DataFlowSanitizer: greylist is now ABI list.

This replaces the old incomplete greylist functionality with an ABI
list, which can provide more detailed information about the ABI and
semantics of specific functions.  The pass treats every function in
the "uninstrumented" category in the ABI list file as conforming to
the "native" (i.e. unsanitized) ABI.  Unless the ABI list contains
additional categories for those functions, a call to one of those
functions will produce a warning message, as the labelling behaviour
of the function is unknown.  The other supported categories are
"functional", "discard" and "custom".

- "discard" -- This function does not write to (user-accessible) memory,
  and its return value is unlabelled.
- "functional" -- This function does not write to (user-accessible)
  memory, and the label of its return value is the union of the label of
  its arguments.
- "custom" -- Instead of calling the function, a custom wrapper __dfsw_F
  is called, where F is the name of the function.  This function may wrap
  the original function or provide its own implementation.

Differential Revision: http://llvm-reviews.chandlerc.com/D1345

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@188402 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Peter Collingbourne 2013-08-14 18:54:12 +00:00
parent 35d5e9044c
commit fdb1a6c341
4 changed files with 332 additions and 97 deletions

View File

@ -89,12 +89,14 @@ FunctionPass *createMemorySanitizerPass(bool TrackOrigins = false,
FunctionPass *createThreadSanitizerPass(StringRef BlacklistFile = StringRef()); FunctionPass *createThreadSanitizerPass(StringRef BlacklistFile = StringRef());
// Insert DataFlowSanitizer (dynamic data flow analysis) instrumentation // Insert DataFlowSanitizer (dynamic data flow analysis) instrumentation
ModulePass *createDataFlowSanitizerPass(void *(*getArgTLS)() = 0, ModulePass *createDataFlowSanitizerPass(StringRef ABIListFile = StringRef(),
void *(*getArgTLS)() = 0,
void *(*getRetValTLS)() = 0); void *(*getRetValTLS)() = 0);
#if defined(__GNUC__) && defined(__linux__) #if defined(__GNUC__) && defined(__linux__)
inline ModulePass *createDataFlowSanitizerPassForJIT() { inline ModulePass *createDataFlowSanitizerPassForJIT(StringRef ABIListFile =
return createDataFlowSanitizerPass(getDFSanArgTLSPtrForJIT, StringRef()) {
return createDataFlowSanitizerPass(ABIListFile, getDFSanArgTLSPtrForJIT,
getDFSanRetValTLSPtrForJIT); getDFSanRetValTLSPtrForJIT);
} }
#endif #endif

View File

@ -76,17 +76,20 @@ static cl::opt<bool> ClPreserveAlignment(
cl::desc("respect alignment requirements provided by input IR"), cl::Hidden, cl::desc("respect alignment requirements provided by input IR"), cl::Hidden,
cl::init(false)); cl::init(false));
// The greylist file controls how shadow parameters are passed. // The ABI list file controls how shadow parameters are passed. The pass treats
// The program acts as though every function in the greylist is passed // every function labelled "uninstrumented" in the ABI list file as conforming
// parameters with zero shadow and that its return value also has zero shadow. // to the "native" (i.e. unsanitized) ABI. Unless the ABI list contains
// This avoids the use of TLS or extra function parameters to pass shadow state // additional annotations for those functions, a call to one of those functions
// and essentially makes the function conform to the "native" (i.e. unsanitized) // will produce a warning message, as the labelling behaviour of the function is
// ABI. // unknown. The other supported annotations are "functional" and "discard",
static cl::opt<std::string> ClGreylistFile( // which are described below under DataFlowSanitizer::WrapperKind.
"dfsan-greylist", static cl::opt<std::string> ClABIListFile(
cl::desc("File containing the list of functions with a native ABI"), "dfsan-abilist",
cl::desc("File listing native ABI functions and how the pass treats them"),
cl::Hidden); cl::Hidden);
// Controls whether the pass uses IA_Args or IA_TLS as the ABI for instrumented
// functions (see DataFlowSanitizer::InstrumentedABI below).
static cl::opt<bool> ClArgsABI( static cl::opt<bool> ClArgsABI(
"dfsan-args-abi", "dfsan-args-abi",
cl::desc("Use the argument ABI rather than the TLS ABI"), cl::desc("Use the argument ABI rather than the TLS ABI"),
@ -102,13 +105,42 @@ class DataFlowSanitizer : public ModulePass {
ShadowWidth = 16 ShadowWidth = 16
}; };
/// Which ABI should be used for instrumented functions?
enum InstrumentedABI { enum InstrumentedABI {
IA_None, /// Argument and return value labels are passed through additional
IA_MemOnly, /// arguments and by modifying the return type.
IA_Args, IA_Args,
/// Argument and return value labels are passed through TLS variables
/// __dfsan_arg_tls and __dfsan_retval_tls.
IA_TLS IA_TLS
}; };
/// How should calls to uninstrumented functions be handled?
enum WrapperKind {
/// This function is present in an uninstrumented form but we don't know
/// how it should be handled. Print a warning and call the function anyway.
/// Don't label the return value.
WK_Warning,
/// This function does not write to (user-accessible) memory, and its return
/// value is unlabelled.
WK_Discard,
/// This function does not write to (user-accessible) memory, and the label
/// of its return value is the union of the label of its arguments.
WK_Functional,
/// Instead of calling the function, a custom wrapper __dfsw_F is called,
/// where F is the name of the function. This function may wrap the
/// original function or provide its own implementation. This is similar to
/// the IA_Args ABI, except that IA_Args uses a struct return type to
/// pass the return value shadow in a register, while WK_Custom uses an
/// extra pointer argument to return the shadow. This allows the wrapped
/// form of the function type to be expressed in C.
WK_Custom
};
DataLayout *DL; DataLayout *DL;
Module *Mod; Module *Mod;
LLVMContext *Ctx; LLVMContext *Ctx;
@ -126,20 +158,26 @@ class DataFlowSanitizer : public ModulePass {
Constant *GetRetvalTLS; Constant *GetRetvalTLS;
FunctionType *DFSanUnionFnTy; FunctionType *DFSanUnionFnTy;
FunctionType *DFSanUnionLoadFnTy; FunctionType *DFSanUnionLoadFnTy;
FunctionType *DFSanUnimplementedFnTy;
Constant *DFSanUnionFn; Constant *DFSanUnionFn;
Constant *DFSanUnionLoadFn; Constant *DFSanUnionLoadFn;
Constant *DFSanUnimplementedFn;
MDNode *ColdCallWeights; MDNode *ColdCallWeights;
OwningPtr<SpecialCaseList> Greylist; OwningPtr<SpecialCaseList> ABIList;
DenseMap<Value *, Function *> UnwrappedFnMap; DenseMap<Value *, Function *> UnwrappedFnMap;
AttributeSet ReadOnlyNoneAttrs;
Value *getShadowAddress(Value *Addr, Instruction *Pos); Value *getShadowAddress(Value *Addr, Instruction *Pos);
Value *combineShadows(Value *V1, Value *V2, Instruction *Pos); Value *combineShadows(Value *V1, Value *V2, Instruction *Pos);
FunctionType *getInstrumentedFunctionType(FunctionType *T); bool isInstrumented(Function *F);
InstrumentedABI getInstrumentedABI(Function *F); FunctionType *getArgsFunctionType(FunctionType *T);
InstrumentedABI getDefaultInstrumentedABI(); FunctionType *getCustomFunctionType(FunctionType *T);
InstrumentedABI getInstrumentedABI();
WrapperKind getWrapperKind(Function *F);
public: public:
DataFlowSanitizer(void *(*getArgTLS)() = 0, void *(*getRetValTLS)() = 0); DataFlowSanitizer(StringRef ABIListFile = StringRef(),
void *(*getArgTLS)() = 0, void *(*getRetValTLS)() = 0);
static char ID; static char ID;
bool doInitialization(Module &M); bool doInitialization(Module &M);
bool runOnModule(Module &M); bool runOnModule(Module &M);
@ -149,16 +187,19 @@ struct DFSanFunction {
DataFlowSanitizer &DFS; DataFlowSanitizer &DFS;
Function *F; Function *F;
DataFlowSanitizer::InstrumentedABI IA; DataFlowSanitizer::InstrumentedABI IA;
bool IsNativeABI;
Value *ArgTLSPtr; Value *ArgTLSPtr;
Value *RetvalTLSPtr; Value *RetvalTLSPtr;
AllocaInst *LabelReturnAlloca;
DenseMap<Value *, Value *> ValShadowMap; DenseMap<Value *, Value *> ValShadowMap;
DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap; DenseMap<AllocaInst *, AllocaInst *> AllocaShadowMap;
std::vector<std::pair<PHINode *, PHINode *> > PHIFixups; std::vector<std::pair<PHINode *, PHINode *> > PHIFixups;
DenseSet<Instruction *> SkipInsts; DenseSet<Instruction *> SkipInsts;
DFSanFunction(DataFlowSanitizer &DFS, Function *F) DFSanFunction(DataFlowSanitizer &DFS, Function *F, bool IsNativeABI)
: DFS(DFS), F(F), IA(DFS.getInstrumentedABI(F)), ArgTLSPtr(0), : DFS(DFS), F(F), IA(DFS.getInstrumentedABI()),
RetvalTLSPtr(0) {} IsNativeABI(IsNativeABI), ArgTLSPtr(0), RetvalTLSPtr(0),
LabelReturnAlloca(0) {}
Value *getArgTLSPtr(); Value *getArgTLSPtr();
Value *getArgTLS(unsigned Index, Instruction *Pos); Value *getArgTLS(unsigned Index, Instruction *Pos);
Value *getRetvalTLS(); Value *getRetvalTLS();
@ -203,17 +244,21 @@ char DataFlowSanitizer::ID;
INITIALIZE_PASS(DataFlowSanitizer, "dfsan", INITIALIZE_PASS(DataFlowSanitizer, "dfsan",
"DataFlowSanitizer: dynamic data flow analysis.", false, false) "DataFlowSanitizer: dynamic data flow analysis.", false, false)
ModulePass *llvm::createDataFlowSanitizerPass(void *(*getArgTLS)(), ModulePass *llvm::createDataFlowSanitizerPass(StringRef ABIListFile,
void *(*getArgTLS)(),
void *(*getRetValTLS)()) { void *(*getRetValTLS)()) {
return new DataFlowSanitizer(getArgTLS, getRetValTLS); return new DataFlowSanitizer(ABIListFile, getArgTLS, getRetValTLS);
} }
DataFlowSanitizer::DataFlowSanitizer(void *(*getArgTLS)(), DataFlowSanitizer::DataFlowSanitizer(StringRef ABIListFile,
void *(*getArgTLS)(),
void *(*getRetValTLS)()) void *(*getRetValTLS)())
: ModulePass(ID), GetArgTLSPtr(getArgTLS), GetRetvalTLSPtr(getRetValTLS), : ModulePass(ID), GetArgTLSPtr(getArgTLS), GetRetvalTLSPtr(getRetValTLS),
Greylist(SpecialCaseList::createOrDie(ClGreylistFile)) {} ABIList(SpecialCaseList::createOrDie(ABIListFile.empty() ? ClABIListFile
: ABIListFile)) {
}
FunctionType *DataFlowSanitizer::getInstrumentedFunctionType(FunctionType *T) { FunctionType *DataFlowSanitizer::getArgsFunctionType(FunctionType *T) {
llvm::SmallVector<Type *, 4> ArgTypes; llvm::SmallVector<Type *, 4> ArgTypes;
std::copy(T->param_begin(), T->param_end(), std::back_inserter(ArgTypes)); std::copy(T->param_begin(), T->param_end(), std::back_inserter(ArgTypes));
for (unsigned i = 0, e = T->getNumParams(); i != e; ++i) for (unsigned i = 0, e = T->getNumParams(); i != e; ++i)
@ -226,6 +271,18 @@ FunctionType *DataFlowSanitizer::getInstrumentedFunctionType(FunctionType *T) {
return FunctionType::get(RetType, ArgTypes, T->isVarArg()); return FunctionType::get(RetType, ArgTypes, T->isVarArg());
} }
FunctionType *DataFlowSanitizer::getCustomFunctionType(FunctionType *T) {
assert(!T->isVarArg());
llvm::SmallVector<Type *, 4> ArgTypes;
std::copy(T->param_begin(), T->param_end(), std::back_inserter(ArgTypes));
for (unsigned i = 0, e = T->getNumParams(); i != e; ++i)
ArgTypes.push_back(ShadowTy);
Type *RetType = T->getReturnType();
if (!RetType->isVoidTy())
ArgTypes.push_back(ShadowPtrTy);
return FunctionType::get(T->getReturnType(), ArgTypes, false);
}
bool DataFlowSanitizer::doInitialization(Module &M) { bool DataFlowSanitizer::doInitialization(Module &M) {
DL = getAnalysisIfAvailable<DataLayout>(); DL = getAnalysisIfAvailable<DataLayout>();
if (!DL) if (!DL)
@ -246,6 +303,8 @@ bool DataFlowSanitizer::doInitialization(Module &M) {
Type *DFSanUnionLoadArgs[2] = { ShadowPtrTy, IntptrTy }; Type *DFSanUnionLoadArgs[2] = { ShadowPtrTy, IntptrTy };
DFSanUnionLoadFnTy = DFSanUnionLoadFnTy =
FunctionType::get(ShadowTy, DFSanUnionLoadArgs, /*isVarArg=*/ false); FunctionType::get(ShadowTy, DFSanUnionLoadArgs, /*isVarArg=*/ false);
DFSanUnimplementedFnTy = FunctionType::get(
Type::getVoidTy(*Ctx), Type::getInt8PtrTy(*Ctx), /*isVarArg=*/false);
if (GetArgTLSPtr) { if (GetArgTLSPtr) {
Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); Type *ArgTLSTy = ArrayType::get(ShadowTy, 64);
@ -267,23 +326,32 @@ bool DataFlowSanitizer::doInitialization(Module &M) {
return true; return true;
} }
DataFlowSanitizer::InstrumentedABI bool DataFlowSanitizer::isInstrumented(Function *F) {
DataFlowSanitizer::getInstrumentedABI(Function *F) { return !ABIList->isIn(*F, "uninstrumented");
if (Greylist->isIn(*F))
return IA_MemOnly;
else
return getDefaultInstrumentedABI();
} }
DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::InstrumentedABI DataFlowSanitizer::getInstrumentedABI() {
DataFlowSanitizer::getDefaultInstrumentedABI() {
return ClArgsABI ? IA_Args : IA_TLS; return ClArgsABI ? IA_Args : IA_TLS;
} }
DataFlowSanitizer::WrapperKind DataFlowSanitizer::getWrapperKind(Function *F) {
if (ABIList->isIn(*F, "functional"))
return WK_Functional;
if (ABIList->isIn(*F, "discard"))
return WK_Discard;
if (ABIList->isIn(*F, "custom"))
return WK_Custom;
return WK_Warning;
}
bool DataFlowSanitizer::runOnModule(Module &M) { bool DataFlowSanitizer::runOnModule(Module &M) {
if (!DL) if (!DL)
return false; return false;
if (ABIList->isIn(M, "skip"))
return false;
if (!GetArgTLSPtr) { if (!GetArgTLSPtr) {
Type *ArgTLSTy = ArrayType::get(ShadowTy, 64); Type *ArgTLSTy = ArrayType::get(ShadowTy, 64);
ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy); ArgTLS = Mod->getOrInsertGlobal("__dfsan_arg_tls", ArgTLSTy);
@ -308,33 +376,44 @@ bool DataFlowSanitizer::runOnModule(Module &M) {
if (Function *F = dyn_cast<Function>(DFSanUnionLoadFn)) { if (Function *F = dyn_cast<Function>(DFSanUnionLoadFn)) {
F->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt); F->addAttribute(AttributeSet::ReturnIndex, Attribute::ZExt);
} }
DFSanUnimplementedFn =
Mod->getOrInsertFunction("__dfsan_unimplemented", DFSanUnimplementedFnTy);
std::vector<Function *> FnsToInstrument; std::vector<Function *> FnsToInstrument;
llvm::SmallPtrSet<Function *, 2> FnsWithNativeABI;
for (Module::iterator i = M.begin(), e = M.end(); i != e; ++i) { for (Module::iterator i = M.begin(), e = M.end(); i != e; ++i) {
if (!i->isIntrinsic() && i != DFSanUnionFn && i != DFSanUnionLoadFn) if (!i->isIntrinsic() &&
i != DFSanUnionFn &&
i != DFSanUnionLoadFn &&
i != DFSanUnimplementedFn)
FnsToInstrument.push_back(&*i); FnsToInstrument.push_back(&*i);
} }
// First, change the ABI of every function in the module. Greylisted AttrBuilder B;
B.addAttribute(Attribute::ReadOnly).addAttribute(Attribute::ReadNone);
ReadOnlyNoneAttrs = AttributeSet::get(*Ctx, AttributeSet::FunctionIndex, B);
// First, change the ABI of every function in the module. ABI-listed
// functions keep their original ABI and get a wrapper function. // functions keep their original ABI and get a wrapper function.
for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), for (std::vector<Function *>::iterator i = FnsToInstrument.begin(),
e = FnsToInstrument.end(); e = FnsToInstrument.end();
i != e; ++i) { i != e; ++i) {
Function &F = **i; Function &F = **i;
FunctionType *FT = F.getFunctionType(); FunctionType *FT = F.getFunctionType();
FunctionType *NewFT = getInstrumentedFunctionType(FT);
// If the function types are the same (i.e. void()), we don't need to do if (FT->getNumParams() == 0 && !FT->isVarArg() &&
// anything here. FT->getReturnType()->isVoidTy())
if (FT != NewFT) { continue;
switch (getInstrumentedABI(&F)) {
case IA_Args: { if (isInstrumented(&F)) {
if (getInstrumentedABI() == IA_Args) {
FunctionType *NewFT = getArgsFunctionType(FT);
Function *NewF = Function::Create(NewFT, F.getLinkage(), "", &M); Function *NewF = Function::Create(NewFT, F.getLinkage(), "", &M);
NewF->setCallingConv(F.getCallingConv()); NewF->copyAttributesFrom(&F);
NewF->setAttributes(F.getAttributes().removeAttributes( NewF->removeAttributes(
*Ctx, AttributeSet::ReturnIndex, AttributeSet::ReturnIndex,
AttributeFuncs::typeIncompatible(NewFT->getReturnType(), AttributeFuncs::typeIncompatible(NewFT->getReturnType(),
AttributeSet::ReturnIndex))); AttributeSet::ReturnIndex));
for (Function::arg_iterator FArg = F.arg_begin(), for (Function::arg_iterator FArg = F.arg_begin(),
NewFArg = NewF->arg_begin(), NewFArg = NewF->arg_begin(),
FArgEnd = F.arg_end(); FArgEnd = F.arg_end();
@ -358,41 +437,63 @@ bool DataFlowSanitizer::runOnModule(Module &M) {
NewF->takeName(&F); NewF->takeName(&F);
F.eraseFromParent(); F.eraseFromParent();
*i = NewF; *i = NewF;
break;
} }
case IA_MemOnly: { // Hopefully, nobody will try to indirectly call a vararg
assert(!FT->isVarArg() && "varargs not handled here yet"); // function... yet.
assert(getDefaultInstrumentedABI() == IA_Args); } else if (FT->isVarArg()) {
Function *NewF = UnwrappedFnMap[&F] = &F;
Function::Create(NewFT, GlobalValue::LinkOnceODRLinkage, *i = 0;
std::string("dfsw$") + F.getName(), &M); } else {
NewF->setCallingConv(F.getCallingConv()); // Build a wrapper function for F. The wrapper simply calls F, and is
NewF->setAttributes(F.getAttributes()); // added to FnsToInstrument so that any instrumentation according to its
// WrapperKind is done in the second pass below.
FunctionType *NewFT = getInstrumentedABI() == IA_Args
? getArgsFunctionType(FT)
: FT;
Function *NewF =
Function::Create(NewFT, GlobalValue::LinkOnceODRLinkage,
std::string("dfsw$") + F.getName(), &M);
NewF->copyAttributesFrom(&F);
NewF->removeAttributes(
AttributeSet::ReturnIndex,
AttributeFuncs::typeIncompatible(NewFT->getReturnType(),
AttributeSet::ReturnIndex));
if (getInstrumentedABI() == IA_TLS)
NewF->removeAttributes(AttributeSet::FunctionIndex,
ReadOnlyNoneAttrs);
BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF); BasicBlock *BB = BasicBlock::Create(*Ctx, "entry", NewF);
std::vector<Value *> Args; std::vector<Value *> Args;
unsigned n = FT->getNumParams(); unsigned n = FT->getNumParams();
for (Function::arg_iterator i = NewF->arg_begin(); n != 0; ++i, --n) for (Function::arg_iterator ai = NewF->arg_begin(); n != 0; ++ai, --n)
Args.push_back(&*i); Args.push_back(&*ai);
CallInst *CI = CallInst::Create(&F, Args, "", BB); CallInst *CI = CallInst::Create(&F, Args, "", BB);
if (FT->getReturnType()->isVoidTy()) if (FT->getReturnType()->isVoidTy())
ReturnInst::Create(*Ctx, BB); ReturnInst::Create(*Ctx, BB);
else { else
Value *InsVal = InsertValueInst::Create( ReturnInst::Create(*Ctx, CI, BB);
UndefValue::get(NewFT->getReturnType()), CI, 0, "", BB);
Value *InsShadow =
InsertValueInst::Create(InsVal, ZeroShadow, 1, "", BB);
ReturnInst::Create(*Ctx, InsShadow, BB);
}
Value *WrappedFnCst = Value *WrappedFnCst =
ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT)); ConstantExpr::getBitCast(NewF, PointerType::getUnqual(FT));
F.replaceAllUsesWith(WrappedFnCst); F.replaceAllUsesWith(WrappedFnCst);
UnwrappedFnMap[WrappedFnCst] = &F; UnwrappedFnMap[WrappedFnCst] = &F;
break; *i = NewF;
}
default: if (!F.isDeclaration()) {
break; // This function is probably defining an interposition of an
// uninstrumented function and hence needs to keep the original ABI.
// But any functions it may call need to use the instrumented ABI, so
// we instrument it in a mode which preserves the original ABI.
FnsWithNativeABI.insert(&F);
// This code needs to rebuild the iterators, as they may be invalidated
// by the push_back, taking care that the new range does not include
// any functions added by this code.
size_t N = i - FnsToInstrument.begin(),
Count = e - FnsToInstrument.begin();
FnsToInstrument.push_back(&F);
i = FnsToInstrument.begin() + N;
e = FnsToInstrument.begin() + Count;
} }
} }
} }
@ -400,12 +501,12 @@ bool DataFlowSanitizer::runOnModule(Module &M) {
for (std::vector<Function *>::iterator i = FnsToInstrument.begin(), for (std::vector<Function *>::iterator i = FnsToInstrument.begin(),
e = FnsToInstrument.end(); e = FnsToInstrument.end();
i != e; ++i) { i != e; ++i) {
if ((*i)->isDeclaration()) if (!*i || (*i)->isDeclaration())
continue; continue;
removeUnreachableBlocks(**i); removeUnreachableBlocks(**i);
DFSanFunction DFSF(*this, *i); DFSanFunction DFSF(*this, *i, FnsWithNativeABI.count(*i));
// DFSanVisitor may create new basic blocks, which confuses df_iterator. // DFSanVisitor may create new basic blocks, which confuses df_iterator.
// Build a copy of the list before iterating over it. // Build a copy of the list before iterating over it.
@ -433,6 +534,10 @@ bool DataFlowSanitizer::runOnModule(Module &M) {
} }
} }
// We will not necessarily be able to compute the shadow for every phi node
// until we have visited every block. Therefore, the code that handles phi
// nodes adds them to the PHIFixups list so that they can be properly
// handled here.
for (std::vector<std::pair<PHINode *, PHINode *> >::iterator for (std::vector<std::pair<PHINode *, PHINode *> >::iterator
i = DFSF.PHIFixups.begin(), i = DFSF.PHIFixups.begin(),
e = DFSF.PHIFixups.end(); e = DFSF.PHIFixups.end();
@ -479,6 +584,8 @@ Value *DFSanFunction::getShadow(Value *V) {
Value *&Shadow = ValShadowMap[V]; Value *&Shadow = ValShadowMap[V];
if (!Shadow) { if (!Shadow) {
if (Argument *A = dyn_cast<Argument>(V)) { if (Argument *A = dyn_cast<Argument>(V)) {
if (IsNativeABI)
return DFS.ZeroShadow;
switch (IA) { switch (IA) {
case DataFlowSanitizer::IA_TLS: { case DataFlowSanitizer::IA_TLS: {
Value *ArgTLSPtr = getArgTLSPtr(); Value *ArgTLSPtr = getArgTLSPtr();
@ -495,11 +602,9 @@ Value *DFSanFunction::getShadow(Value *V) {
while (ArgIdx--) while (ArgIdx--)
++i; ++i;
Shadow = i; Shadow = i;
assert(Shadow->getType() == DFS.ShadowTy);
break; break;
} }
default:
Shadow = DFS.ZeroShadow;
break;
} }
} else { } else {
Shadow = DFS.ZeroShadow; Shadow = DFS.ZeroShadow;
@ -866,7 +971,7 @@ void DFSanVisitor::visitMemTransferInst(MemTransferInst &I) {
} }
void DFSanVisitor::visitReturnInst(ReturnInst &RI) { void DFSanVisitor::visitReturnInst(ReturnInst &RI) {
if (RI.getReturnValue()) { if (!DFSF.IsNativeABI && RI.getReturnValue()) {
switch (DFSF.IA) { switch (DFSF.IA) {
case DataFlowSanitizer::IA_TLS: { case DataFlowSanitizer::IA_TLS: {
Value *S = DFSF.getShadow(RI.getReturnValue()); Value *S = DFSF.getShadow(RI.getReturnValue());
@ -884,8 +989,6 @@ void DFSanVisitor::visitReturnInst(ReturnInst &RI) {
RI.setOperand(0, InsShadow); RI.setOperand(0, InsShadow);
break; break;
} }
default:
break;
} }
} }
} }
@ -897,19 +1000,91 @@ void DFSanVisitor::visitCallSite(CallSite CS) {
return; return;
} }
IRBuilder<> IRB(CS.getInstruction());
DenseMap<Value *, Function *>::iterator i = DenseMap<Value *, Function *>::iterator i =
DFSF.DFS.UnwrappedFnMap.find(CS.getCalledValue()); DFSF.DFS.UnwrappedFnMap.find(CS.getCalledValue());
if (i != DFSF.DFS.UnwrappedFnMap.end()) { if (i != DFSF.DFS.UnwrappedFnMap.end()) {
CS.setCalledFunction(i->second); Function *F = i->second;
DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow); switch (DFSF.DFS.getWrapperKind(F)) {
return; case DataFlowSanitizer::WK_Warning: {
} CS.setCalledFunction(F);
IRB.CreateCall(DFSF.DFS.DFSanUnimplementedFn,
IRB.CreateGlobalStringPtr(F->getName()));
DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow);
return;
}
case DataFlowSanitizer::WK_Discard: {
CS.setCalledFunction(F);
DFSF.setShadow(CS.getInstruction(), DFSF.DFS.ZeroShadow);
return;
}
case DataFlowSanitizer::WK_Functional: {
CS.setCalledFunction(F);
visitOperandShadowInst(*CS.getInstruction());
return;
}
case DataFlowSanitizer::WK_Custom: {
// Don't try to handle invokes of custom functions, it's too complicated.
// Instead, invoke the dfsw$ wrapper, which will in turn call the __dfsw_
// wrapper.
if (CallInst *CI = dyn_cast<CallInst>(CS.getInstruction())) {
FunctionType *FT = F->getFunctionType();
FunctionType *CustomFT = DFSF.DFS.getCustomFunctionType(FT);
std::string CustomFName = "__dfsw_";
CustomFName += F->getName();
Constant *CustomF =
DFSF.DFS.Mod->getOrInsertFunction(CustomFName, CustomFT);
if (Function *CustomFn = dyn_cast<Function>(CustomF)) {
CustomFn->copyAttributesFrom(F);
IRBuilder<> IRB(CS.getInstruction()); // Custom functions returning non-void will write to the return label.
if (!FT->getReturnType()->isVoidTy()) {
CustomFn->removeAttributes(AttributeSet::FunctionIndex,
DFSF.DFS.ReadOnlyNoneAttrs);
}
}
std::vector<Value *> Args;
CallSite::arg_iterator i = CS.arg_begin();
for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
Args.push_back(*i);
i = CS.arg_begin();
for (unsigned n = FT->getNumParams(); n != 0; ++i, --n)
Args.push_back(DFSF.getShadow(*i));
if (!FT->getReturnType()->isVoidTy()) {
if (!DFSF.LabelReturnAlloca) {
DFSF.LabelReturnAlloca =
new AllocaInst(DFSF.DFS.ShadowTy, "labelreturn",
DFSF.F->getEntryBlock().begin());
}
Args.push_back(DFSF.LabelReturnAlloca);
}
CallInst *CustomCI = IRB.CreateCall(CustomF, Args);
CustomCI->setCallingConv(CI->getCallingConv());
CustomCI->setAttributes(CI->getAttributes());
if (!FT->getReturnType()->isVoidTy()) {
LoadInst *LabelLoad = IRB.CreateLoad(DFSF.LabelReturnAlloca);
DFSF.setShadow(CustomCI, LabelLoad);
}
CI->replaceAllUsesWith(CustomCI);
CI->eraseFromParent();
return;
}
break;
}
}
}
FunctionType *FT = cast<FunctionType>( FunctionType *FT = cast<FunctionType>(
CS.getCalledValue()->getType()->getPointerElementType()); CS.getCalledValue()->getType()->getPointerElementType());
if (DFSF.DFS.getDefaultInstrumentedABI() == DataFlowSanitizer::IA_TLS) { if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
for (unsigned i = 0, n = FT->getNumParams(); i != n; ++i) { for (unsigned i = 0, n = FT->getNumParams(); i != n; ++i) {
IRB.CreateStore(DFSF.getShadow(CS.getArgument(i)), IRB.CreateStore(DFSF.getShadow(CS.getArgument(i)),
DFSF.getArgTLS(i, CS.getInstruction())); DFSF.getArgTLS(i, CS.getInstruction()));
@ -930,7 +1105,7 @@ void DFSanVisitor::visitCallSite(CallSite CS) {
Next = CS->getNextNode(); Next = CS->getNextNode();
} }
if (DFSF.DFS.getDefaultInstrumentedABI() == DataFlowSanitizer::IA_TLS) { if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_TLS) {
IRBuilder<> NextIRB(Next); IRBuilder<> NextIRB(Next);
LoadInst *LI = NextIRB.CreateLoad(DFSF.getRetvalTLS()); LoadInst *LI = NextIRB.CreateLoad(DFSF.getRetvalTLS());
DFSF.SkipInsts.insert(LI); DFSF.SkipInsts.insert(LI);
@ -940,8 +1115,8 @@ void DFSanVisitor::visitCallSite(CallSite CS) {
// Do all instrumentation for IA_Args down here to defer tampering with the // Do all instrumentation for IA_Args down here to defer tampering with the
// CFG in a way that SplitEdge may be able to detect. // CFG in a way that SplitEdge may be able to detect.
if (DFSF.DFS.getDefaultInstrumentedABI() == DataFlowSanitizer::IA_Args) { if (DFSF.DFS.getInstrumentedABI() == DataFlowSanitizer::IA_Args) {
FunctionType *NewFT = DFSF.DFS.getInstrumentedFunctionType(FT); FunctionType *NewFT = DFSF.DFS.getArgsFunctionType(FT);
Value *Func = Value *Func =
IRB.CreateBitCast(CS.getCalledValue(), PointerType::getUnqual(NewFT)); IRB.CreateBitCast(CS.getCalledValue(), PointerType::getUnqual(NewFT));
std::vector<Value *> Args; std::vector<Value *> Args;

View File

@ -0,0 +1,47 @@
; RUN: opt < %s -dfsan -dfsan-args-abi -dfsan-abilist=%s.txt -S | FileCheck %s
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64-S128"
; CHECK: i32 @discard(i32 %a, i32 %b)
define i32 @discard(i32 %a, i32 %b) {
ret i32 0
}
; CHECK: i32 @functional(i32 %a, i32 %b)
define i32 @functional(i32 %a, i32 %b) {
%c = add i32 %a, %b
ret i32 %c
}
declare void @custom1(i32 %a, i32 %b)
declare i32 @custom2(i32 %a, i32 %b)
; CHECK: @f
define void @f() {
; CHECK: %[[LABELRETURN:.*]] = alloca i16
; CHECK: call void @__dfsw_custom1(i32 1, i32 2, i16 0, i16 0)
call void @custom1(i32 1, i32 2)
; CHECK: call i32 @__dfsw_custom2(i32 1, i32 2, i16 0, i16 0, i16* %[[LABELRETURN]])
call i32 @custom2(i32 1, i32 2)
ret void
}
; CHECK: define linkonce_odr { i32, i16 } @"dfsw$custom2"(i32, i32, i16, i16)
; CHECK: %[[LABELRETURN2:.*]] = alloca i16
; CHECK: %[[RV:.*]] = call i32 @__dfsw_custom2
; CHECK: %[[RVSHADOW:.*]] = load i16* %[[LABELRETURN2]]
; CHECK: insertvalue {{.*}}[[RV]], 0
; CHECK: insertvalue {{.*}}[[RVSHADOW]], 1
; CHECK: ret { i32, i16 }
; CHECK: @g
define i32 (i32, i32)* @g() {
; CHECK: ret {{.*}} @"dfsw$custom2"
ret i32 (i32, i32)* @custom2
}
; CHECK: declare void @__dfsw_custom1(i32, i32, i16, i16)
; CHECK: declare i32 @__dfsw_custom2(i32, i32, i16, i16, i16*)

View File

@ -0,0 +1,11 @@
fun:discard=uninstrumented
fun:discard=discard
fun:functional=uninstrumented
fun:functional=functional
fun:custom1=uninstrumented
fun:custom1=custom
fun:custom2=uninstrumented
fun:custom2=custom