This file is a part of DataFlowSanitizer, a generalised dynamic data flow analysis.
More...
|
| static const Align | ShadowTLSAlignment = Align(2) |
| |
| static const Align | MinOriginAlignment = Align(4) |
| |
| static const unsigned | ArgTLSSize = 800 |
| |
| static const unsigned | RetvalTLSSize = 800 |
| |
| static cl::opt< bool > | ClPreserveAlignment ("dfsan-preserve-alignment", cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, cl::init(false)) |
| |
| static cl::list< std::string > | ClABIListFiles ("dfsan-abilist", cl::desc("File listing native ABI functions and how the pass treats them"), cl::Hidden) |
| |
| static cl::opt< bool > | ClCombinePointerLabelsOnLoad ("dfsan-combine-pointer-labels-on-load", cl::desc("Combine the label of the pointer with the label of the data when " "loading from memory."), cl::Hidden, cl::init(true)) |
| |
| static cl::opt< bool > | ClCombinePointerLabelsOnStore ("dfsan-combine-pointer-labels-on-store", cl::desc("Combine the label of the pointer with the label of the data when " "storing in memory."), cl::Hidden, cl::init(false)) |
| |
| static cl::opt< bool > | ClCombineOffsetLabelsOnGEP ("dfsan-combine-offset-labels-on-gep", cl::desc("Combine the label of the offset with the label of the pointer when " "doing pointer arithmetic."), cl::Hidden, cl::init(true)) |
| |
| static cl::list< std::string > | ClCombineTaintLookupTables ("dfsan-combine-taint-lookup-table", cl::desc("When dfsan-combine-offset-labels-on-gep and/or " "dfsan-combine-pointer-labels-on-load are false, this flag can " "be used to re-enable combining offset and/or pointer taint when " "loading specific constant global variables (i.e. lookup tables)."), cl::Hidden) |
| |
| static cl::opt< bool > | ClDebugNonzeroLabels ("dfsan-debug-nonzero-labels", cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, " "load or return with a nonzero label"), cl::Hidden) |
| |
| static cl::opt< bool > | ClEventCallbacks ("dfsan-event-callbacks", cl::desc("Insert calls to __dfsan_*_callback functions on data events."), cl::Hidden, cl::init(false)) |
| |
| static cl::opt< bool > | ClConditionalCallbacks ("dfsan-conditional-callbacks", cl::desc("Insert calls to callback functions on conditionals."), cl::Hidden, cl::init(false)) |
| |
| static cl::opt< bool > | ClReachesFunctionCallbacks ("dfsan-reaches-function-callbacks", cl::desc("Insert calls to callback functions on data reaching a function."), cl::Hidden, cl::init(false)) |
| |
| static cl::opt< bool > | ClTrackSelectControlFlow ("dfsan-track-select-control-flow", cl::desc("Propagate labels from condition values of select instructions " "to results."), cl::Hidden, cl::init(true)) |
| |
| static cl::opt< int > | ClInstrumentWithCallThreshold ("dfsan-instrument-with-call-threshold", cl::desc("If the function being instrumented requires more than " "this number of origin stores, use callbacks instead of " "inline checks (-1 means never use callbacks)."), cl::Hidden, cl::init(3500)) |
| |
| static cl::opt< int > | ClTrackOrigins ("dfsan-track-origins", cl::desc("Track origins of labels"), cl::Hidden, cl::init(0)) |
| |
| static cl::opt< bool > | ClIgnorePersonalityRoutine ("dfsan-ignore-personality-routine", cl::desc("If a personality routine is marked uninstrumented from the ABI " "list, do not create a wrapper for it."), cl::Hidden, cl::init(false)) |
| |
| const MemoryMapParams | Linux_AArch64_MemoryMapParams |
| |
| const MemoryMapParams | Linux_X86_64_MemoryMapParams |
| |
| const MemoryMapParams | Linux_LoongArch64_MemoryMapParams |
| |
This file is a part of DataFlowSanitizer, a generalised dynamic data flow analysis.
Unlike other Sanitizer tools, this tool is not designed to detect a specific class of bugs on its own. Instead, it provides a generic dynamic data flow analysis framework to be used by clients to help detect application-specific issues within their own code.
The analysis is based on automatic propagation of data flow labels (also known as taint labels) through a program as it performs computation.
Argument and return value labels are passed through TLS variables __dfsan_arg_tls and __dfsan_retval_tls.
Each byte of application memory is backed by a shadow memory byte. The shadow byte can represent up to 8 labels. On Linux/x86_64, memory is then laid out as follows:
+-----------------—+ 0x800000000000 (top of memory) | application 3 | +-----------------—+ 0x700000000000 | invalid | +-----------------—+ 0x610000000000 | origin 1 | +-----------------—+ 0x600000000000 | application 2 | +-----------------—+ 0x510000000000 | shadow 1 | +-----------------—+ 0x500000000000 | invalid | +-----------------—+ 0x400000000000 | origin 3 | +-----------------—+ 0x300000000000 | shadow 3 | +-----------------—+ 0x200000000000 | origin 2 | +-----------------—+ 0x110000000000 | invalid | +-----------------—+ 0x100000000000 | shadow 2 | +-----------------—+ 0x010000000000 | application 1 | +-----------------—+ 0x000000000000
MEM_TO_SHADOW(mem) = mem ^ 0x500000000000 SHADOW_TO_ORIGIN(shadow) = shadow + 0x100000000000
For more information, please refer to the design document: http://clang.llvm.org/docs/DataFlowSanitizerDesign.html
Definition in file DataFlowSanitizer.cpp.
