgEnd; ++FArg, ++NewFArg) {
849  FArg->replaceAllUsesWith(&*NewFArg);
850  }
851  NewF->getBasicBlockList().splice(NewF->begin(), F.getBasicBlockList());
852 
853  for (Function::user_iterator UI = F.user_begin(), UE = F.user_end();
854  UI != UE;) {
855  BlockAddress *BA = dyn_cast<BlockAddress>(*UI);
856  ++UI;
857  if (BA) {
858  BA->replaceAllUsesWith(
859  BlockAddress::get(NewF, BA->getBasicBlock()));
860  delete BA;
861  }
862  }
865  NewF->takeName(&F);
866  F.eraseFromParent();
867  *i = NewF;
868  addGlobalNamePrefix(NewF);
869  } else {
870  addGlobalNamePrefix(&F);
871  }
872  } else if (!IsZeroArgsVoidRet || getWrapperKind(&F) == WK_Custom) {
873  // Build a wrapper function for F. The wrapper simply calls F, and is
874  // added to FnsToInstrument so that any instrumentation according to its
875  // WrapperKind is done in the second pass below.
876  FunctionType *NewFT = getInstrumentedABI() == IA_Args
877  ? getArgsFunctionType(FT)
878  : FT;
879 
880  // If the function being wrapped has local linkage, then preserve the
881  // function's linkage in the wrapper function.
882  GlobalValue::LinkageTypes wrapperLinkage =
883  F.hasLocalLinkage()
884  ? F.getLinkage()
886 
887  Function *NewF = buildWrapperFunction(
888  &F, std::string("dfsw$") + std::string(F.getName()),
889  wrapperLinkage, NewFT);
890  if (getInstrumentedABI() == IA_TLS)
891  NewF->removeAttributes(AttributeList::FunctionIndex, ReadOnlyNoneAttrs);
892 
893  Value *WrappedFnCst =
895  F.replaceAllUsesWith(WrappedFnCst);
896 
897  UnwrappedFnMap[WrappedFnCst] = &F;
898  *i = NewF;
899 
900  if (!F.isDeclaration()) {
901  // This function is probably defining an interposition of an
902  // uninstrumented function and hence needs to keep the original ABI.
903  // But any functions it may call need to use the instrumented ABI, so
904  // we instrument it in a mode which preserves the original ABI.
905  FnsWithNativeABI.insert(&F);
906 
907  // This code needs to rebuild the iterators, as they may be invalidated
908  // by the push_back, taking care that the new range does not include
909  // any functions added by this code.
910  size_t N = i - FnsToInstrument.begin(),
911  Count = e - FnsToInstrument.begin();
912  FnsToInstrument.push_back(&F);
913  i = FnsToInstrument.begin() + N;
914  e = FnsToInstrument.begin() + Count;
915  }
916  // Hopefully, nobody will try to indirectly call a vararg
917  // function... yet.
918  } else if (FT->isVarArg()) {
919  UnwrappedFnMap[&F] = &F;
920  *i = nullptr;
921  }
922  }
923 
924  for (Function *i : FnsToInstrument) {
925  if (!i || i->isDeclaration())
926  continue;
927 
929 
930  DFSanFunction DFSF(*this, i, FnsWithNativeABI.count(i));
931 
932  // DFSanVisitor may create new basic blocks, which confuses df_iterator.
933  // Build a copy of the list before iterating over it.
934  SmallVector<BasicBlock *, 4> BBList(depth_first(&i->getEntryBlock()));
935 
936  for (BasicBlock *i : BBList) {
937  Instruction *Inst = &i->front();
938  while (true) {
939  // DFSanVisitor may split the current basic block, changing the current
940  // instruction's next pointer and moving the next instruction to the
941  // tail block from which we should continue.
942  Instruction *Next = Inst->getNextNode();
943  // DFSanVisitor may delete Inst, so keep track of whether it was a
944  // terminator.
945  bool IsTerminator = Inst->isTerminator();
946  if (!DFSF.SkipInsts.count(Inst))
947  DFSanVisitor(DFSF).visit(Inst);
948  if (IsTerminator)
949  break;
950  Inst = Next;
951  }
952  }
953 
954  // We will not necessarily be able to compute the shadow for every phi node
955  // until we have visited every block. Therefore, the code that handles phi
956  // nodes adds them to the PHIFixups list so that they can be properly
957  // handled here.
958  for (std::vector<std::pair<PHINode *, PHINode *>>::iterator
959  i = DFSF.PHIFixups.begin(),
960  e = DFSF.PHIFixups.end();
961  i != e; ++i) {
962  for (unsigned val = 0, n = i->first->getNumIncomingValues(); val != n;
963  ++val) {
964  i->second->setIncomingValue(
965  val, DFSF.getShadow(i->first->getIncomingValue(val)));
966  }
967  }
968 
969  // -dfsan-debug-nonzero-labels will split the CFG in all kinds of crazy
970  // places (i.e. instructions in basic blocks we haven't even begun visiting
971  // yet). To make our life easier, do this work in a pass after the main
972  // instrumentation.
973  if (ClDebugNonzeroLabels) {
974  for (Value *V : DFSF.NonZeroChecks) {
975  Instruction *Pos;
976  if (Instruction *I = dyn_cast<Instruction>(V))
977  Pos = I->getNextNode();
978  else
979  Pos = &DFSF.F->getEntryBlock().front();
980  while (isa<PHINode>(Pos) || isa<AllocaInst>(Pos))
981  Pos = Pos->getNextNode();
982  IRBuilder<> IRB(Pos);
983  Value *Ne = IRB.CreateICmpNE(V, DFSF.DFS.ZeroShadow);
984  BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen(
985  Ne, Pos, /*Unreachable=*/false, ColdCallWeights));
986  IRBuilder<> ThenIRB(BI);
987  ThenIRB.CreateCall(DFSF.DFS.DFSanNonzeroLabelFn, {});
988  }
989  }
990  }
991 
992  return false;
993 }
994 
995 Value *DFSanFunction::getArgTLSPtr() {
996  if (ArgTLSPtr)
997  return ArgTLSPtr;
998  if (DFS.ArgTLS)
999  return ArgTLSPtr = DFS.ArgTLS;
1000 
1001  IRBuilder<> IRB(&F->getEntryBlock().front());
1002  return ArgTLSPtr = IRB.CreateCall(DFS.GetArgTLSTy, DFS.GetArgTLS, {});
1003 }
1004 
1005 Value *DFSanFunction::getRetvalTLS() {
1006  if (RetvalTLSPtr)
1007  return RetvalTLSPtr;
1008  if (DFS.RetvalTLS)
1009  return RetvalTLSPtr = DFS.RetvalTLS;
1010 
1011  IRBuilder<> IRB(&F->getEntryBlock().front());
1012  return RetvalTLSPtr =
1013  IRB.CreateCall(DFS.GetRetvalTLSTy, DFS.GetRetvalTLS, {});
1014 }
1015 
1016 Value *DFSanFunction::getArgTLS(unsigned Idx, Instruction *Pos) {
1017  IRBuilder<> IRB(Pos);
1018  return IRB.CreateConstGEP2_64(ArrayType::get(DFS.ShadowTy, 64),
1019  getArgTLSPtr(), 0, Idx);
1020 }
1021 
1022 Value *DFSanFunction::getShadow(Value *V) {
1023  if (!isa<Argument>(V) && !isa<Instruction>(V))
1024  return DFS.ZeroShadow;
1025  Value *&Shadow = ValShadowMap[V];
1026  if (!Shadow) {
1027  if (Argument *A = dyn_cast<Argument>(V)) {
1028  if (IsNativeABI)
1029  return DFS.ZeroShadow;
1030  switch (IA) {
1031  case DataFlowSanitizer::IA_TLS: {
1032  Value *ArgTLSPtr = getArgTLSPtr();
1033  Instruction *ArgTLSPos =
1034  DFS.ArgTLS ? &*F->getEntryBlock().begin()
1035  : cast<Instruction>(ArgTLSPtr)->getNextNode();
1036  IRBuilder<> IRB(ArgTLSPos);
1037  Shadow =
1038  IRB.CreateLoad(DFS.ShadowTy, getArgTLS(A->getArgNo(), ArgTLSPos));
1039  break;
1040  }
1041  case DataFlowSanitizer::IA_Args: {
1042  unsigned ArgIdx = A->getArgNo() + F->arg_size() / 2;
1044  while (ArgIdx--)
1045  ++i;
1046  Shadow = &*i;
1047  assert(Shadow->getType() == DFS.ShadowTy);
1048  break;
1049  }
1050  }
1051  NonZeroChecks.push_back(Shadow);
1052  } else {
1053  Shadow = DFS.ZeroShadow;
1054  }
1055  }
1056  return Shadow;
1057 }
1058 
1059 void DFSanFunction::setShadow(Instruction *I, Value *Shadow) {
1060  assert(!ValShadowMap.count(I));
1061  assert(Shadow->getType() == DFS.ShadowTy);
1062  ValShadowMap[I] = Shadow;
1063 }
1064 
1065 Value *DataFlowSanitizer::getShadowAddress(Value *Addr, Instruction *Pos) {
1066  assert(Addr != RetvalTLS && "Reinstrumenting?");
1067  IRBuilder<> IRB(Pos);
1068  Value *ShadowPtrMaskValue;
1069  if (DFSanRuntimeShadowMask)
1070  ShadowPtrMaskValue = IRB.CreateLoad(IntptrTy, ExternalShadowMask);
1071  else
1072  ShadowPtrMaskValue = ShadowPtrMask;
1073  return IRB.CreateIntToPtr(
1074  IRB.CreateMul(
1075  IRB.CreateAnd(IRB.CreatePtrToInt(Addr, IntptrTy),
1076  IRB.CreatePtrToInt(ShadowPtrMaskValue, IntptrTy)),
1077  ShadowPtrMul),
1078  ShadowPtrTy);
1079 }
1080 
1081 // Generates IR to compute the union of the two given shadows, inserting it
1082 // before Pos. Returns the computed union Value.
1083 Value *DFSanFunction::combineShadows(Value *V1, Value *V2, Instruction *Pos) {
1084  if (V1 == DFS.ZeroShadow)
1085  return V2;
1086  if (V2 == DFS.ZeroShadow)
1087  return V1;
1088  if (V1 == V2)
1089  return V1;
1090 
1091  auto V1Elems = ShadowElements.find(V1);
1092  auto V2Elems = ShadowElements.find(V2);
1093  if (V1Elems != ShadowElements.end() && V2Elems != ShadowElements.end()) {
1094  if (std::includes(V1Elems->second.begin(), V1Elems->second.end(),
1095  V2Elems->second.begin(), V2Elems->second.end())) {
1096  return V1;
1097  } else if (std::includes(V2Elems->second.begin(), V2Elems->second.end(),
1098  V1Elems->second.begin(), V1Elems->second.end())) {
1099  return V2;
1100  }
1101  } else if (V1Elems != ShadowElements.end()) {
1102  if (V1Elems->second.count(V2))
1103  return V1;
1104  } else if (V2Elems != ShadowElements.end()) {
1105  if (V2Elems->second.count(V1))
1106  return V2;
1107  }
1108 
1109  auto Key = std::make_pair(V1, V2);
1110  if (V1 > V2)
1111  std::swap(Key.first, Key.second);
1112  CachedCombinedShadow &CCS = CachedCombinedShadows[Key];
1113  if (CCS.Block && DT.dominates(CCS.Block, Pos->getParent()))
1114  return CCS.Shadow;
1115 
1116  IRBuilder<> IRB(Pos);
1117  if (AvoidNewBlocks) {
1118  CallInst *Call = IRB.CreateCall(DFS.DFSanCheckedUnionFn, {V1, V2});
1119  Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1120  Call->addParamAttr(0, Attribute::ZExt);
1121  Call->addParamAttr(1, Attribute::ZExt);
1122 
1123  CCS.Block = Pos->getParent();
1124  CCS.Shadow = Call;
1125  } else {
1126  BasicBlock *Head = Pos->getParent();
1127  Value *Ne = IRB.CreateICmpNE(V1, V2);
1128  BranchInst *BI = cast<BranchInst>(SplitBlockAndInsertIfThen(
1129  Ne, Pos, /*Unreachable=*/false, DFS.ColdCallWeights, &DT));
1130  IRBuilder<> ThenIRB(BI);
1131  CallInst *Call = ThenIRB.CreateCall(DFS.DFSanUnionFn, {V1, V2});
1132  Call->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1133  Call->addParamAttr(0, Attribute::ZExt);
1134  Call->addParamAttr(1, Attribute::ZExt);
1135 
1136  BasicBlock *Tail = BI->getSuccessor(0);
1137  PHINode *Phi = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front());
1138  Phi->addIncoming(Call, Call->getParent());
1139  Phi->addIncoming(V1, Head);
1140 
1141  CCS.Block = Tail;
1142  CCS.Shadow = Phi;
1143  }
1144 
1145  std::set<Value *> UnionElems;
1146  if (V1Elems != ShadowElements.end()) {
1147  UnionElems = V1Elems->second;
1148  } else {
1149  UnionElems.insert(V1);
1150  }
1151  if (V2Elems != ShadowElements.end()) {
1152  UnionElems.insert(V2Elems->second.begin(), V2Elems->second.end());
1153  } else {
1154  UnionElems.insert(V2);
1155  }
1156  ShadowElements[CCS.Shadow] = std::move(UnionElems);
1157 
1158  return CCS.Shadow;
1159 }
1160 
1161 // A convenience function which folds the shadows of each of the operands
1162 // of the provided instruction Inst, inserting the IR before Inst. Returns
1163 // the computed union Value.
1164 Value *DFSanFunction::combineOperandShadows(Instruction *Inst) {
1165  if (Inst->getNumOperands() == 0)
1166  return DFS.ZeroShadow;
1167 
1168  Value *Shadow = getShadow(Inst->getOperand(0));
1169  for (unsigned i = 1, n = Inst->getNumOperands(); i != n; ++i) {
1170  Shadow = combineShadows(Shadow, getShadow(Inst->getOperand(i)), Inst);
1171  }
1172  return Shadow;
1173 }
1174 
1175 void DFSanVisitor::visitOperandShadowInst(Instruction &I) {
1176  Value *CombinedShadow = DFSF.combineOperandShadows(&I);
1177  DFSF.setShadow(&I, CombinedShadow);
1178 }
1179 
1180 // Generates IR to load shadow corresponding to bytes [Addr, Addr+Size), where
1181 // Addr has alignment Align, and take the union of each of those shadows.
1182 Value *DFSanFunction::loadShadow(Value *Addr, uint64_t Size, uint64_t Align,
1183  Instruction *Pos) {
1184  if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) {
1185  const auto i = AllocaShadowMap.find(AI);
1186  if (i != AllocaShadowMap.end()) {
1187  IRBuilder<> IRB(Pos);
1188  return IRB.CreateLoad(DFS.ShadowTy, i->second);
1189  }
1190  }
1191 
1192  uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8;
1194  GetUnderlyingObjects(Addr, Objs, Pos->getModule()->getDataLayout());
1195  bool AllConstants = true;
1196  for (Value *Obj : Objs) {
1197  if (isa<Function>(Obj) || isa<BlockAddress>(Obj))
1198  continue;
1199  if (isa<GlobalVariable>(Obj) && cast<GlobalVariable>(Obj)->isConstant())
1200  continue;
1201 
1202  AllConstants = false;
1203  break;
1204  }
1205  if (AllConstants)
1206  return DFS.ZeroShadow;
1207 
1208  Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos);
1209  switch (Size) {
1210  case 0:
1211  return DFS.ZeroShadow;
1212  case 1: {
1213  LoadInst *LI = new LoadInst(DFS.ShadowTy, ShadowAddr, "", Pos);
1214  LI->setAlignment(ShadowAlign);
1215  return LI;
1216  }
1217  case 2: {
1218  IRBuilder<> IRB(Pos);
1219  Value *ShadowAddr1 = IRB.CreateGEP(DFS.ShadowTy, ShadowAddr,
1220  ConstantInt::get(DFS.IntptrTy, 1));
1221  return combineShadows(
1222  IRB.CreateAlignedLoad(DFS.ShadowTy, ShadowAddr, ShadowAlign),
1223  IRB.CreateAlignedLoad(DFS.ShadowTy, ShadowAddr1, ShadowAlign), Pos);
1224  }
1225  }
1226  if (!AvoidNewBlocks && Size % (64 / DFS.ShadowWidth) == 0) {
1227  // Fast path for the common case where each byte has identical shadow: load
1228  // shadow 64 bits at a time, fall out to a __dfsan_union_load call if any
1229  // shadow is non-equal.
1230  BasicBlock *FallbackBB = BasicBlock::Create(*DFS.Ctx, "", F);
1231  IRBuilder<> FallbackIRB(FallbackBB);
1232  CallInst *FallbackCall = FallbackIRB.CreateCall(
1233  DFS.DFSanUnionLoadFn,
1234  {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)});
1235  FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1236 
1237  // Compare each of the shadows stored in the loaded 64 bits to each other,
1238  // by computing (WideShadow rotl ShadowWidth) == WideShadow.
1239  IRBuilder<> IRB(Pos);
1240  Value *WideAddr =
1241  IRB.CreateBitCast(ShadowAddr, Type::getInt64PtrTy(*DFS.Ctx));
1242  Value *WideShadow =
1243  IRB.CreateAlignedLoad(IRB.getInt64Ty(), WideAddr, ShadowAlign);
1244  Value *TruncShadow = IRB.CreateTrunc(WideShadow, DFS.ShadowTy);
1245  Value *ShlShadow = IRB.CreateShl(WideShadow, DFS.ShadowWidth);
1246  Value *ShrShadow = IRB.CreateLShr(WideShadow, 64 - DFS.ShadowWidth);
1247  Value *RotShadow = IRB.CreateOr(ShlShadow, ShrShadow);
1248  Value *ShadowsEq = IRB.CreateICmpEQ(WideShadow, RotShadow);
1249 
1250  BasicBlock *Head = Pos->getParent();
1251  BasicBlock *Tail = Head->splitBasicBlock(Pos->getIterator());
1252 
1253  if (DomTreeNode *OldNode = DT.getNode(Head)) {
1254  std::vector<DomTreeNode *> Children(OldNode->begin(), OldNode->end());
1255 
1256  DomTreeNode *NewNode = DT.addNewBlock(Tail, Head);
1257  for (auto Child : Children)
1258  DT.changeImmediateDominator(Child, NewNode);
1259  }
1260 
1261  // In the following code LastBr will refer to the previous basic block's
1262  // conditional branch instruction, whose true successor is fixed up to point
1263  // to the next block during the loop below or to the tail after the final
1264  // iteration.
1265  BranchInst *LastBr = BranchInst::Create(FallbackBB, FallbackBB, ShadowsEq);
1266  ReplaceInstWithInst(Head->getTerminator(), LastBr);
1267  DT.addNewBlock(FallbackBB, Head);
1268 
1269  for (uint64_t Ofs = 64 / DFS.ShadowWidth; Ofs != Size;
1270  Ofs += 64 / DFS.ShadowWidth) {
1271  BasicBlock *NextBB = BasicBlock::Create(*DFS.Ctx, "", F);
1272  DT.addNewBlock(NextBB, LastBr->getParent());
1273  IRBuilder<> NextIRB(NextBB);
1274  WideAddr = NextIRB.CreateGEP(Type::getInt64Ty(*DFS.Ctx), WideAddr,
1275  ConstantInt::get(DFS.IntptrTy, 1));
1276  Value *NextWideShadow = NextIRB.CreateAlignedLoad(NextIRB.getInt64Ty(),
1277  WideAddr, ShadowAlign);
1278  ShadowsEq = NextIRB.CreateICmpEQ(WideShadow, NextWideShadow);
1279  LastBr->setSuccessor(0, NextBB);
1280  LastBr = NextIRB.CreateCondBr(ShadowsEq, FallbackBB, FallbackBB);
1281  }
1282 
1283  LastBr->setSuccessor(0, Tail);
1284  FallbackIRB.CreateBr(Tail);
1285  PHINode *Shadow = PHINode::Create(DFS.ShadowTy, 2, "", &Tail->front());
1286  Shadow->addIncoming(FallbackCall, FallbackBB);
1287  Shadow->addIncoming(TruncShadow, LastBr->getParent());
1288  return Shadow;
1289  }
1290 
1291  IRBuilder<> IRB(Pos);
1292  CallInst *FallbackCall = IRB.CreateCall(
1293  DFS.DFSanUnionLoadFn, {ShadowAddr, ConstantInt::get(DFS.IntptrTy, Size)});
1294  FallbackCall->addAttribute(AttributeList::ReturnIndex, Attribute::ZExt);
1295  return FallbackCall;
1296 }
1297 
1298 void DFSanVisitor::visitLoadInst(LoadInst &LI) {
1299  auto &DL = LI.getModule()->getDataLayout();
1300  uint64_t Size = DL.getTypeStoreSize(LI.getType());
1301  if (Size == 0) {
1302  DFSF.setShadow(&LI, DFSF.DFS.ZeroShadow);
1303  return;
1304  }
1305 
1306  uint64_t Align;
1307  if (ClPreserveAlignment) {
1308  Align = LI.getAlignment();
1309  if (Align == 0)
1310  Align = DL.getABITypeAlignment(LI.getType());
1311  } else {
1312  Align = 1;
1313  }
1314  IRBuilder<> IRB(&LI);
1315  Value *Shadow = DFSF.loadShadow(LI.getPointerOperand(), Size, Align, &LI);
1317  Value *PtrShadow = DFSF.getShadow(LI.getPointerOperand());
1318  Shadow = DFSF.combineShadows(Shadow, PtrShadow, &LI);
1319  }
1320  if (Shadow != DFSF.DFS.ZeroShadow)
1321  DFSF.NonZeroChecks.push_back(Shadow);
1322 
1323  DFSF.setShadow(&LI, Shadow);
1324 }
1325 
1326 void DFSanFunction::storeShadow(Value *Addr, uint64_t Size, uint64_t Align,
1327  Value *Shadow, Instruction *Pos) {
1328  if (AllocaInst *AI = dyn_cast<AllocaInst>(Addr)) {
1329  const auto i = AllocaShadowMap.find(AI);
1330  if (i != AllocaShadowMap.end()) {
1331  IRBuilder<> IRB(Pos);
1332  IRB.CreateStore(Shadow, i->second);
1333  return;
1334  }
1335  }
1336 
1337  uint64_t ShadowAlign = Align * DFS.ShadowWidth / 8;
1338  IRBuilder<> IRB(Pos);
1339  Value *ShadowAddr = DFS.getShadowAddress(Addr, Pos);
1340  if (Shadow == DFS.ZeroShadow) {
1341  IntegerType *ShadowTy = IntegerType::get(*DFS.Ctx, Size * DFS.ShadowWidth);
1342  Value *ExtZeroShadow = ConstantInt::get(ShadowTy, 0);
1343  Value *ExtShadowAddr =
1344  IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowTy));
1345  IRB.CreateAlignedStore(ExtZeroShadow, ExtShadowAddr, ShadowAlign);
1346  return;
1347  }
1348 
1349  const unsigned ShadowVecSize = 128 / DFS.ShadowWidth;
1350  uint64_t Offset = 0;
1351  if (Size >= ShadowVecSize) {
1352  VectorType *ShadowVecTy = VectorType::get(DFS.ShadowTy, ShadowVecSize);
1353  Value *ShadowVec = UndefValue::get(ShadowVecTy);
1354  for (unsigned i = 0; i != ShadowVecSize; ++i) {
1355  ShadowVec = IRB.CreateInsertElement(
1356  ShadowVec, Shadow, ConstantInt::get(Type::getInt32Ty(*DFS.Ctx), i));
1357  }
1358  Value *ShadowVecAddr =
1359  IRB.CreateBitCast(ShadowAddr, PointerType::getUnqual(ShadowVecTy));
1360  do {
1361  Value *CurShadowVecAddr =
1362  IRB.CreateConstGEP1_32(ShadowVecTy, ShadowVecAddr, Offset);
1363  IRB.CreateAlignedStore(ShadowVec, CurShadowVecAddr, ShadowAlign);
1364  Size -= ShadowVecSize;
1365  ++Offset;
1366  } while (Size >= ShadowVecSize);
1367  Offset *= ShadowVecSize;
1368  }
1369  while (Size > 0) {
1370  Value *CurShadowAddr =
1371  IRB.CreateConstGEP1_32(DFS.ShadowTy, ShadowAddr, Offset);
1372  IRB.CreateAlignedStore(Shadow, CurShadowAddr, ShadowAlign);
1373  --Size;
1374  ++Offset;
1375  }
1376 }
1377 
1378 void DFSanVisitor::visitStoreInst(StoreInst &SI) {
1379  auto &DL = SI.getModule()->getDataLayout();
1380  uint64_t Size = DL.getTypeStoreSize(SI.getValueOperand()->getType());
1381  if (Size == 0)
1382  return;
1383 
1384  uint64_t Align;
1385  if (ClPreserveAlignment) {
1386  Align = SI.getAlignment();
1387  if (Align == 0)
1388  Align = DL.getABITypeAlignment(SI.getValueOperand()->getType());
1389  } else {
1390  Align = 1;
1391  }
1392 
1393  Value* Shadow = DFSF.getShadow(SI.getValueOperand());
1395  Value *PtrShadow = DFSF.getShadow(SI.getPointerOperand());
1396  Shadow = DFSF.combineShadows(Shadow, PtrShadow, &SI);
1397  }
1398  DFSF.storeShadow(SI.getPointerOperand(), Size, Align, Shadow, &SI);
1399 }
1400 
1401 void DFSanVisitor::visitBinaryOperator(BinaryOperator &BO) {
1402  visitOperandShadowInst(BO);
1403 }
1404 
1405 void DFSanVisitor::visitCastInst(CastInst &CI) { visitOperandShadowInst(CI); }
1406 
1407 void DFSanVisitor::visitCmpInst(CmpInst &CI) { visitOperandShadowInst(CI); }
1408 
1409 void DFSanVisitor::visitGetElementPtrInst(GetElementPtrInst &GEPI) {
1410  visitOperandShadowInst(GEPI);
1411 }
1412 
1413 void DFSanVisitor::visitExtractElementInst(ExtractElementInst &I) {
1414  visitOperandShadowInst(I);
1415 }
1416 
1417 void DFSanVisitor::visitInsertElementInst(InsertElementInst &I) {
1418  visitOperandShadowInst(I);
1419 }
1420 
1421 void DFSanVisitor::visitShuffleVectorInst(ShuffleVectorInst &I) {
1422  visitOperandShadowInst(I);
1423 }
1424 
1425 void DFSanVisitor::visitExtractValueInst(ExtractValueInst &I) {
1426  visitOperandShadowInst(I);
1427 }
1428 
1429 void DFSanVisitor::visitInsertValueInst(InsertValueInst &I) {
1430  visitOperandShadowInst(I);
1431 }
1432 
1433 void DFSanVisitor::visitAllocaInst(AllocaInst &I) {
1434  bool AllLoadsStores = true;
1435  for (User *U : I.users()) {
1436  if (isa<LoadInst>(U))
1437  continue;
1438 
1439  if (StoreInst *SI = dyn_cast<StoreInst>(U)) {
1440  if (SI->getPointerOperand() == &I)
1441  continue;
1442  }
1443 
1444  AllLoadsStores = false;
1445  break;
1446  }
1447  if (AllLoadsStores) {
1448  IRBuilder<> IRB(&I);
1449  DFSF.AllocaShadowMap[&I] = IRB.CreateAlloca(DFSF.DFS.ShadowTy);
1450  }
1451  DFSF.setShadow(&I, DFSF.DFS.ZeroShadow);
1452 }
1453 
1454 void DFSanVisitor::visitSelectInst(SelectInst &I) {
1455  Value *CondShadow = DFSF.getShadow(I.getCondition());
1456  Value *TrueShadow = DFSF.getShadow(I.getTrueValue());
1457  Value *FalseShadow = DFSF.getShadow(I.getFalseValue());
1458 
1459  if (isa<VectorType>(I.getCondition()->getType())) {
1460  DFSF.setShadow(
1461  &I,
1462  DFSF.combineShadows(
1463  CondShadow, DFSF.combineShadows(TrueShadow, FalseShadow, &I), &I));
1464  } else {
1465  Value *ShadowSel;
1466  if (TrueShadow == FalseShadow) {
1467  ShadowSel = TrueShadow;
1468  } else {
1469  ShadowSel =
1470  SelectInst::Create(I.getCondition(), TrueShadow, FalseShadow, "", &I);
1471  }
1472  DFSF.setShadow(&I, DFSF.combineShadows(CondShadow, ShadowSel, &I));
1473  }
1474 }
1475 
1476 void DFSanVisitor::visitMemSetInst(MemSetInst &I) {
1477  IRBuilder<> IRB(&I);
1478  Value *ValShadow = DFSF.getShadow(I.getValue());
1479  IRB.CreateCall(DFSF.DFS.DFSanSetLabelFn,
1480  {ValShadow, IRB.CreateBitCast(I.getDest(), Type::getInt8PtrTy(
1481  *DFSF.DFS.Ctx)),
1482  IRB.CreateZExtOrTrunc(I.getLength(), DFSF.DFS.IntptrTy)});
1483 }
1484 
1485 void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) {
1486  IRBuilder<> IRB(&I);
1487  Value *DestShadow = DFSF.DFS.getShadowAddress(I.getDest(), &I);
1488  Value *SrcShadow = DFSF.DFS.getShadowAddress(I.getSource(), &I);
1489  Value *LenShadow = IRB.CreateMul(
1490  I.getLength(),
1491  ConstantInt::get(I.getLength()->getType(), DFSF.DFS.ShadowWidth / 8));
1492  Type *Int8Ptr = Type::getInt8PtrTy(*DFSF.DFS.Ctx);
1493  DestShadow = IRB.CreateBitCast(DestShadow, Int8Ptr);
1494  SrcShadow = IRB.CreateBitCast(SrcShadow, Int8Ptr);
1495  auto *MTI = cast<MemTransferInst>(
1497  {DestShadow, SrcShadow, LenShadow, I.getVolatileCst()}));
1498  if (ClPreserveAlignment) {
1499  MTI->setDestAlignment(I.getDestAlignment() * (DFSF.DFS.ShadowWidth / 8));
1500  MTI->setSourceAlignment(I.getSourceAlignment() * (DFSF.DFS.ShadowWidth / 8));
1501  } else {
1502  MTI->setDestAlignment(DFSF.DFS.ShadowWidth / 8);
1503  MTI->setSourceAlignment(DFSF.DFS.ShadowWidth / 8);
1504  }
1505 }
1506 
1507 void DFSanVisitor::visitReturnInst(ReturnInst &RI) {
1508  if (!DFSF.IsNativeABI && RI.getReturnValue()) {
1509  switch (DFSF.IA) {
1510  case DataFlowSanitizer::IA_TLS: {
1511  Value *S = DFSF.getShadow(RI.getReturnValue());
1512  IRBuilder<> IRB(&RI);
1513  IRB.CreateStore(S, DFSF.getRetvalTLS());
1514  break;
1515  }
1516  case DataFlowSanitizer::IA_Args: {
1517  IRBuilder<> IRB(&RI);
1518  Type *RT = DFSF.F->getFunctionType()->getReturnType();
1519  Value *InsVal =
1521  Value *InsShadow =
1522  IRB.CreateInsertValue(InsVal, DFSF.getShadow(RI.getReturnValue()), 1);
1523  RI.setOperand(0, InsShadow);
1524  break;
1525  }
1526  }
1527  }
1528 }
1529 
1530 void DFSanVisitor::visitCallSite(CallSite CS) {
1531  Function *F = CS.getCalledFunction();
1532  if ((F && F->isIntrinsic()) || isa<InlineAsm>(CS.getCalledValue())) {
1533  visitOperandShadowInst(*CS.getInstruction());
1534  return;
1535  }
1536 
1537  // Calls to this function are synthesized in wrappers, and we shouldn't
1538  // instrument them.
1539  if (F == DFSF.DFS.DFSanVarargWrapperFn.getCallee()->stripPointerCasts())
1540  return;
1541 
1542  IRBuilder<> IRB(CS.getInstruction());
1543 
1545  DFSF.DFS.UnwrappedFnMap.find(CS.getCalledValue());
1546  if (i != DFSF.DFS.UnwrappedFnMap.end()) {
1547  Function *F = i->second;
1548  switch (DFSF.DFS.getWrapperKind(F)) {
1549  case DataFlowSanitizer::WK_Warning:
1550  CS.setCalledFunction(F);
1551  IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn,
1552  IRB.CreateGlobalStringPtr(F->getName()));
1553  DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow);
1554  return;
1555  case DataFlowSanitizer::WK_Discard:
1556  CS.setCalledFunction(F);
1557  DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow);
1558  return;
1559  case DataFlowSanitizer::WK_Functional:
1560  CS.setCalledFunction(F);
1561  visitOperandShadowInst(*CS.getInstruction());
1562  return;
1563  case DataFlowSanitizer::WK_Custom:
1564  // Don't try to handle invokes of custom functions, it's too complicated.
1565  // Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_
1566  // wrapper.
1567  if (CallInst *CI = dyn_cast<CallInst>(CS.getInstruction())) {
1568  FunctionType *FT = F->getFunctionType();
1569  TransformedFunction CustomFn = DFSF.DFS.getCustomFunctionType(FT);
1570  std::string CustomFName = "__dfsw_";
1571  CustomFName += F->getName();
1572  FunctionCallee CustomF = DFSF.DFS.Mod->getOrInsertFunction(
1573  CustomFName, CustomFn.TransformedType);
1574  if (Function *CustomFn = dyn_cast<Function>(CustomF.getCallee())) {
1575  CustomFn->copyAttributesFrom(F);
1576 
1577  // Custom functions returning non-void will write to the return label.
1578  if (!FT->getReturnType()->isVoidTy()) {
1579  CustomFn->removeAttributes(AttributeList::FunctionIndex,
1580  DFSF.DFS.ReadOnlyNoneAttrs);
1581  }
1582  }
1583 
1584  std::vector<Value *> Args;
1585 
1587  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n) {
1588  Type *T = (*i)->getType();
1589  FunctionType *ParamFT;
1590  if (isa<PointerType>(T) &&
1591  (ParamFT = dyn_cast<FunctionType>(
1592  cast<PointerType>(T)->getElementType()))) {
1593  std::string TName = "dfst";
1594  TName += utostr(FT->getNumParams() - n);
1595  TName += "$";
1596  TName += F->getName();
1597  Constant *T = DFSF.DFS.getOrBuildTrampolineFunction(ParamFT, TName);
1598  Args.push_back(T);
1599  Args.push_back(
1600  IRB.CreateBitCast(*i, Type::getInt8PtrTy(*DFSF.DFS.Ctx)));
1601  } else {
1602  Args.push_back(*i);
1603  }
1604  }
1605 
1606  i = CS.arg_begin();
1607  const unsigned ShadowArgStart = Args.size();
1608  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1609  Args.push_back(DFSF.getShadow(*i));
1610 
1611  if (FT->isVarArg()) {
1612  auto *LabelVATy = ArrayType::get(DFSF.DFS.ShadowTy,
1613  CS.arg_size() - FT->getNumParams());
1614  auto *LabelVAAlloca = new AllocaInst(
1615  LabelVATy, getDataLayout().getAllocaAddrSpace(),
1616  "labelva", &DFSF.F->getEntryBlock().front());
1617 
1618  for (unsigned n = 0; i != CS.arg_end(); ++i, ++n) {
1619  auto LabelVAPtr = IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, n);
1620  IRB.CreateStore(DFSF.getShadow(*i), LabelVAPtr);
1621  }
1622 
1623  Args.push_back(IRB.CreateStructGEP(LabelVATy, LabelVAAlloca, 0));
1624  }
1625 
1626  if (!FT->getReturnType()->isVoidTy()) {
1627  if (!DFSF.LabelReturnAlloca) {
1628  DFSF.LabelReturnAlloca =
1629  new AllocaInst(DFSF.DFS.ShadowTy,
1630  getDataLayout().getAllocaAddrSpace(),
1631  "labelreturn", &DFSF.F->getEntryBlock().front());
1632  }
1633  Args.push_back(DFSF.LabelReturnAlloca);
1634  }
1635 
1636  for (i = CS.arg_begin() + FT->getNumParams(); i != CS.arg_end(); ++i)
1637  Args.push_back(*i);
1638 
1639  CallInst *CustomCI = IRB.CreateCall(CustomF, Args);
1640  CustomCI->setCallingConv(CI->getCallingConv());
1641  CustomCI->setAttributes(TransformFunctionAttributes(CustomFn,
1642  CI->getContext(), CI->getAttributes()));
1643 
1644  // Update the parameter attributes of the custom call instruction to
1645  // zero extend the shadow parameters. This is required for targets
1646  // which consider ShadowTy an illegal type.
1647  for (unsigned n = 0; n < FT->getNumParams(); n++) {
1648  const unsigned ArgNo = ShadowArgStart + n;
1649  if (CustomCI->getArgOperand(ArgNo)->getType() == DFSF.DFS.ShadowTy)
1650  CustomCI->addParamAttr(ArgNo, Attribute::ZExt);
1651  }
1652 
1653  if (!FT->getReturnType()->isVoidTy()) {
1654  LoadInst *LabelLoad =
1655  IRB.CreateLoad(DFSF.DFS.ShadowTy, DFSF.LabelReturnAlloca);
1656  DFSF.setShadow(CustomCI, LabelLoad);
1657  }
1658 
1659  CI->replaceAllUsesWith(CustomCI);
1660  CI->eraseFromParent();
1661  return;
1662  }
1663  break;
1664  }
1665  }
1666 
1667  FunctionType *FT = cast<FunctionType>(
1669  if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
1670  for (unsigned i = 0, n = FT->getNumParams(); i != n; ++i) {
1671  IRB.CreateStore(DFSF.getShadow(CS.getArgument(i)),
1672  DFSF.getArgTLS(i, CS.getInstruction()));
1673  }
1674  }
1675 
1676  Instruction *Next = nullptr;
1677  if (!CS.getType()->isVoidTy()) {
1678  if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) {
1679  if (II->getNormalDest()->getSinglePredecessor()) {
1680  Next = &II->getNormalDest()->front();
1681  } else {
1682  BasicBlock *NewBB =
1683  SplitEdge(II->getParent(), II->getNormalDest(), &DFSF.DT);
1684  Next = &NewBB->front();
1685  }
1686  } else {
1687  assert(CS->getIterator() != CS->getParent()->end());
1688  Next = CS->getNextNode();
1689  }
1690 
1691  if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
1692  IRBuilder<> NextIRB(Next);
1693  LoadInst *LI = NextIRB.CreateLoad(DFSF.DFS.ShadowTy, DFSF.getRetvalTLS());
1694  DFSF.SkipInsts.insert(LI);
1695  DFSF.setShadow(CS.getInstruction(), LI);
1696  DFSF.NonZeroChecks.push_back(LI);
1697  }
1698  }
1699 
1700  // Do all instrumentation for IA_Args down here to defer tampering with the
1701  // CFG in a way that SplitEdge may be able to detect.
1702  if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) {
1703  FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT);
1704  Value *Func =
1705  IRB.CreateBitCast(CS.getCalledValue(), PointerType::getUnqual(NewFT));
1706  std::vector<Value *> Args;
1707 
1708  CallSite::arg_iterator i = CS.arg_begin(), e = CS.arg_end();
1709  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1710  Args.push_back(*i);
1711 
1712  i = CS.arg_begin();
1713  for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
1714  Args.push_back(DFSF.getShadow(*i));
1715 
1716  if (FT->isVarArg()) {
1717  unsigned VarArgSize = CS.arg_size() - FT->getNumParams();
1718  ArrayType *VarArgArrayTy = ArrayType::get(DFSF.DFS.ShadowTy, VarArgSize);
1719  AllocaInst *VarArgShadow =
1720  new AllocaInst(VarArgArrayTy, getDataLayout().getAllocaAddrSpace(),
1721  "", &DFSF.F->getEntryBlock().front());
1722  Args.push_back(IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, 0));
1723  for (unsigned n = 0; i != e; ++i, ++n) {
1724  IRB.CreateStore(
1725  DFSF.getShadow(*i),
1726  IRB.CreateConstGEP2_32(VarArgArrayTy, VarArgShadow, 0, n));
1727  Args.push_back(*i);
1728  }
1729  }
1730 
1731  CallSite NewCS;
1732  if (InvokeInst *II = dyn_cast<InvokeInst>(CS.getInstruction())) {
1733  NewCS = IRB.CreateInvoke(NewFT, Func, II->getNormalDest(),
1734  II->getUnwindDest(), Args);
1735  } else {
1736  NewCS = IRB.CreateCall(NewFT, Func, Args);
1737  }
1738  NewCS.setCallingConv(CS.getCallingConv());
1740  *DFSF.DFS.Ctx, AttributeList::ReturnIndex,
1742 
1743  if (Next) {
1744  ExtractValueInst *ExVal =
1745  ExtractValueInst::Create(NewCS.getInstruction(), 0, "", Next);
1746  DFSF.SkipInsts.insert(ExVal);
1747  ExtractValueInst *ExShadow =
1748  ExtractValueInst::Create(NewCS.getInstruction(), 1, "", Next);
1749  DFSF.SkipInsts.insert(ExShadow);
1750  DFSF.setShadow(ExVal, ExShadow);
1751  DFSF.NonZeroChecks.push_back(ExShadow);
1752 
1753  CS.getInstruction()->replaceAllUsesWith(ExVal);
1754  }
1755 
1757  }
1758 }
1759 
1760 void DFSanVisitor::visitPHINode(PHINode &PN) {
1761  PHINode *ShadowPN =
1762  PHINode::Create(DFSF.DFS.ShadowTy, PN.getNumIncomingValues(), "", &PN);
1763 
1764  // Give the shadow phi node valid predecessors to fool SplitEdge into working.
1765  Value *UndefShadow = UndefValue::get(DFSF.DFS.ShadowTy);
1766  for (PHINode::block_iterator i = PN.block_begin(), e = PN.block_end(); i != e;
1767  ++i) {
1768  ShadowPN->addIncoming(UndefShadow, *i);
1769  }
1770 
1771  DFSF.PHIFixups.push_back(std::make_pair(&PN, ShadowPN));
1772  DFSF.setShadow(&PN, ShadowPN);
1773 }
size_t size() const
Definition: Function.h:660
bool isVarArg() const
isVarArg - Return true if this function takes a variable number of arguments.
Definition: Function.h:176
IterTy arg_end() const
Definition: CallSite.h:583
uint64_t CallInst * C
Return a value (possibly void), from a function.
Value * getValueOperand()
Definition: Instructions.h:409
bool isIntrinsic() const
isIntrinsic - Returns true if the function&#39;s name starts with "llvm.".
Definition: Function.h:198
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks &#39;this&#39; from the containing basic block and deletes it.
Definition: Instruction.cpp:67
static cl::list< std::string > ClABIListFiles("dfsan-abilist", cl::desc("File listing native ABI functions and how the pass treats them"), cl::Hidden)
A parsed version of the target data layout string in and methods for querying it. ...
Definition: DataLayout.h:110
constexpr char Align[]
Key for Kernel::Arg::Metadata::mAlign.
const std::string & getTargetTriple() const
Get the target triple which is a string describing the target host.
Definition: Module.h:240
BranchInst * CreateCondBr(Value *Cond, BasicBlock *True, BasicBlock *False, MDNode *BranchWeights=nullptr, MDNode *Unpredictable=nullptr)
Create a conditional &#39;br Cond, TrueDest, FalseDest&#39; instruction.
Definition: IRBuilder.h:853
const GlobalObject * getBaseObject() const
void ReplaceInstWithInst(BasicBlock::InstListType &BIL, BasicBlock::iterator &BI, Instruction *I)
Replace the instruction specified by BI with the instruction specified by I.
This class is the base class for the comparison instructions.
Definition: InstrTypes.h:636
Value * CreateConstGEP1_32(Value *Ptr, unsigned Idx0, const Twine &Name="")
Definition: IRBuilder.h:1551
static bool isConstant(const MachineInstr &MI)
bool hasLocalLinkage() const
Definition: GlobalValue.h:435
void addIncoming(Value *V, BasicBlock *BB)
Add an incoming value to the end of the PHI list.
This instruction extracts a struct member or array element value from an aggregate value...
This class represents an incoming formal argument to a Function.
Definition: Argument.h:29
AllocaInst * CreateAlloca(Type *Ty, unsigned AddrSpace, Value *ArraySize=nullptr, const Twine &Name="")
Definition: IRBuilder.h:1379
Base class for instruction visitors.
Definition: InstVisitor.h:80
Value * CreateICmpNE(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1878
NodeTy * getNextNode()
Get the next node, or nullptr for the list tail.
Definition: ilist_node.h:288
IterTy arg_begin() const
Definition: CallSite.h:579
LLVM_ATTRIBUTE_NORETURN void report_fatal_error(Error Err, bool gen_crash_diag=true)
Report a serious error, calling any installed error handler.
Definition: Error.cpp:139
This class represents lattice values for constants.
Definition: AllocatorList.h:23
Type * getParamType(unsigned i) const
Parameter type accessors.
Definition: DerivedTypes.h:134
void setAttributes(AttributeList PAL)
Set the parameter attributes of the call.
Definition: CallSite.h:341
LoadInst * CreateLoad(Type *Ty, Value *Ptr, const char *Name)
Provided to resolve &#39;CreateLoad(Ty, Ptr, "...")&#39; correctly, instead of converting the string to &#39;bool...
Definition: IRBuilder.h:1392
A Module instance is used to store all the information related to an LLVM module. ...
Definition: Module.h:65
LoadInst * CreateAlignedLoad(Type *Ty, Value *Ptr, unsigned Align, const char *Name)
Provided to resolve &#39;CreateAlignedLoad(Ptr, Align, "...")&#39; correctly, instead of converting the strin...
Definition: IRBuilder.h:1428
static CallInst * Create(FunctionType *Ty, Value *F, const Twine &NameStr="", Instruction *InsertBefore=nullptr)
A handy container for a FunctionType+Callee-pointer pair, which can be passed around as a single enti...
Definition: DerivedTypes.h:164
Implements a dense probed hash-table based set.
Definition: DenseSet.h:249
void push_back(const T &Elt)
Definition: SmallVector.h:211
void recalculate(ParentType &Func)
recalculate - compute a dominator tree for the given function
bool removeUnreachableBlocks(Function &F, LazyValueInfo *LVI=nullptr, DomTreeUpdater *DTU=nullptr, MemorySSAUpdater *MSSAU=nullptr)
Remove all blocks that can not be reached from the function&#39;s entry.
Definition: Local.cpp:2204
This class represents a function call, abstracting a target machine&#39;s calling convention.
unsigned getSourceAlignment() const
const Value * getTrueValue() const
Value * getValue() const
static Constant * getIntToPtr(Constant *C, Type *Ty, bool OnlyIfReduced=false)
Definition: Constants.cpp:1769
void setCallingConv(CallingConv::ID CC)
Set the calling convention of the call.
Definition: CallSite.h:324
This instruction constructs a fixed permutation of two input vectors.
static SelectInst * Create(Value *C, Value *S1, Value *S2, const Twine &NameStr="", Instruction *InsertBefore=nullptr, Instruction *MDFrom=nullptr)
LLVMContext & getContext() const
All values hold a context through their type.
Definition: Value.cpp:709
bool isTerminator() const
Definition: Instruction.h:128
This class wraps the llvm.memset intrinsic.
BasicBlock * getSuccessor(unsigned i) const
arg_iterator arg_end()
Definition: Function.h:679
static cl::opt< bool > ClCombinePointerLabelsOnStore("dfsan-combine-pointer-labels-on-store", cl::desc("Combine the label of the pointer with the label of the data when " "storing in memory."), cl::Hidden, cl::init(false))
Metadata node.
Definition: Metadata.h:863
F(f)
param_iterator param_end() const
Definition: DerivedTypes.h:128
An instruction for reading from memory.
Definition: Instructions.h:167
FunTy * getCalledFunction() const
Return the function being called if this is a direct call, otherwise return null (if it&#39;s an indirect...
Definition: CallSite.h:111
static IntegerType * getInt64Ty(LLVMContext &C)
Definition: Type.cpp:176
const Instruction * getTerminator() const LLVM_READONLY
Returns the terminator instruction if the block is well formed or null if the block is not well forme...
Definition: BasicBlock.cpp:137
void addAttribute(unsigned i, Attribute::AttrKind Kind)
adds the attribute to the list of attributes.
Definition: InstrTypes.h:1297
Value * getLength() const
INITIALIZE_PASS(DataFlowSanitizer, "dfsan", "DataFlowSanitizer: dynamic data flow analysis.", false, false) ModulePass *llvm
static PointerType * getInt64PtrTy(LLVMContext &C, unsigned AS=0)
Definition: Type.cpp:231
static std::unique_ptr< SpecialCaseList > createOrDie(const std::vector< std::string > &Paths)
Parses the special case list entries from files.
void eraseFromParent()
eraseFromParent - This method unlinks &#39;this&#39; from the containing module and deletes it...
Definition: Globals.cpp:455
CallingConv::ID getCallingConv() const
Get the calling convention of the call.
Definition: CallSite.h:320
block_iterator block_end()
Value * getDest() const
This is just like getRawDest, but it strips off any cast instructions (including addrspacecast) that ...
StoreInst * CreateAlignedStore(Value *Val, Value *Ptr, unsigned Align, bool isVolatile=false)
Definition: IRBuilder.h:1465
iterator begin()
Instruction iterator methods.
Definition: BasicBlock.h:268
BasicBlock * SplitEdge(BasicBlock *From, BasicBlock *To, DominatorTree *DT=nullptr, LoopInfo *LI=nullptr, MemorySSAUpdater *MSSAU=nullptr)
Split the edge connecting specified block.
static ReturnInst * Create(LLVMContext &C, Value *retVal=nullptr, Instruction *InsertBefore=nullptr)
Value * getArgOperand(unsigned i) const
Definition: InstrTypes.h:1155
static cl::opt< bool > ClArgsABI("dfsan-args-abi", cl::desc("Use the argument ABI rather than the TLS ABI"), cl::Hidden)
The address of a basic block.
Definition: Constants.h:839
Definition: BitVector.h:937
This class represents the LLVM &#39;select&#39; instruction.
Type * getPointerElementType() const
Definition: Type.h:375
const DataLayout & getDataLayout() const
Get the data layout for the module&#39;s target platform.
Definition: Module.cpp:369
IntegerType * getInt64Ty()
Fetch the type representing a 64-bit integer.
Definition: IRBuilder.h:351
This is the base class for all instructions that perform data casts.
Definition: InstrTypes.h:353
ArrayRef< T > makeArrayRef(const T &OneElt)
Construct an ArrayRef from a single element.
Definition: ArrayRef.h:450
Class to represent struct types.
Definition: DerivedTypes.h:232
LLVMContext & getContext() const
Get the global data context.
Definition: Module.h:244
ValTy * getCalledValue() const
Return the pointer to function that is being called.
Definition: CallSite.h:104
PointerType * getPointerTo(unsigned AddrSpace=0) const
Return a pointer to the current type.
Definition: Type.cpp:651
This provides a uniform API for creating instructions and inserting them into a basic block: either a...
Definition: IRBuilder.h:742
This file contains the simple types necessary to represent the attributes associated with functions a...
AttributeSet getRetAttributes() const
The attributes for the ret value are returned.
void setModuleInlineAsm(StringRef Asm)
Set the module-scope inline assembly blocks.
Definition: Module.h:287
void setName(const Twine &Name)
Change the name of the value.
Definition: Value.cpp:285
unsigned getDestAlignment() const
Type * getType() const
Return the type of the instruction that generated this call site.
Definition: CallSite.h:272
block_iterator block_begin()
static StructType * get(LLVMContext &Context, ArrayRef< Type *> Elements, bool isPacked=false)
This static method is the primary way to create a literal StructType.
Definition: Type.cpp:341
StoreInst * CreateStore(Value *Val, Value *Ptr, bool isVolatile=false)
Definition: IRBuilder.h:1421
InstrTy * getInstruction() const
Definition: CallSite.h:96
Value * CreateIntToPtr(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1762
Key
PAL metadata keys.
Class to represent function types.
Definition: DerivedTypes.h:102
Value * CreateBitCast(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1767
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:244
LLVM_NODISCARD AttributeList removeAttributes(LLVMContext &C, unsigned Index, const AttrBuilder &AttrsToRemove) const
Remove the specified attributes at the specified index from this attribute list.
ArchType getArch() const
getArch - Get the parsed architecture type of this triple.
Definition: Triple.h:290
Class to represent array types.
Definition: DerivedTypes.h:400
AttributeSet getParamAttributes(unsigned ArgNo) const
The attributes for the argument or parameter at the given index are returned.
bool isVarArg() const
Definition: DerivedTypes.h:122
BasicBlock * getBasicBlock() const
Definition: Constants.h:866
An instruction for storing to memory.
Definition: Instructions.h:320
LinkageTypes getLinkage() const
Definition: GlobalValue.h:450
void replaceAllUsesWith(Value *V)
Change all uses of this to point to a new Value.
Definition: Value.cpp:429
void takeName(Value *V)
Transfer the name from V to this value.
Definition: Value.cpp:291
iterator begin()
Definition: Function.h:655
Concrete subclass of DominatorTreeBase that is used to compute a normal dominator tree...
Definition: Dominators.h:144
Value * getOperand(unsigned i) const
Definition: User.h:169
Class to represent pointers.
Definition: DerivedTypes.h:498
Value * CreateOr(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1217
iterator find(const_arg_type_t< KeyT > Val)
Definition: DenseMap.h:176
static Constant * getBitCast(Constant *C, Type *Ty, bool OnlyIfReduced=false)
Definition: Constants.cpp:1782
bool isVoidTy() const
Return true if this is &#39;void&#39;.
Definition: Type.h:140
const BasicBlock & getEntryBlock() const
Definition: Function.h:639
an instruction for type-safe pointer arithmetic to access elements of arrays and structs ...
Definition: Instructions.h:873
IntegerType * getIntPtrType(LLVMContext &C, unsigned AddressSpace=0) const
Returns an integer type with size at least as big as that of a pointer in the given address space...
Definition: DataLayout.cpp:769
Same, but only replaced by something equivalent.
Definition: GlobalValue.h:51
initializer< Ty > init(const Ty &Val)
Definition: CommandLine.h:423
This instruction inserts a single (scalar) element into a VectorType value.
static Function * Create(FunctionType *Ty, LinkageTypes Linkage, unsigned AddrSpace, const Twine &N="", Module *M=nullptr)
Definition: Function.h:135
void setCalledFunction(Value *V)
Set the callee to the specified value.
Definition: CallSite.h:130
Value * getCalledValue() const
Definition: InstrTypes.h:1194
LLVM Basic Block Representation.
Definition: BasicBlock.h:57
LLVM_NODISCARD AttributeList addParamAttribute(LLVMContext &C, unsigned ArgNo, Attribute::AttrKind Kind) const
Add an argument attribute to the list.
Definition: Attributes.h:402
The instances of the Type class are immutable: once they are created, they are never changed...
Definition: Type.h:45
This is an important class for using LLVM in a threaded context.
Definition: LLVMContext.h:64
Conditional or Unconditional Branch instruction.
static ExtractValueInst * Create(Value *Agg, ArrayRef< unsigned > Idxs, const Twine &NameStr="", Instruction *InsertBefore=nullptr)
static BlockAddress * get(Function *F, BasicBlock *BB)
Return a BlockAddress for the specified function and basic block.
Definition: Constants.cpp:1443
This function has undefined behavior.
This is an important base class in LLVM.
Definition: Constant.h:41
void copyAttributesFrom(const Function *Src)
copyAttributesFrom - copy all additional attributes (those not needed to create a Function) from the ...
Definition: Function.cpp:483
This file contains the declarations for the subclasses of Constant, which represent the different fla...
const Instruction & front() const
Definition: BasicBlock.h:280
AttributeList getAttributes() const
Get the parameter attributes of the call.
Definition: CallSite.h:337
FunctionType * getFunctionType() const
Definition: InstrTypes.h:1058
static const char *const kDFSanExternShadowPtrMask
ValTy * getArgument(unsigned ArgNo) const
Definition: CallSite.h:193
unsigned getNumParams() const
Return the number of fixed parameters this function type requires.
Definition: DerivedTypes.h:138
std::pair< iterator, bool > insert(PtrType Ptr)
Inserts Ptr if and only if there is no element in the container equal to Ptr.
Definition: SmallPtrSet.h:370
param_iterator param_begin() const
Definition: DerivedTypes.h:127
static Type * getVoidTy(LLVMContext &C)
Definition: Type.cpp:160
void splice(iterator where, iplist_impl &L2)
Definition: ilist.h:327
static cl::opt< bool > ClDebugNonzeroLabels("dfsan-debug-nonzero-labels", cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, " "load or return with a nonzero label"), cl::Hidden)
unsigned getAddressSpace() const
Definition: Globals.cpp:110
void setCallingConv(CallingConv::ID CC)
Definition: InstrTypes.h:1262
static FunctionType * get(Type *Result, ArrayRef< Type *> Params, bool isVarArg)
This static method is the primary way of constructing a FunctionType.
Definition: Type.cpp:296
size_t arg_size() const
Definition: Function.h:697
Value * getPointerOperand()
Definition: Instructions.h:284
static BasicBlock * Create(LLVMContext &Context, const Twine &Name="", Function *Parent=nullptr, BasicBlock *InsertBefore=nullptr)
Creates a new BasicBlock.
Definition: BasicBlock.h:99
arg_iterator arg_begin()
Definition: Function.h:670
Value * CreateICmpEQ(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1874
size_type count(ConstPtrType Ptr) const
count - Return 1 if the specified pointer is in the set, 0 otherwise.
Definition: SmallPtrSet.h:381
self_iterator getIterator()
Definition: ilist_node.h:81
Class to represent integer types.
Definition: DerivedTypes.h:39
void setAlignment(unsigned Align)
const Value * getCondition() const
static UndefValue * get(Type *T)
Static factory methods - Return an &#39;undef&#39; object of the specified type.
Definition: Constants.cpp:1424
const Constant * stripPointerCasts() const
Definition: Constant.h:177
size_t size() const
Definition: SmallVector.h:52
static PointerType * getInt8PtrTy(LLVMContext &C, unsigned AS=0)
Definition: Type.cpp:219
const std::string & getModuleIdentifier() const
Get the module identifier which is, essentially, the name of the module.
Definition: Module.h:210
MDNode * createBranchWeights(uint32_t TrueWeight, uint32_t FalseWeight)
Return metadata containing two branch weights.
Definition: MDBuilder.cpp:37
Value * CreateMul(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1083
Value * CreateTrunc(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1690
Triple - Helper class for working with autoconf configuration names.
Definition: Triple.h:43
ConstantInt * getVolatileCst() const
void setSuccessor(unsigned idx, BasicBlock *NewSucc)
Value * CreateGEP(Value *Ptr, ArrayRef< Value *> IdxList, const Twine &Name="")
Definition: IRBuilder.h:1493
static IntegerType * get(LLVMContext &C, unsigned NumBits)
This static method is the primary way of constructing an IntegerType.
Definition: Type.cpp:239
void addParamAttr(unsigned ArgNo, Attribute::AttrKind Kind)
Adds the attribute to the indicated argument.
Definition: InstrTypes.h:1311
Iterator for intrusive lists based on ilist_node.
unsigned getNumOperands() const
Definition: User.h:191
SmallPtrSet - This class implements a set which is optimized for holding SmallSize or less elements...
Definition: SmallPtrSet.h:417
static PointerType * getUnqual(Type *ElementType)
This constructs a pointer to an object of the specified type in the generic address space (address sp...
Definition: DerivedTypes.h:513
This is the shared class of boolean and integer constants.
Definition: Constants.h:83
iterator end()
Definition: BasicBlock.h:270
This is a &#39;vector&#39; (really, a variable-sized array), optimized for the case when the array is small...
Definition: SmallVector.h:841
Module.h This file contains the declarations for the Module class.
Value * CreateInsertElement(Value *Vec, Value *NewElt, Value *Idx, const Twine &Name="")
Definition: IRBuilder.h:2090
unsigned arg_size() const
Definition: CallSite.h:226
const DataFlowGraph & G
Definition: RDFGraph.cpp:202
Type * getReturnType() const
Definition: DerivedTypes.h:123
static Constant * get(Type *Ty, uint64_t V, bool isSigned=false)
If Ty is a vector type, return a Constant with a splat of the given value.
Definition: Constants.cpp:631
static ConstantInt * getSigned(IntegerType *Ty, int64_t V)
Return a ConstantInt with the specified value for the specified type.
Definition: Constants.cpp:645
static BranchInst * Create(BasicBlock *IfTrue, Instruction *InsertBefore=nullptr)
static PHINode * Create(Type *Ty, unsigned NumReservedValues, const Twine &NameStr="", Instruction *InsertBefore=nullptr)
Constructors - NumReservedValues is a hint for the number of incoming edges that this phi node will h...
std::string utostr(uint64_t X, bool isNeg=false)
Definition: StringExtras.h:223
User::op_iterator arg_iterator
The type of iterator to use when looping over actual arguments at this call site. ...
Definition: CallSite.h:220
unsigned getNumIncomingValues() const
Return the number of incoming edges.
void setLinkage(LinkageTypes LT)
Definition: GlobalValue.h:444
void setOperand(unsigned i, Value *Val)
Definition: User.h:174
The access may modify the value stored in memory.
void swap(llvm::BitVector &LHS, llvm::BitVector &RHS)
Implement std::swap in terms of BitVector swap.
Definition: BitVector.h:940
static cl::opt< bool > ClPreserveAlignment("dfsan-preserve-alignment", cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, cl::init(false))
FunctionType * getFunctionType() const
Returns the FunctionType for me.
Definition: Function.h:163
Class to represent vector types.
Definition: DerivedTypes.h:424
const Module * getModule() const
Return the module owning the function this instruction belongs to or nullptr it the function does not...
Definition: Instruction.cpp:55
unsigned getNumAttrSets() const
LinkageTypes
An enumeration for the kinds of linkage for global values.
Definition: GlobalValue.h:47
BBTy * getParent() const
Get the basic block containing the call site.
Definition: CallSite.h:101
iterator_range< user_iterator > users()
Definition: Value.h:399
static void DFS(BasicBlock *Root, SetVector< BasicBlock *> &Set)
Value * CreateShl(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1138
const Value * getFalseValue() const
void append(in_iter in_start, in_iter in_end)
Add the specified range to the end of the SmallVector.
Definition: SmallVector.h:387
void removeAttributes(unsigned i, const AttrBuilder &Attrs)
removes the attributes from the list of attributes.
Definition: Function.cpp:415
This class wraps the llvm.memcpy/memmove intrinsics.
LLVM_NODISCARD AttributeList addAttribute(LLVMContext &C, unsigned Index, Attribute::AttrKind Kind) const
Add an attribute to the attribute set at the given index.
unsigned getAlignment() const
Return the alignment of the access that is being performed.
Definition: Instructions.h:240
static IntegerType * getInt32Ty(LLVMContext &C)
Definition: Type.cpp:175
static cl::opt< bool > ClCombinePointerLabelsOnLoad("dfsan-combine-pointer-labels-on-load", cl::desc("Combine the label of the pointer with the label of the data when " "loading from memory."), cl::Hidden, cl::init(true))
Value * CreateConstGEP2_64(Type *Ty, Value *Ptr, uint64_t Idx0, uint64_t Idx1, const Twine &Name="")
Definition: IRBuilder.h:1630
StringRef getName() const
Return a constant reference to the value&#39;s name.
Definition: Value.cpp:214
const NodeList & List
Definition: RDFGraph.cpp:201
#define I(x, y, z)
Definition: MD5.cpp:58
#define N
user_iterator_impl< User > user_iterator
Definition: Value.h:368
ModulePass class - This class is used to implement unstructured interprocedural optimizations and ana...
Definition: Pass.h:224
static ArrayType * get(Type *ElementType, uint64_t NumElements)
This static method is the primary way to construct an ArrayType.
Definition: Type.cpp:580
void setAttributes(AttributeList A)
Set the parameter attributes for this call.
Definition: InstrTypes.h:1284
LLVM_NODISCARD std::enable_if<!is_simple_type< Y >::value, typename cast_retty< X, const Y >::ret_type >::type dyn_cast(const Y &Val)
Definition: Casting.h:322
Type * getValueType() const
Definition: GlobalValue.h:275
This instruction extracts a single (scalar) element from a VectorType value.
const BasicBlockListType & getBasicBlockList() const
Get the underlying elements of the Function...
Definition: Function.h:632
uint32_t Size
Definition: Profile.cpp:46
CallInst * CreateCall(FunctionType *FTy, Value *Callee, ArrayRef< Value *> Args=None, const Twine &Name="", MDNode *FPMathTag=nullptr)
Definition: IRBuilder.h:2009
void eraseFromParent()
eraseFromParent - This method unlinks &#39;this&#39; from the containing module and deletes it...
Definition: Function.cpp:213
BasicBlock * splitBasicBlock(iterator I, const Twine &BBName="")
Split the basic block into two basic blocks at the specified instruction.
Definition: BasicBlock.cpp:407
Value * getReturnValue() const
Convenience accessor. Returns null if there is no return value.
unsigned getAlignment() const
Return the alignment of the access that is being performed.
Definition: Instructions.h:365
static StringRef GetGlobalTypeString(const GlobalValue &G)
Value * CreateAnd(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1199
Value * CreatePtrToInt(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:1757
const std::string & getModuleInlineAsm() const
Get any module-scope inline assembly blocks.
Definition: Module.h:248
bool isDeclaration() const
Return true if the primary definition of this global value is outside of the current translation unit...
Definition: Globals.cpp:205
void GetUnderlyingObjects(Value *V, SmallVectorImpl< Value *> &Objects, const DataLayout &DL, LoopInfo *LI=nullptr, unsigned MaxLookup=6)
This method is similar to GetUnderlyingObject except that it can look through phi and select instruct...
iterator_range< df_iterator< T > > depth_first(const T &G)
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
user_iterator user_begin()
Definition: Value.h:375
aarch64 promote const
Module * getParent()
Get the module that this global value is contained inside of...
Definition: GlobalValue.h:565
LLVM Value Representation.
Definition: Value.h:72
uint64_t getTypeStoreSize(Type *Ty) const
Returns the maximum number of bytes that may be overwritten by storing the specified type...
Definition: DataLayout.h:444
BranchInst * CreateBr(BasicBlock *Dest)
Create an unconditional &#39;br label X&#39; instruction.
Definition: IRBuilder.h:847
static VectorType * get(Type *ElementType, unsigned NumElements)
This static method is the primary way to construct an VectorType.
Definition: Type.cpp:605
AttrBuilder typeIncompatible(Type *Ty)
Which attributes cannot be applied to a type.
AttributeSet getFnAttributes() const
The function attributes are returned.
ModulePass * createDataFlowSanitizerPass(const std::vector< std::string > &ABIListFiles=std::vector< std::string >(), void *(*getArgTLS)()=nullptr, void *(*getRetValTLS)()=nullptr)
Value * CreateLShr(Value *LHS, Value *RHS, const Twine &Name="", bool isExact=false)
Definition: IRBuilder.h:1159
Invoke instruction.
Value * getSource() const
This is just like getRawSource, but it strips off any cast instructions that feed it...
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:48
Value * CreateInsertValue(Value *Agg, Value *Val, ArrayRef< unsigned > Idxs, const Twine &Name="")
Definition: IRBuilder.h:2127
Value * getPointerOperand()
Definition: Instructions.h:412
constexpr char Args[]
Key for Kernel::Metadata::mArgs.
Instruction * SplitBlockAndInsertIfThen(Value *Cond, Instruction *SplitBefore, bool Unreachable, MDNode *BranchWeights=nullptr, DominatorTree *DT=nullptr, LoopInfo *LI=nullptr, BasicBlock *ThenBlock=nullptr)
Split the containing block at the specified instruction - everything before SplitBefore stays in the ...
PointerType * getType() const
Global values are always pointers.
Definition: GlobalValue.h:273
static AttributeList get(LLVMContext &C, ArrayRef< std::pair< unsigned, Attribute >> Attrs)
Create an AttributeList with the specified parameters in it.
Definition: Attributes.cpp:874
const BasicBlock * getParent() const
Definition: Instruction.h:66
an instruction to allocate memory on the stack
Definition: Instructions.h:59
This instruction inserts a struct field of array element value into an aggregate value.
user_iterator user_end()
Definition: Value.h:383