LCOV - code coverage report
Current view: top level - lib/CodeGen - SafeStack.cpp (source / functions) Hit Total Coverage
Test: llvm-toolchain.info Lines: 297 313 94.9 %
Date: 2017-09-14 15:23:50 Functions: 19 20 95.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : //===-- SafeStack.cpp - Safe Stack Insertion ------------------------------===//
       2             : //
       3             : //                     The LLVM Compiler Infrastructure
       4             : //
       5             : // This file is distributed under the University of Illinois Open Source
       6             : // License. See LICENSE.TXT for details.
       7             : //
       8             : //===----------------------------------------------------------------------===//
       9             : //
      10             : // This pass splits the stack into the safe stack (kept as-is for LLVM backend)
      11             : // and the unsafe stack (explicitly allocated and managed through the runtime
      12             : // support library).
      13             : //
      14             : // http://clang.llvm.org/docs/SafeStack.html
      15             : //
      16             : //===----------------------------------------------------------------------===//
      17             : 
      18             : #include "SafeStackColoring.h"
      19             : #include "SafeStackLayout.h"
      20             : #include "llvm/ADT/Statistic.h"
      21             : #include "llvm/ADT/Triple.h"
      22             : #include "llvm/Analysis/AssumptionCache.h"
      23             : #include "llvm/Analysis/BranchProbabilityInfo.h"
      24             : #include "llvm/Analysis/ScalarEvolution.h"
      25             : #include "llvm/Analysis/ScalarEvolutionExpressions.h"
      26             : #include "llvm/CodeGen/Passes.h"
      27             : #include "llvm/CodeGen/TargetPassConfig.h"
      28             : #include "llvm/IR/Constants.h"
      29             : #include "llvm/IR/DIBuilder.h"
      30             : #include "llvm/IR/DataLayout.h"
      31             : #include "llvm/IR/DerivedTypes.h"
      32             : #include "llvm/IR/Function.h"
      33             : #include "llvm/IR/IRBuilder.h"
      34             : #include "llvm/IR/InstIterator.h"
      35             : #include "llvm/IR/Instructions.h"
      36             : #include "llvm/IR/IntrinsicInst.h"
      37             : #include "llvm/IR/Intrinsics.h"
      38             : #include "llvm/IR/MDBuilder.h"
      39             : #include "llvm/IR/Module.h"
      40             : #include "llvm/Pass.h"
      41             : #include "llvm/Support/CommandLine.h"
      42             : #include "llvm/Support/Debug.h"
      43             : #include "llvm/Support/Format.h"
      44             : #include "llvm/Support/MathExtras.h"
      45             : #include "llvm/Support/raw_os_ostream.h"
      46             : #include "llvm/Target/TargetLowering.h"
      47             : #include "llvm/Target/TargetSubtargetInfo.h"
      48             : #include "llvm/Transforms/Utils/BasicBlockUtils.h"
      49             : #include "llvm/Transforms/Utils/Local.h"
      50             : #include "llvm/Transforms/Utils/ModuleUtils.h"
      51             : 
      52             : using namespace llvm;
      53             : using namespace llvm::safestack;
      54             : 
      55             : #define DEBUG_TYPE "safe-stack"
      56             : 
      57             : namespace llvm {
      58             : 
      59             : STATISTIC(NumFunctions, "Total number of functions");
      60             : STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");
      61             : STATISTIC(NumUnsafeStackRestorePointsFunctions,
      62             :           "Number of functions that use setjmp or exceptions");
      63             : 
      64             : STATISTIC(NumAllocas, "Total number of allocas");
      65             : STATISTIC(NumUnsafeStaticAllocas, "Number of unsafe static allocas");
      66             : STATISTIC(NumUnsafeDynamicAllocas, "Number of unsafe dynamic allocas");
      67             : STATISTIC(NumUnsafeByValArguments, "Number of unsafe byval arguments");
      68             : STATISTIC(NumUnsafeStackRestorePoints, "Number of setjmps and landingpads");
      69             : 
      70             : } // namespace llvm
      71             : 
      72             : namespace {
      73             : 
      74             : /// Rewrite an SCEV expression for a memory access address to an expression that
      75             : /// represents offset from the given alloca.
      76             : ///
      77             : /// The implementation simply replaces all mentions of the alloca with zero.
      78         216 : class AllocaOffsetRewriter : public SCEVRewriteVisitor<AllocaOffsetRewriter> {
      79             :   const Value *AllocaPtr;
      80             : 
      81             : public:
      82             :   AllocaOffsetRewriter(ScalarEvolution &SE, const Value *AllocaPtr)
      83         216 :       : SCEVRewriteVisitor(SE), AllocaPtr(AllocaPtr) {}
      84             : 
      85             :   const SCEV *visitUnknown(const SCEVUnknown *Expr) {
      86         115 :     if (Expr->getValue() == AllocaPtr)
      87         318 :       return SE.getZero(Expr->getType());
      88           9 :     return Expr;
      89             :   }
      90             : };
      91             : 
      92             : /// The SafeStack pass splits the stack of each function into the safe
      93             : /// stack, which is only accessed through memory safe dereferences (as
      94             : /// determined statically), and the unsafe stack, which contains all
      95             : /// local variables that are accessed in ways that we can't prove to
      96             : /// be safe.
      97             : class SafeStack {
      98             :   Function &F;
      99             :   const TargetLoweringBase &TL;
     100             :   const DataLayout &DL;
     101             :   ScalarEvolution &SE;
     102             : 
     103             :   Type *StackPtrTy;
     104             :   Type *IntPtrTy;
     105             :   Type *Int32Ty;
     106             :   Type *Int8Ty;
     107             : 
     108             :   Value *UnsafeStackPtr = nullptr;
     109             : 
     110             :   /// Unsafe stack alignment. Each stack frame must ensure that the stack is
     111             :   /// aligned to this value. We need to re-align the unsafe stack if the
     112             :   /// alignment of any object on the stack exceeds this value.
     113             :   ///
     114             :   /// 16 seems like a reasonable upper bound on the alignment of objects that we
     115             :   /// might expect to appear on the stack on most common targets.
     116             :   enum { StackAlignment = 16 };
     117             : 
     118             :   /// \brief Return the value of the stack canary.
     119             :   Value *getStackGuard(IRBuilder<> &IRB, Function &F);
     120             : 
     121             :   /// \brief Load stack guard from the frame and check if it has changed.
     122             :   void checkStackGuard(IRBuilder<> &IRB, Function &F, ReturnInst &RI,
     123             :                        AllocaInst *StackGuardSlot, Value *StackGuard);
     124             : 
     125             :   /// \brief Find all static allocas, dynamic allocas, return instructions and
     126             :   /// stack restore points (exception unwind blocks and setjmp calls) in the
     127             :   /// given function and append them to the respective vectors.
     128             :   void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
     129             :                  SmallVectorImpl<AllocaInst *> &DynamicAllocas,
     130             :                  SmallVectorImpl<Argument *> &ByValArguments,
     131             :                  SmallVectorImpl<ReturnInst *> &Returns,
     132             :                  SmallVectorImpl<Instruction *> &StackRestorePoints);
     133             : 
     134             :   /// \brief Calculate the allocation size of a given alloca. Returns 0 if the
     135             :   /// size can not be statically determined.
     136             :   uint64_t getStaticAllocaAllocationSize(const AllocaInst* AI);
     137             : 
     138             :   /// \brief Allocate space for all static allocas in \p StaticAllocas,
     139             :   /// replace allocas with pointers into the unsafe stack and generate code to
     140             :   /// restore the stack pointer before all return instructions in \p Returns.
     141             :   ///
     142             :   /// \returns A pointer to the top of the unsafe stack after all unsafe static
     143             :   /// allocas are allocated.
     144             :   Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
     145             :                                         ArrayRef<AllocaInst *> StaticAllocas,
     146             :                                         ArrayRef<Argument *> ByValArguments,
     147             :                                         ArrayRef<ReturnInst *> Returns,
     148             :                                         Instruction *BasePointer,
     149             :                                         AllocaInst *StackGuardSlot);
     150             : 
     151             :   /// \brief Generate code to restore the stack after all stack restore points
     152             :   /// in \p StackRestorePoints.
     153             :   ///
     154             :   /// \returns A local variable in which to maintain the dynamic top of the
     155             :   /// unsafe stack if needed.
     156             :   AllocaInst *
     157             :   createStackRestorePoints(IRBuilder<> &IRB, Function &F,
     158             :                            ArrayRef<Instruction *> StackRestorePoints,
     159             :                            Value *StaticTop, bool NeedDynamicTop);
     160             : 
     161             :   /// \brief Replace all allocas in \p DynamicAllocas with code to allocate
     162             :   /// space dynamically on the unsafe stack and store the dynamic unsafe stack
     163             :   /// top to \p DynamicTop if non-null.
     164             :   void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr,
     165             :                                        AllocaInst *DynamicTop,
     166             :                                        ArrayRef<AllocaInst *> DynamicAllocas);
     167             : 
     168             :   bool IsSafeStackAlloca(const Value *AllocaPtr, uint64_t AllocaSize);
     169             : 
     170             :   bool IsMemIntrinsicSafe(const MemIntrinsic *MI, const Use &U,
     171             :                           const Value *AllocaPtr, uint64_t AllocaSize);
     172             :   bool IsAccessSafe(Value *Addr, uint64_t Size, const Value *AllocaPtr,
     173             :                     uint64_t AllocaSize);
     174             : 
     175             : public:
     176         180 :   SafeStack(Function &F, const TargetLoweringBase &TL, const DataLayout &DL,
     177             :             ScalarEvolution &SE)
     178         180 :       : F(F), TL(TL), DL(DL), SE(SE),
     179         180 :         StackPtrTy(Type::getInt8PtrTy(F.getContext())),
     180         180 :         IntPtrTy(DL.getIntPtrType(F.getContext())),
     181         180 :         Int32Ty(Type::getInt32Ty(F.getContext())),
     182         720 :         Int8Ty(Type::getInt8Ty(F.getContext())) {}
     183             : 
     184             :   // Run the transformation on the associated function.
     185             :   // Returns whether the function was changed.
     186             :   bool run();
     187             : };
     188             : 
     189         761 : uint64_t SafeStack::getStaticAllocaAllocationSize(const AllocaInst* AI) {
     190         761 :   uint64_t Size = DL.getTypeAllocSize(AI->getAllocatedType());
     191         761 :   if (AI->isArrayAllocation()) {
     192          74 :     auto C = dyn_cast<ConstantInt>(AI->getArraySize());
     193             :     if (!C)
     194             :       return 0;
     195          33 :     Size *= C->getZExtValue();
     196             :   }
     197             :   return Size;
     198             : }
     199             : 
     200         108 : bool SafeStack::IsAccessSafe(Value *Addr, uint64_t AccessSize,
     201             :                              const Value *AllocaPtr, uint64_t AllocaSize) {
     202         324 :   AllocaOffsetRewriter Rewriter(SE, AllocaPtr);
     203         108 :   const SCEV *Expr = Rewriter.visit(SE.getSCEV(Addr));
     204             : 
     205         108 :   uint64_t BitWidth = SE.getTypeSizeInBits(Expr->getType());
     206         324 :   ConstantRange AccessStartRange = SE.getUnsignedRange(Expr);
     207             :   ConstantRange SizeRange =
     208         648 :       ConstantRange(APInt(BitWidth, 0), APInt(BitWidth, AccessSize));
     209         216 :   ConstantRange AccessRange = AccessStartRange.add(SizeRange);
     210             :   ConstantRange AllocaRange =
     211         648 :       ConstantRange(APInt(BitWidth, 0), APInt(BitWidth, AllocaSize));
     212         108 :   bool Safe = AllocaRange.contains(AccessRange);
     213             : 
     214             :   DEBUG(dbgs() << "[SafeStack] "
     215             :                << (isa<AllocaInst>(AllocaPtr) ? "Alloca " : "ByValArgument ")
     216             :                << *AllocaPtr << "\n"
     217             :                << "            Access " << *Addr << "\n"
     218             :                << "            SCEV " << *Expr
     219             :                << " U: " << SE.getUnsignedRange(Expr)
     220             :                << ", S: " << SE.getSignedRange(Expr) << "\n"
     221             :                << "            Range " << AccessRange << "\n"
     222             :                << "            AllocaRange " << AllocaRange << "\n"
     223             :                << "            " << (Safe ? "safe" : "unsafe") << "\n");
     224             : 
     225         108 :   return Safe;
     226             : }
     227             : 
     228           9 : bool SafeStack::IsMemIntrinsicSafe(const MemIntrinsic *MI, const Use &U,
     229             :                                    const Value *AllocaPtr,
     230             :                                    uint64_t AllocaSize) {
     231             :   // All MemIntrinsics have destination address in Arg0 and size in Arg2.
     232           9 :   if (MI->getRawDest() != U) return true;
     233          14 :   const auto *Len = dyn_cast<ConstantInt>(MI->getLength());
     234             :   // Non-constant size => unsafe. FIXME: try SCEV getRange.
     235             :   if (!Len) return false;
     236           6 :   return IsAccessSafe(U, Len->getZExtValue(), AllocaPtr, AllocaSize);
     237             : }
     238             : 
     239             : /// Check whether a given allocation must be put on the safe
     240             : /// stack or not. The function analyzes all uses of AI and checks whether it is
     241             : /// only accessed in a memory safe way (as decided statically).
     242         306 : bool SafeStack::IsSafeStackAlloca(const Value *AllocaPtr, uint64_t AllocaSize) {
     243             :   // Go through all uses of this alloca and check whether all accesses to the
     244             :   // allocated object are statically known to be memory safe and, hence, the
     245             :   // object can be placed on the safe stack.
     246         612 :   SmallPtrSet<const Value *, 16> Visited;
     247         612 :   SmallVector<const Value *, 8> WorkList;
     248         306 :   WorkList.push_back(AllocaPtr);
     249             : 
     250             :   // A DFS search through all uses of the alloca in bitcasts/PHI/GEPs/etc.
     251         510 :   while (!WorkList.empty()) {
     252         443 :     const Value *V = WorkList.pop_back_val();
     253        1126 :     for (const Use &UI : V->uses()) {
     254         958 :       auto I = cast<const Instruction>(UI.getUser());
     255             :       assert(V == UI.get());
     256             : 
     257         479 :       switch (I->getOpcode()) {
     258          51 :       case Instruction::Load: {
     259         102 :         if (!IsAccessSafe(UI, DL.getTypeStoreSize(I->getType()), AllocaPtr,
     260             :                           AllocaSize))
     261             :           return false;
     262             :         break;
     263             :       }
     264             :       case Instruction::VAArg:
     265             :         // "va-arg" from a pointer is safe.
     266             :         break;
     267          63 :       case Instruction::Store: {
     268         126 :         if (V == I->getOperand(0)) {
     269             :           // Stored the pointer - conservatively assume it may be unsafe.
     270             :           DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AllocaPtr
     271             :                        << "\n            store of address: " << *I << "\n");
     272             :           return false;
     273             :         }
     274             : 
     275         153 :         if (!IsAccessSafe(UI, DL.getTypeStoreSize(I->getOperand(0)->getType()),
     276             :                           AllocaPtr, AllocaSize))
     277             :           return false;
     278             :         break;
     279             :       }
     280             :       case Instruction::Ret: {
     281             :         // Information leak.
     282             :         return false;
     283             :       }
     284             : 
     285         220 :       case Instruction::Call:
     286             :       case Instruction::Invoke: {
     287         220 :         ImmutableCallSite CS(I);
     288             : 
     289          18 :         if (const IntrinsicInst *II = dyn_cast<IntrinsicInst>(I)) {
     290          36 :           if (II->getIntrinsicID() == Intrinsic::lifetime_start ||
     291          18 :               II->getIntrinsicID() == Intrinsic::lifetime_end)
     292          25 :             continue;
     293             :         }
     294             : 
     295          12 :         if (const MemIntrinsic *MI = dyn_cast<MemIntrinsic>(I)) {
     296           9 :           if (!IsMemIntrinsicSafe(MI, UI, AllocaPtr, AllocaSize)) {
     297             :             DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AllocaPtr
     298             :                          << "\n            unsafe memintrinsic: " << *I
     299             :                          << "\n");
     300         204 :             return false;
     301             :           }
     302           3 :           continue;
     303             :         }
     304             : 
     305             :         // LLVM 'nocapture' attribute is only set for arguments whose address
     306             :         // is not stored, passed around, or used in any other non-trivial way.
     307             :         // We assume that passing a pointer to an object as a 'nocapture
     308             :         // readnone' argument is safe.
     309             :         // FIXME: a more precise solution would require an interprocedural
     310             :         // analysis here, which would look at all uses of an argument inside
     311             :         // the function being called.
     312         202 :         ImmutableCallSite::arg_iterator B = CS.arg_begin(), E = CS.arg_end();
     313         222 :         for (ImmutableCallSite::arg_iterator A = B; A != E; ++A)
     314         218 :           if (A->get() == V)
     315         426 :             if (!(CS.doesNotCapture(A - B) && (CS.doesNotAccessMemory(A - B) ||
     316          10 :                                                CS.doesNotAccessMemory()))) {
     317             :               DEBUG(dbgs() << "[SafeStack] Unsafe alloca: " << *AllocaPtr
     318             :                            << "\n            unsafe call: " << *I << "\n");
     319             :               return false;
     320             :             }
     321           4 :         continue;
     322             :       }
     323             : 
     324         143 :       default:
     325         143 :         if (Visited.insert(I).second)
     326         141 :           WorkList.push_back(cast<const Instruction>(I));
     327             :       }
     328             :     }
     329             :   }
     330             : 
     331             :   // All uses of the alloca are safe, we can place it on the safe stack.
     332             :   return true;
     333             : }
     334             : 
     335          13 : Value *SafeStack::getStackGuard(IRBuilder<> &IRB, Function &F) {
     336          13 :   Value *StackGuardVar = TL.getIRStackGuard(IRB);
     337          13 :   if (!StackGuardVar)
     338           2 :     StackGuardVar =
     339           6 :         F.getParent()->getOrInsertGlobal("__stack_chk_guard", StackPtrTy);
     340          13 :   return IRB.CreateLoad(StackGuardVar, "StackGuard");
     341             : }
     342             : 
     343         180 : void SafeStack::findInsts(Function &F,
     344             :                           SmallVectorImpl<AllocaInst *> &StaticAllocas,
     345             :                           SmallVectorImpl<AllocaInst *> &DynamicAllocas,
     346             :                           SmallVectorImpl<Argument *> &ByValArguments,
     347             :                           SmallVectorImpl<ReturnInst *> &Returns,
     348             :                           SmallVectorImpl<Instruction *> &StackRestorePoints) {
     349        3124 :   for (Instruction &I : instructions(&F)) {
     350        1382 :     if (auto AI = dyn_cast<AllocaInst>(&I)) {
     351         298 :       ++NumAllocas;
     352             : 
     353         298 :       uint64_t Size = getStaticAllocaAllocationSize(AI);
     354         298 :       if (IsSafeStackAlloca(AI, Size))
     355          64 :         continue;
     356             : 
     357         234 :       if (AI->isStaticAlloca()) {
     358         225 :         ++NumUnsafeStaticAllocas;
     359         225 :         StaticAllocas.push_back(AI);
     360             :       } else {
     361           9 :         ++NumUnsafeDynamicAllocas;
     362           9 :         DynamicAllocas.push_back(AI);
     363             :       }
     364        1084 :     } else if (auto RI = dyn_cast<ReturnInst>(&I)) {
     365         190 :       Returns.push_back(RI);
     366         431 :     } else if (auto CI = dyn_cast<CallInst>(&I)) {
     367             :       // setjmps require stack restore.
     368         862 :       if (CI->getCalledFunction() && CI->canReturnTwice())
     369           5 :         StackRestorePoints.push_back(CI);
     370           4 :     } else if (auto LP = dyn_cast<LandingPadInst>(&I)) {
     371             :       // Exception landing pads require stack restore.
     372           4 :       StackRestorePoints.push_back(LP);
     373           0 :     } else if (auto II = dyn_cast<IntrinsicInst>(&I)) {
     374           0 :       if (II->getIntrinsicID() == Intrinsic::gcroot)
     375           0 :         llvm::report_fatal_error(
     376             :             "gcroot intrinsic not compatible with safestack attribute");
     377             :     }
     378             :   }
     379         254 :   for (Argument &Arg : F.args()) {
     380          74 :     if (!Arg.hasByValAttr())
     381          66 :       continue;
     382             :     uint64_t Size =
     383          24 :         DL.getTypeStoreSize(Arg.getType()->getPointerElementType());
     384           8 :     if (IsSafeStackAlloca(&Arg, Size))
     385           3 :       continue;
     386             : 
     387           5 :     ++NumUnsafeByValArguments;
     388           5 :     ByValArguments.push_back(&Arg);
     389             :   }
     390         180 : }
     391             : 
     392             : AllocaInst *
     393         152 : SafeStack::createStackRestorePoints(IRBuilder<> &IRB, Function &F,
     394             :                                     ArrayRef<Instruction *> StackRestorePoints,
     395             :                                     Value *StaticTop, bool NeedDynamicTop) {
     396             :   assert(StaticTop && "The stack top isn't set.");
     397             : 
     398         152 :   if (StackRestorePoints.empty())
     399             :     return nullptr;
     400             : 
     401             :   // We need the current value of the shadow stack pointer to restore
     402             :   // after longjmp or exception catching.
     403             : 
     404             :   // FIXME: On some platforms this could be handled by the longjmp/exception
     405             :   // runtime itself.
     406             : 
     407           9 :   AllocaInst *DynamicTop = nullptr;
     408           9 :   if (NeedDynamicTop) {
     409             :     // If we also have dynamic alloca's, the stack pointer value changes
     410             :     // throughout the function. For now we store it in an alloca.
     411           3 :     DynamicTop = IRB.CreateAlloca(StackPtrTy, /*ArraySize=*/nullptr,
     412             :                                   "unsafe_stack_dynamic_ptr");
     413           3 :     IRB.CreateStore(StaticTop, DynamicTop);
     414             :   }
     415             : 
     416             :   // Restore current stack pointer after longjmp/exception catch.
     417          27 :   for (Instruction *I : StackRestorePoints) {
     418           9 :     ++NumUnsafeStackRestorePoints;
     419             : 
     420          18 :     IRB.SetInsertPoint(I->getNextNode());
     421          12 :     Value *CurrentTop = DynamicTop ? IRB.CreateLoad(DynamicTop) : StaticTop;
     422           9 :     IRB.CreateStore(CurrentTop, UnsafeStackPtr);
     423             :   }
     424             : 
     425             :   return DynamicTop;
     426             : }
     427             : 
     428          13 : void SafeStack::checkStackGuard(IRBuilder<> &IRB, Function &F, ReturnInst &RI,
     429             :                                 AllocaInst *StackGuardSlot, Value *StackGuard) {
     430          13 :   Value *V = IRB.CreateLoad(StackGuardSlot);
     431          26 :   Value *Cmp = IRB.CreateICmpNE(StackGuard, V);
     432             : 
     433          13 :   auto SuccessProb = BranchProbabilityInfo::getBranchProbStackProtector(true);
     434          13 :   auto FailureProb = BranchProbabilityInfo::getBranchProbStackProtector(false);
     435          39 :   MDNode *Weights = MDBuilder(F.getContext())
     436          26 :                         .createBranchWeights(SuccessProb.getNumerator(),
     437          13 :                                              FailureProb.getNumerator());
     438             :   Instruction *CheckTerm =
     439          13 :       SplitBlockAndInsertIfThen(Cmp, &RI,
     440          13 :                                 /* Unreachable */ true, Weights);
     441          26 :   IRBuilder<> IRBFail(CheckTerm);
     442             :   // FIXME: respect -fsanitize-trap / -ftrap-function here?
     443          39 :   Constant *StackChkFail = F.getParent()->getOrInsertFunction(
     444          13 :       "__stack_chk_fail", IRB.getVoidTy());
     445          26 :   IRBFail.CreateCall(StackChkFail, {});
     446          13 : }
     447             : 
     448             : /// We explicitly compute and set the unsafe stack layout for all unsafe
     449             : /// static alloca instructions. We save the unsafe "base pointer" in the
     450             : /// prologue into a local variable and restore it in the epilogue.
     451         152 : Value *SafeStack::moveStaticAllocasToUnsafeStack(
     452             :     IRBuilder<> &IRB, Function &F, ArrayRef<AllocaInst *> StaticAllocas,
     453             :     ArrayRef<Argument *> ByValArguments, ArrayRef<ReturnInst *> Returns,
     454             :     Instruction *BasePointer, AllocaInst *StackGuardSlot) {
     455         152 :   if (StaticAllocas.empty() && ByValArguments.empty())
     456             :     return BasePointer;
     457             : 
     458         286 :   DIBuilder DIB(*F.getParent());
     459             : 
     460         286 :   StackColoring SSC(F, StaticAllocas);
     461         143 :   SSC.run();
     462         143 :   SSC.removeAllMarkers();
     463             : 
     464             :   // Unsafe stack always grows down.
     465         286 :   StackLayout SSL(StackAlignment);
     466         143 :   if (StackGuardSlot) {
     467          13 :     Type *Ty = StackGuardSlot->getAllocatedType();
     468             :     unsigned Align =
     469          26 :         std::max(DL.getPrefTypeAlignment(Ty), StackGuardSlot->getAlignment());
     470          13 :     SSL.addObject(StackGuardSlot, getStaticAllocaAllocationSize(StackGuardSlot),
     471          26 :                   Align, SSC.getFullLiveRange());
     472             :   }
     473             : 
     474         291 :   for (Argument *Arg : ByValArguments) {
     475          10 :     Type *Ty = Arg->getType()->getPointerElementType();
     476          10 :     uint64_t Size = DL.getTypeStoreSize(Ty);
     477           5 :     if (Size == 0)
     478           0 :       Size = 1; // Don't create zero-sized stack objects.
     479             : 
     480             :     // Ensure the object is properly aligned.
     481          10 :     unsigned Align = std::max((unsigned)DL.getPrefTypeAlignment(Ty),
     482          15 :                               Arg->getParamAlignment());
     483          10 :     SSL.addObject(Arg, Size, Align, SSC.getFullLiveRange());
     484             :   }
     485             : 
     486         511 :   for (AllocaInst *AI : StaticAllocas) {
     487         225 :     Type *Ty = AI->getAllocatedType();
     488         225 :     uint64_t Size = getStaticAllocaAllocationSize(AI);
     489         225 :     if (Size == 0)
     490           0 :       Size = 1; // Don't create zero-sized stack objects.
     491             : 
     492             :     // Ensure the object is properly aligned.
     493             :     unsigned Align =
     494         450 :         std::max((unsigned)DL.getPrefTypeAlignment(Ty), AI->getAlignment());
     495             : 
     496         225 :     SSL.addObject(AI, Size, Align, SSC.getLiveRange(AI));
     497             :   }
     498             : 
     499         143 :   SSL.computeLayout();
     500         143 :   unsigned FrameAlignment = SSL.getFrameAlignment();
     501             : 
     502             :   // FIXME: tell SSL that we start at a less-then-MaxAlignment aligned location
     503             :   // (AlignmentSkew).
     504         143 :   if (FrameAlignment > StackAlignment) {
     505             :     // Re-align the base pointer according to the max requested alignment.
     506             :     assert(isPowerOf2_32(FrameAlignment));
     507           4 :     IRB.SetInsertPoint(BasePointer->getNextNode());
     508          12 :     BasePointer = cast<Instruction>(IRB.CreateIntToPtr(
     509             :         IRB.CreateAnd(IRB.CreatePtrToInt(BasePointer, IntPtrTy),
     510           2 :                       ConstantInt::get(IntPtrTy, ~uint64_t(FrameAlignment - 1))),
     511             :         StackPtrTy));
     512             :   }
     513             : 
     514         286 :   IRB.SetInsertPoint(BasePointer->getNextNode());
     515             : 
     516         143 :   if (StackGuardSlot) {
     517          13 :     unsigned Offset = SSL.getObjectOffset(StackGuardSlot);
     518          26 :     Value *Off = IRB.CreateGEP(BasePointer, // BasePointer is i8*
     519          26 :                                ConstantInt::get(Int32Ty, -Offset));
     520             :     Value *NewAI =
     521          39 :         IRB.CreateBitCast(Off, StackGuardSlot->getType(), "StackGuardSlot");
     522             : 
     523             :     // Replace alloc with the new location.
     524          13 :     StackGuardSlot->replaceAllUsesWith(NewAI);
     525          13 :     StackGuardSlot->eraseFromParent();
     526             :   }
     527             : 
     528         153 :   for (Argument *Arg : ByValArguments) {
     529           5 :     unsigned Offset = SSL.getObjectOffset(Arg);
     530          10 :     Type *Ty = Arg->getType()->getPointerElementType();
     531             : 
     532          10 :     uint64_t Size = DL.getTypeStoreSize(Ty);
     533           5 :     if (Size == 0)
     534           0 :       Size = 1; // Don't create zero-sized stack objects.
     535             : 
     536          10 :     Value *Off = IRB.CreateGEP(BasePointer, // BasePointer is i8*
     537          10 :                                ConstantInt::get(Int32Ty, -Offset));
     538           5 :     Value *NewArg = IRB.CreateBitCast(Off, Arg->getType(),
     539          15 :                                      Arg->getName() + ".unsafe-byval");
     540             : 
     541             :     // Replace alloc with the new location.
     542          10 :     replaceDbgDeclare(Arg, BasePointer, BasePointer->getNextNode(), DIB,
     543             :                       /*Deref=*/false, -Offset);
     544           5 :     Arg->replaceAllUsesWith(NewArg);
     545          15 :     IRB.SetInsertPoint(cast<Instruction>(NewArg)->getNextNode());
     546           5 :     IRB.CreateMemCpy(Off, Arg, Size, Arg->getParamAlignment());
     547             :   }
     548             : 
     549             :   // Allocate space for every unsafe static AllocaInst on the unsafe stack.
     550         593 :   for (AllocaInst *AI : StaticAllocas) {
     551         225 :     IRB.SetInsertPoint(AI);
     552         225 :     unsigned Offset = SSL.getObjectOffset(AI);
     553             : 
     554         225 :     uint64_t Size = getStaticAllocaAllocationSize(AI);
     555             :     if (Size == 0)
     556             :       Size = 1; // Don't create zero-sized stack objects.
     557             : 
     558         225 :     replaceDbgDeclareForAlloca(AI, BasePointer, DIB, /*Deref=*/false, -Offset);
     559         225 :     replaceDbgValueForAlloca(AI, BasePointer, DIB, -Offset);
     560             : 
     561             :     // Replace uses of the alloca with the new location.
     562             :     // Insert address calculation close to each use to work around PR27844.
     563         900 :     std::string Name = std::string(AI->getName()) + ".unsafe";
     564         972 :     while (!AI->use_empty()) {
     565         522 :       Use &U = *AI->use_begin();
     566         522 :       Instruction *User = cast<Instruction>(U.getUser());
     567             : 
     568             :       Instruction *InsertBefore;
     569           6 :       if (auto *PHI = dyn_cast<PHINode>(User))
     570          12 :         InsertBefore = PHI->getIncomingBlock(U)->getTerminator();
     571             :       else
     572             :         InsertBefore = User;
     573             : 
     574         522 :       IRBuilder<> IRBUser(InsertBefore);
     575         522 :       Value *Off = IRBUser.CreateGEP(BasePointer, // BasePointer is i8*
     576         522 :                                      ConstantInt::get(Int32Ty, -Offset));
     577         783 :       Value *Replacement = IRBUser.CreateBitCast(Off, AI->getType(), Name);
     578             : 
     579           6 :       if (auto *PHI = dyn_cast<PHINode>(User)) {
     580             :         // PHI nodes may have multiple incoming edges from the same BB (why??),
     581             :         // all must be updated at once with the same incoming value.
     582           6 :         auto *BB = PHI->getIncomingBlock(U);
     583          48 :         for (unsigned I = 0; I < PHI->getNumIncomingValues(); ++I)
     584          18 :           if (PHI->getIncomingBlock(I) == BB)
     585             :             PHI->setIncomingValue(I, Replacement);
     586             :       } else {
     587         255 :         U.set(Replacement);
     588             :       }
     589             :     }
     590             : 
     591         225 :     AI->eraseFromParent();
     592             :   }
     593             : 
     594             :   // Re-align BasePointer so that our callees would see it aligned as
     595             :   // expected.
     596             :   // FIXME: no need to update BasePointer in leaf functions.
     597         286 :   unsigned FrameSize = alignTo(SSL.getFrameSize(), StackAlignment);
     598             : 
     599             :   // Update shadow stack pointer in the function epilogue.
     600         286 :   IRB.SetInsertPoint(BasePointer->getNextNode());
     601             : 
     602             :   Value *StaticTop =
     603         286 :       IRB.CreateGEP(BasePointer, ConstantInt::get(Int32Ty, -FrameSize),
     604         143 :                     "unsafe_stack_static_top");
     605         143 :   IRB.CreateStore(StaticTop, UnsafeStackPtr);
     606             :   return StaticTop;
     607             : }
     608             : 
     609         152 : void SafeStack::moveDynamicAllocasToUnsafeStack(
     610             :     Function &F, Value *UnsafeStackPtr, AllocaInst *DynamicTop,
     611             :     ArrayRef<AllocaInst *> DynamicAllocas) {
     612         304 :   DIBuilder DIB(*F.getParent());
     613             : 
     614         313 :   for (AllocaInst *AI : DynamicAllocas) {
     615          18 :     IRBuilder<> IRB(AI);
     616             : 
     617             :     // Compute the new SP value (after AI).
     618           9 :     Value *ArraySize = AI->getArraySize();
     619           9 :     if (ArraySize->getType() != IntPtrTy)
     620           6 :       ArraySize = IRB.CreateIntCast(ArraySize, IntPtrTy, false);
     621             : 
     622           9 :     Type *Ty = AI->getAllocatedType();
     623           9 :     uint64_t TySize = DL.getTypeAllocSize(Ty);
     624           9 :     Value *Size = IRB.CreateMul(ArraySize, ConstantInt::get(IntPtrTy, TySize));
     625             : 
     626          27 :     Value *SP = IRB.CreatePtrToInt(IRB.CreateLoad(UnsafeStackPtr), IntPtrTy);
     627           9 :     SP = IRB.CreateSub(SP, Size);
     628             : 
     629             :     // Align the SP value to satisfy the AllocaInst, type and stack alignments.
     630             :     unsigned Align = std::max(
     631          18 :         std::max((unsigned)DL.getPrefTypeAlignment(Ty), AI->getAlignment()),
     632          36 :         (unsigned)StackAlignment);
     633             : 
     634             :     assert(isPowerOf2_32(Align));
     635          36 :     Value *NewTop = IRB.CreateIntToPtr(
     636           9 :         IRB.CreateAnd(SP, ConstantInt::get(IntPtrTy, ~uint64_t(Align - 1))),
     637           9 :         StackPtrTy);
     638             : 
     639             :     // Save the stack pointer.
     640           9 :     IRB.CreateStore(NewTop, UnsafeStackPtr);
     641           9 :     if (DynamicTop)
     642           3 :       IRB.CreateStore(NewTop, DynamicTop);
     643             : 
     644          18 :     Value *NewAI = IRB.CreatePointerCast(NewTop, AI->getType());
     645          24 :     if (AI->hasName() && isa<Instruction>(NewAI))
     646           6 :       NewAI->takeName(AI);
     647             : 
     648           9 :     replaceDbgDeclareForAlloca(AI, NewAI, DIB, /*Deref=*/false);
     649           9 :     AI->replaceAllUsesWith(NewAI);
     650           9 :     AI->eraseFromParent();
     651             :   }
     652             : 
     653         152 :   if (!DynamicAllocas.empty()) {
     654             :     // Now go through the instructions again, replacing stacksave/stackrestore.
     655           9 :     for (inst_iterator It = inst_begin(&F), Ie = inst_end(&F); It != Ie;) {
     656         414 :       Instruction *I = &*(It++);
     657           2 :       auto II = dyn_cast<IntrinsicInst>(I);
     658         136 :       if (!II)
     659         136 :         continue;
     660             : 
     661           2 :       if (II->getIntrinsicID() == Intrinsic::stacksave) {
     662           0 :         IRBuilder<> IRB(II);
     663           0 :         Instruction *LI = IRB.CreateLoad(UnsafeStackPtr);
     664           0 :         LI->takeName(II);
     665           0 :         II->replaceAllUsesWith(LI);
     666           0 :         II->eraseFromParent();
     667           2 :       } else if (II->getIntrinsicID() == Intrinsic::stackrestore) {
     668           0 :         IRBuilder<> IRB(II);
     669           0 :         Instruction *SI = IRB.CreateStore(II->getArgOperand(0), UnsafeStackPtr);
     670           0 :         SI->takeName(II);
     671             :         assert(II->use_empty());
     672           0 :         II->eraseFromParent();
     673             :       }
     674             :     }
     675             :   }
     676         152 : }
     677             : 
     678         180 : bool SafeStack::run() {
     679             :   assert(F.hasFnAttribute(Attribute::SafeStack) &&
     680             :          "Can't run SafeStack on a function without the attribute");
     681             :   assert(!F.isDeclaration() && "Can't run SafeStack on a function declaration");
     682             : 
     683         180 :   ++NumFunctions;
     684             : 
     685         360 :   SmallVector<AllocaInst *, 16> StaticAllocas;
     686         360 :   SmallVector<AllocaInst *, 4> DynamicAllocas;
     687         360 :   SmallVector<Argument *, 4> ByValArguments;
     688         360 :   SmallVector<ReturnInst *, 4> Returns;
     689             : 
     690             :   // Collect all points where stack gets unwound and needs to be restored
     691             :   // This is only necessary because the runtime (setjmp and unwind code) is
     692             :   // not aware of the unsafe stack and won't unwind/restore it properly.
     693             :   // To work around this problem without changing the runtime, we insert
     694             :   // instrumentation to restore the unsafe stack pointer when necessary.
     695         360 :   SmallVector<Instruction *, 4> StackRestorePoints;
     696             : 
     697             :   // Find all static and dynamic alloca instructions that must be moved to the
     698             :   // unsafe stack, all return instructions and stack restore points.
     699         180 :   findInsts(F, StaticAllocas, DynamicAllocas, ByValArguments, Returns,
     700             :             StackRestorePoints);
     701             : 
     702         253 :   if (StaticAllocas.empty() && DynamicAllocas.empty() &&
     703         240 :       ByValArguments.empty() && StackRestorePoints.empty())
     704             :     return false; // Nothing to do in this function.
     705             : 
     706         152 :   if (!StaticAllocas.empty() || !DynamicAllocas.empty() ||
     707             :       !ByValArguments.empty())
     708             :     ++NumUnsafeStackFunctions; // This function has the unsafe stack.
     709             : 
     710         152 :   if (!StackRestorePoints.empty())
     711             :     ++NumUnsafeStackRestorePointsFunctions;
     712             : 
     713         760 :   IRBuilder<> IRB(&F.front(), F.begin()->getFirstInsertionPt());
     714         152 :   UnsafeStackPtr = TL.getSafeStackPointerLocation(IRB);
     715             : 
     716             :   // Load the current stack pointer (we'll also use it as a base pointer).
     717             :   // FIXME: use a dedicated register for it ?
     718             :   Instruction *BasePointer =
     719         152 :       IRB.CreateLoad(UnsafeStackPtr, false, "unsafe_stack_ptr");
     720             :   assert(BasePointer->getType() == StackPtrTy);
     721             : 
     722         152 :   AllocaInst *StackGuardSlot = nullptr;
     723             :   // FIXME: implement weaker forms of stack protector.
     724         456 :   if (F.hasFnAttribute(Attribute::StackProtect) ||
     725         456 :       F.hasFnAttribute(Attribute::StackProtectStrong) ||
     726         304 :       F.hasFnAttribute(Attribute::StackProtectReq)) {
     727          13 :     Value *StackGuard = getStackGuard(IRB, F);
     728          13 :     StackGuardSlot = IRB.CreateAlloca(StackPtrTy, nullptr);
     729          13 :     IRB.CreateStore(StackGuard, StackGuardSlot);
     730             : 
     731          52 :     for (ReturnInst *RI : Returns) {
     732          26 :       IRBuilder<> IRBRet(RI);
     733          13 :       checkStackGuard(IRBRet, F, *RI, StackGuardSlot, StackGuard);
     734             :     }
     735             :   }
     736             : 
     737             :   // The top of the unsafe stack after all unsafe static allocas are
     738             :   // allocated.
     739             :   Value *StaticTop =
     740         608 :       moveStaticAllocasToUnsafeStack(IRB, F, StaticAllocas, ByValArguments,
     741         152 :                                      Returns, BasePointer, StackGuardSlot);
     742             : 
     743             :   // Safe stack object that stores the current unsafe stack top. It is updated
     744             :   // as unsafe dynamic (non-constant-sized) allocas are allocated and freed.
     745             :   // This is only needed if we need to restore stack pointer after longjmp
     746             :   // or exceptions, and we have dynamic allocations.
     747             :   // FIXME: a better alternative might be to store the unsafe stack pointer
     748             :   // before setjmp / invoke instructions.
     749         456 :   AllocaInst *DynamicTop = createStackRestorePoints(
     750         304 :       IRB, F, StackRestorePoints, StaticTop, !DynamicAllocas.empty());
     751             : 
     752             :   // Handle dynamic allocas.
     753         152 :   moveDynamicAllocasToUnsafeStack(F, UnsafeStackPtr, DynamicTop,
     754             :                                   DynamicAllocas);
     755             : 
     756             :   // Restore the unsafe stack pointer before each return.
     757         618 :   for (ReturnInst *RI : Returns) {
     758         162 :     IRB.SetInsertPoint(RI);
     759         162 :     IRB.CreateStore(BasePointer, UnsafeStackPtr);
     760             :   }
     761             : 
     762             :   DEBUG(dbgs() << "[SafeStack]     safestack applied\n");
     763         152 :   return true;
     764             : }
     765             : 
     766       33826 : class SafeStackLegacyPass : public FunctionPass {
     767             :   const TargetMachine *TM;
     768             : 
     769             : public:
     770             :   static char ID; // Pass identification, replacement for typeid..
     771       34032 :   SafeStackLegacyPass() : FunctionPass(ID), TM(nullptr) {
     772       17016 :     initializeSafeStackLegacyPassPass(*PassRegistry::getPassRegistry());
     773       17016 :   }
     774             : 
     775       16981 :   void getAnalysisUsage(AnalysisUsage &AU) const override {
     776       16981 :     AU.addRequired<TargetPassConfig>();
     777       16981 :     AU.addRequired<TargetLibraryInfoWrapperPass>();
     778       16981 :     AU.addRequired<AssumptionCacheTracker>();
     779       16981 :   }
     780             : 
     781      143356 :   bool runOnFunction(Function &F) override {
     782             :     DEBUG(dbgs() << "[SafeStack] Function: " << F.getName() << "\n");
     783             : 
     784      143356 :     if (!F.hasFnAttribute(Attribute::SafeStack)) {
     785             :       DEBUG(dbgs() << "[SafeStack]     safestack is not requested"
     786             :                       " for this function\n");
     787             :       return false;
     788             :     }
     789             : 
     790         180 :     if (F.isDeclaration()) {
     791             :       DEBUG(dbgs() << "[SafeStack]     function definition"
     792             :                       " is not available\n");
     793             :       return false;
     794             :     }
     795             : 
     796         180 :     TM = &getAnalysis<TargetPassConfig>().getTM<TargetMachine>();
     797         180 :     auto *TL = TM->getSubtargetImpl(F)->getTargetLowering();
     798         180 :     if (!TL)
     799           0 :       report_fatal_error("TargetLowering instance is required");
     800             : 
     801         180 :     auto *DL = &F.getParent()->getDataLayout();
     802         360 :     auto &TLI = getAnalysis<TargetLibraryInfoWrapperPass>().getTLI();
     803         180 :     auto &ACT = getAnalysis<AssumptionCacheTracker>().getAssumptionCache(F);
     804             : 
     805             :     // Compute DT and LI only for functions that have the attribute.
     806             :     // This is only useful because the legacy pass manager doesn't let us
     807             :     // compute analyzes lazily.
     808             :     // In the backend pipeline, nothing preserves DT before SafeStack, so we
     809             :     // would otherwise always compute it wastefully, even if there is no
     810             :     // function with the safestack attribute.
     811         180 :     DominatorTree DT(F);
     812         360 :     LoopInfo LI(DT);
     813             : 
     814         360 :     ScalarEvolution SE(F, TLI, ACT, DT, LI);
     815             : 
     816         180 :     return SafeStack(F, *TL, *DL, SE).run();
     817             :   }
     818             : };
     819             : 
     820             : } // anonymous namespace
     821             : 
     822             : char SafeStackLegacyPass::ID = 0;
     823       26583 : INITIALIZE_PASS_BEGIN(SafeStackLegacyPass, DEBUG_TYPE,
     824             :                       "Safe Stack instrumentation pass", false, false)
     825       26583 : INITIALIZE_PASS_DEPENDENCY(TargetPassConfig)
     826      242433 : INITIALIZE_PASS_END(SafeStackLegacyPass, DEBUG_TYPE,
     827             :                     "Safe Stack instrumentation pass", false, false)
     828             : 
     829       16923 : FunctionPass *llvm::createSafeStackPass() { return new SafeStackLegacyPass(); }

Generated by: LCOV version 1.13