This file is a part of DataFlowSanitizer, a generalised dynamic data flow analysis.
static const Align kShadowTLSAlignment = Align(2)
static const unsigned kArgTLSSize = 800
static const unsigned kRetvalTLSSize = 800
const char kDFSanExternShadowPtrMask[] = "__dfsan_shadow_ptr_mask"
static cl::opt< bool > ClPreserveAlignment ("dfsan-preserve-alignment", cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, cl::init(false))
static cl::list< std::string > ClABIListFiles ("dfsan-abilist", cl::desc("File listing native ABI functions and how the pass treats them"), cl::Hidden)
static cl::opt< bool > ClArgsABI ("dfsan-args-abi", cl::desc("Use the argument ABI rather than the TLS ABI"), cl::Hidden)
static cl::opt< bool > ClCombinePointerLabelsOnLoad ("dfsan-combine-pointer-labels-on-load", cl::desc("Combine the label of the pointer with the label of the data when loading from memory."), cl::Hidden, cl::init(true))
static cl::opt< bool > ClCombinePointerLabelsOnStore ("dfsan-combine-pointer-labels-on-store", cl::desc("Combine the label of the pointer with the label of the data when storing in memory."), cl::Hidden, cl::init(false))
static cl::opt< bool > ClDebugNonzeroLabels ("dfsan-debug-nonzero-labels", cl::desc("Insert calls to __dfsan_nonzero_label on observing a parameter, load or return with a nonzero label"), cl::Hidden)
static cl::opt< bool > ClEventCallbacks ("dfsan-event-callbacks", cl::desc("Insert calls to __dfsan_*_callback functions on data events."), cl::Hidden, cl::init(false))
static cl::opt< bool > ClFast16Labels ("dfsan-fast-16-labels", cl::desc("Use more efficient instrumentation, limiting the number of labels to 16."), cl::Hidden, cl::init(false))
static cl::opt< bool > ClTrackSelectControlFlow ("dfsan-track-select-control-flow", cl::desc("Propagate labels from condition values of select instructions to results."), cl::Hidden, cl::init(true))
Unlike other Sanitizer tools, this tool is not designed to detect a specific class of bugs on its own. Instead, it provides a generic dynamic data flow analysis framework to be used by clients to help detect application-specific issues within their own code.
The analysis is based on automatic propagation of data flow labels (also known as taint labels) through a program as it performs computation. Each byte of application memory is backed by two bytes of shadow memory which hold the label. On Linux/x86_64, memory is laid out as follows:
    +--------------------+ 0x800000000000 (top of memory)
    | application memory |
    +--------------------+ 0x700000008000 (kAppAddr)
    |                    |
    |       unused       |
    |                    |
    +--------------------+ 0x200200000000 (kUnusedAddr)
    |    union table     |
    +--------------------+ 0x200000000000 (kUnionTableAddr)
    |   shadow memory    |
    +--------------------+ 0x000000010000 (kShadowAddr)
    | reserved by kernel |
    +--------------------+ 0x000000000000
To derive a shadow memory address from an application memory address, bits 44-46 are cleared to bring the address into the range [0x000000008000, 0x100000000000). Then the address is shifted left by 1 to account for the double-byte representation of shadow labels and move the address into the shadow memory range. See the function DataFlowSanitizer::getShadowAddress below.
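The shadow address derivation described above, carried through as an added example in C (not DFSan's own code): the layout constants are taken from the memory map above, while the helper names and the sample addresses are my own construction.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Region boundaries from the Linux/x86_64 layout in the file comment. */
#define kTopOfMemory    0x800000000000ULL
#define kAppAddr        0x700000008000ULL
#define kUnionTableAddr 0x200000000000ULL
#define kShadowAddr     0x000000010000ULL

/* Bits 44-46 are set (0x700000000000) for every application address;
 * clearing them maps [kAppAddr, top) onto [0x8000, 0x100000000000). */
#define kShadowPtrMask  (~0x700000000000ULL)

/* Address of the 2-byte label backing the application byte at app_addr:
 * clear bits 44-46, then shift left by 1 because each byte of application
 * memory is shadowed by two bytes of label. */
uint64_t shadow_addr(uint64_t app_addr) {
    return (app_addr & kShadowPtrMask) << 1;
}

/* The derivation is only meaningful for application addresses. */
int is_app_addr(uint64_t addr) {
    return addr >= kAppAddr && addr < kTopOfMemory;
}

/* Sanity check: does a derived address land inside shadow memory? */
int is_shadow_addr(uint64_t addr) {
    return addr >= kShadowAddr && addr < kUnionTableAddr;
}

int main(void) {
    /* Constructed sample addresses: both ends of the application region,
     * an interior address, and one in the unused gap (not an app address). */
    uint64_t samples[] = { kAppAddr, 0x7fff12345678ULL, kTopOfMemory - 1,
                           0x300000000000ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t s = shadow_addr(samples[i]);
        printf("app %#014" PRIx64 " -> shadow %#014" PRIx64 " (%s)\n",
               samples[i], s,
               is_app_addr(samples[i]) && is_shadow_addr(s)
                   ? "in shadow range" : "not an application address");
    }
    return 0;
}
```

Note that adjacent application bytes map to shadow addresses 2 apart, which is why shadow accesses are 2-byte aligned.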
For more information, please refer to the design document: http://clang.llvm.org/docs/DataFlowSanitizerDesign.html
Definition in file DataFlowSanitizer.cpp.