2012-05-23 01:19:09 +08:00
|
|
|
//===- BoundsChecking.cpp - Instrumentation for run-time bounds checking --===//
|
|
|
|
//
|
2019-01-19 16:50:56 +08:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2012-05-23 01:19:09 +08:00
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
2017-11-14 09:30:04 +08:00
|
|
|
#include "llvm/Transforms/Instrumentation/BoundsChecking.h"
|
2012-12-04 00:50:05 +08:00
|
|
|
#include "llvm/ADT/Statistic.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include "llvm/ADT/Twine.h"
|
2012-12-04 00:50:05 +08:00
|
|
|
#include "llvm/Analysis/MemoryBuiltins.h"
|
2018-07-24 23:21:54 +08:00
|
|
|
#include "llvm/Analysis/ScalarEvolution.h"
|
2014-03-04 19:59:06 +08:00
|
|
|
#include "llvm/Analysis/TargetFolder.h"
|
2015-03-24 03:32:43 +08:00
|
|
|
#include "llvm/Analysis/TargetLibraryInfo.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include "llvm/IR/BasicBlock.h"
|
|
|
|
#include "llvm/IR/Constants.h"
|
2013-01-02 19:36:10 +08:00
|
|
|
#include "llvm/IR/DataLayout.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include "llvm/IR/Function.h"
|
2013-01-02 19:36:10 +08:00
|
|
|
#include "llvm/IR/IRBuilder.h"
|
2014-03-04 18:30:26 +08:00
|
|
|
#include "llvm/IR/InstIterator.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include "llvm/IR/InstrTypes.h"
|
|
|
|
#include "llvm/IR/Instruction.h"
|
|
|
|
#include "llvm/IR/Instructions.h"
|
2013-01-02 19:36:10 +08:00
|
|
|
#include "llvm/IR/Intrinsics.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include "llvm/IR/Value.h"
|
Sink all InitializePasses.h includes
This file lists every pass in LLVM, and is included by Pass.h, which is
very popular. Every time we add, remove, or rename a pass in LLVM, it
caused lots of recompilation.
I found this fact by looking at this table, which is sorted by the
number of times a file was changed over the last 100,000 git commits
multiplied by the number of object files that depend on it in the
current checkout:
recompiles touches affected_files header
342380 95 3604 llvm/include/llvm/ADT/STLExtras.h
314730 234 1345 llvm/include/llvm/InitializePasses.h
307036 118 2602 llvm/include/llvm/ADT/APInt.h
213049 59 3611 llvm/include/llvm/Support/MathExtras.h
170422 47 3626 llvm/include/llvm/Support/Compiler.h
162225 45 3605 llvm/include/llvm/ADT/Optional.h
158319 63 2513 llvm/include/llvm/ADT/Triple.h
140322 39 3598 llvm/include/llvm/ADT/StringRef.h
137647 59 2333 llvm/include/llvm/Support/Error.h
131619 73 1803 llvm/include/llvm/Support/FileSystem.h
Before this change, touching InitializePasses.h would cause 1345 files
to recompile. After this change, touching it only causes 550 compiles in
an incremental rebuild.
Reviewers: bkramer, asbirlea, bollu, jdoerfert
Differential Revision: https://reviews.llvm.org/D70211
2019-11-14 05:15:01 +08:00
|
|
|
#include "llvm/InitializePasses.h"
|
2012-06-29 20:38:19 +08:00
|
|
|
#include "llvm/Pass.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include "llvm/Support/Casting.h"
|
2012-06-01 06:58:48 +08:00
|
|
|
#include "llvm/Support/CommandLine.h"
|
2012-05-23 01:19:09 +08:00
|
|
|
#include "llvm/Support/Debug.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include "llvm/Support/ErrorHandling.h"
|
2012-06-29 20:38:19 +08:00
|
|
|
#include "llvm/Support/raw_ostream.h"
|
2017-10-20 06:07:16 +08:00
|
|
|
#include <cstdint>
|
|
|
|
#include <vector>
|
|
|
|
|
2012-05-23 01:19:09 +08:00
|
|
|
using namespace llvm;
|
|
|
|
|
2014-04-22 10:55:47 +08:00
|
|
|
#define DEBUG_TYPE "bounds-checking"
|
|
|
|
|
2012-06-21 23:59:53 +08:00
|
|
|
static cl::opt<bool> SingleTrapBB("bounds-checking-single-trap",
|
|
|
|
cl::desc("Use one trap block per function"));
|
2012-06-01 06:58:48 +08:00
|
|
|
|
2012-05-23 01:19:09 +08:00
|
|
|
STATISTIC(ChecksAdded, "Bounds checks added");
|
|
|
|
STATISTIC(ChecksSkipped, "Bounds checks skipped");
|
|
|
|
STATISTIC(ChecksUnable, "Bounds checks unable to add");
|
|
|
|
|
2017-10-20 06:07:16 +08:00
|
|
|
using BuilderTy = IRBuilder<TargetFolder>;
|
2012-05-23 01:19:09 +08:00
|
|
|
|
2018-08-04 01:12:23 +08:00
|
|
|
/// Gets the conditions under which memory accessing instructions will overflow.
|
2017-11-14 09:13:59 +08:00
|
|
|
///
|
|
|
|
/// \p Ptr is the pointer that will be read/written, and \p InstVal is either
|
|
|
|
/// the result from the load or the value being stored. It is used to determine
|
|
|
|
/// the size of memory block that is touched.
|
|
|
|
///
|
2018-08-04 01:12:23 +08:00
|
|
|
/// Returns the condition under which the access will overflow.
|
|
|
|
static Value *getBoundsCheckCond(Value *Ptr, Value *InstVal,
|
|
|
|
const DataLayout &DL, TargetLibraryInfo &TLI,
|
|
|
|
ObjectSizeOffsetEvaluator &ObjSizeEval,
|
|
|
|
BuilderTy &IRB, ScalarEvolution &SE) {
|
2015-03-10 10:37:25 +08:00
|
|
|
uint64_t NeededSize = DL.getTypeStoreSize(InstVal->getType());
|
2018-05-14 20:53:11 +08:00
|
|
|
LLVM_DEBUG(dbgs() << "Instrument " << *Ptr << " for " << Twine(NeededSize)
|
|
|
|
<< " bytes\n");
|
2012-05-23 01:19:09 +08:00
|
|
|
|
2017-11-14 09:13:59 +08:00
|
|
|
SizeOffsetEvalType SizeOffset = ObjSizeEval.compute(Ptr);
|
2012-06-02 01:43:31 +08:00
|
|
|
|
2017-11-14 09:13:59 +08:00
|
|
|
if (!ObjSizeEval.bothKnown(SizeOffset)) {
|
2012-05-23 01:19:09 +08:00
|
|
|
++ChecksUnable;
|
2018-08-04 01:12:23 +08:00
|
|
|
return nullptr;
|
2012-05-23 01:19:09 +08:00
|
|
|
}
|
|
|
|
|
2012-06-21 23:59:53 +08:00
|
|
|
Value *Size = SizeOffset.first;
|
|
|
|
Value *Offset = SizeOffset.second;
|
2012-07-04 01:30:18 +08:00
|
|
|
ConstantInt *SizeCI = dyn_cast<ConstantInt>(Size);
|
2012-06-21 23:59:53 +08:00
|
|
|
|
2015-03-10 10:37:25 +08:00
|
|
|
Type *IntTy = DL.getIntPtrType(Ptr->getType());
|
2012-06-21 23:59:53 +08:00
|
|
|
Value *NeededSizeVal = ConstantInt::get(IntTy, NeededSize);
|
|
|
|
|
2018-07-24 23:21:54 +08:00
|
|
|
auto SizeRange = SE.getUnsignedRange(SE.getSCEV(Size));
|
|
|
|
auto OffsetRange = SE.getUnsignedRange(SE.getSCEV(Offset));
|
|
|
|
auto NeededSizeRange = SE.getUnsignedRange(SE.getSCEV(NeededSizeVal));
|
|
|
|
|
2012-06-01 06:45:40 +08:00
|
|
|
// three checks are required to ensure safety:
|
|
|
|
// . Offset >= 0 (since the offset is given from the base ptr)
|
|
|
|
// . Size >= Offset (unsigned)
|
|
|
|
// . Size - Offset >= NeededSize (unsigned)
|
2012-07-04 01:30:18 +08:00
|
|
|
//
|
|
|
|
// optimization: if Size >= 0 (signed), skip 1st check
|
2012-06-01 06:45:40 +08:00
|
|
|
// FIXME: add NSW/NUW here? -- we dont care if the subtraction overflows
|
2017-11-14 09:13:59 +08:00
|
|
|
Value *ObjSize = IRB.CreateSub(Size, Offset);
|
2018-07-24 23:21:54 +08:00
|
|
|
Value *Cmp2 = SizeRange.getUnsignedMin().uge(OffsetRange.getUnsignedMax())
|
|
|
|
? ConstantInt::getFalse(Ptr->getContext())
|
|
|
|
: IRB.CreateICmpULT(Size, Offset);
|
|
|
|
Value *Cmp3 = SizeRange.sub(OffsetRange)
|
|
|
|
.getUnsignedMin()
|
|
|
|
.uge(NeededSizeRange.getUnsignedMax())
|
|
|
|
? ConstantInt::getFalse(Ptr->getContext())
|
|
|
|
: IRB.CreateICmpULT(ObjSize, NeededSizeVal);
|
2017-11-14 09:13:59 +08:00
|
|
|
Value *Or = IRB.CreateOr(Cmp2, Cmp3);
|
2018-07-24 23:21:54 +08:00
|
|
|
if ((!SizeCI || SizeCI->getValue().slt(0)) &&
|
|
|
|
!SizeRange.getSignedMin().isNonNegative()) {
|
2017-11-14 09:13:59 +08:00
|
|
|
Value *Cmp1 = IRB.CreateICmpSLT(Offset, ConstantInt::get(IntTy, 0));
|
|
|
|
Or = IRB.CreateOr(Cmp1, Or);
|
2012-07-04 01:30:18 +08:00
|
|
|
}
|
2012-05-23 01:19:09 +08:00
|
|
|
|
2018-08-04 01:12:23 +08:00
|
|
|
return Or;
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Adds run-time bounds checks to memory accessing instructions.
|
|
|
|
///
|
|
|
|
/// \p Or is the condition that should guard the trap.
|
|
|
|
///
|
|
|
|
/// \p GetTrapBB is a callable that returns the trap BB to use on failure.
|
|
|
|
template <typename GetTrapBBT>
|
2020-02-17 00:57:18 +08:00
|
|
|
static void insertBoundsCheck(Value *Or, BuilderTy &IRB, GetTrapBBT GetTrapBB) {
|
2017-10-19 06:42:36 +08:00
|
|
|
// check if the comparison is always false
|
|
|
|
ConstantInt *C = dyn_cast_or_null<ConstantInt>(Or);
|
|
|
|
if (C) {
|
|
|
|
++ChecksSkipped;
|
|
|
|
// If non-zero, nothing to do.
|
|
|
|
if (!C->getZExtValue())
|
2018-08-04 01:12:23 +08:00
|
|
|
return;
|
2017-10-19 06:42:36 +08:00
|
|
|
}
|
|
|
|
++ChecksAdded;
|
|
|
|
|
2017-11-14 09:13:59 +08:00
|
|
|
BasicBlock::iterator SplitI = IRB.GetInsertPoint();
|
2017-10-19 06:42:36 +08:00
|
|
|
BasicBlock *OldBB = SplitI->getParent();
|
|
|
|
BasicBlock *Cont = OldBB->splitBasicBlock(SplitI);
|
|
|
|
OldBB->getTerminator()->eraseFromParent();
|
|
|
|
|
|
|
|
if (C) {
|
|
|
|
// If we have a constant zero, unconditionally branch.
|
|
|
|
// FIXME: We should really handle this differently to bypass the splitting
|
|
|
|
// the block.
|
2017-11-14 09:13:59 +08:00
|
|
|
BranchInst::Create(GetTrapBB(IRB), OldBB);
|
2018-08-04 01:12:23 +08:00
|
|
|
return;
|
2017-10-19 06:42:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// Create the conditional branch.
|
2017-11-14 09:13:59 +08:00
|
|
|
BranchInst::Create(GetTrapBB(IRB), Cont, Or, OldBB);
|
2012-05-23 01:19:09 +08:00
|
|
|
}
|
|
|
|
|
2018-07-24 23:21:54 +08:00
|
|
|
static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI,
|
|
|
|
ScalarEvolution &SE) {
|
2015-03-10 10:37:25 +08:00
|
|
|
const DataLayout &DL = F.getParent()->getDataLayout();
|
2019-01-31 04:34:35 +08:00
|
|
|
ObjectSizeOpts EvalOpts;
|
|
|
|
EvalOpts.RoundToAlign = true;
|
|
|
|
ObjectSizeOffsetEvaluator ObjSizeEval(DL, &TLI, F.getContext(), EvalOpts);
|
2012-05-23 01:19:09 +08:00
|
|
|
|
|
|
|
// check HANDLE_MEMORY_INST in include/llvm/Instruction.def for memory
|
|
|
|
// touching instructions
|
2018-08-04 01:12:23 +08:00
|
|
|
SmallVector<std::pair<Instruction *, Value *>, 4> TrapInfo;
|
2017-11-14 09:13:59 +08:00
|
|
|
for (Instruction &I : instructions(F)) {
|
2018-08-04 01:12:23 +08:00
|
|
|
Value *Or = nullptr;
|
|
|
|
BuilderTy IRB(I.getParent(), BasicBlock::iterator(&I), TargetFolder(DL));
|
|
|
|
if (LoadInst *LI = dyn_cast<LoadInst>(&I)) {
|
2020-04-22 10:22:00 +08:00
|
|
|
if (!LI->isVolatile())
|
|
|
|
Or = getBoundsCheckCond(LI->getPointerOperand(), LI, DL, TLI,
|
|
|
|
ObjSizeEval, IRB, SE);
|
2018-08-04 01:12:23 +08:00
|
|
|
} else if (StoreInst *SI = dyn_cast<StoreInst>(&I)) {
|
2020-04-22 10:22:00 +08:00
|
|
|
if (!SI->isVolatile())
|
|
|
|
Or = getBoundsCheckCond(SI->getPointerOperand(), SI->getValueOperand(),
|
|
|
|
DL, TLI, ObjSizeEval, IRB, SE);
|
2018-08-04 01:12:23 +08:00
|
|
|
} else if (AtomicCmpXchgInst *AI = dyn_cast<AtomicCmpXchgInst>(&I)) {
|
2020-04-22 10:22:00 +08:00
|
|
|
if (!AI->isVolatile())
|
|
|
|
Or =
|
|
|
|
getBoundsCheckCond(AI->getPointerOperand(), AI->getCompareOperand(),
|
|
|
|
DL, TLI, ObjSizeEval, IRB, SE);
|
2018-08-04 01:12:23 +08:00
|
|
|
} else if (AtomicRMWInst *AI = dyn_cast<AtomicRMWInst>(&I)) {
|
2020-04-22 10:22:00 +08:00
|
|
|
if (!AI->isVolatile())
|
|
|
|
Or = getBoundsCheckCond(AI->getPointerOperand(), AI->getValOperand(),
|
|
|
|
DL, TLI, ObjSizeEval, IRB, SE);
|
2018-08-04 01:12:23 +08:00
|
|
|
}
|
|
|
|
if (Or)
|
|
|
|
TrapInfo.push_back(std::make_pair(&I, Or));
|
2012-05-23 01:19:09 +08:00
|
|
|
}
|
|
|
|
|
2017-11-14 09:13:59 +08:00
|
|
|
// Create a trapping basic block on demand using a callback. Depending on
|
|
|
|
// flags, this will either create a single block for the entire function or
|
|
|
|
// will create a fresh block every time it is called.
|
|
|
|
BasicBlock *TrapBB = nullptr;
|
|
|
|
auto GetTrapBB = [&TrapBB](BuilderTy &IRB) {
|
|
|
|
if (TrapBB && SingleTrapBB)
|
|
|
|
return TrapBB;
|
|
|
|
|
|
|
|
Function *Fn = IRB.GetInsertBlock()->getParent();
|
|
|
|
// FIXME: This debug location doesn't make a lot of sense in the
|
|
|
|
// `SingleTrapBB` case.
|
|
|
|
auto DebugLoc = IRB.getCurrentDebugLocation();
|
|
|
|
IRBuilder<>::InsertPointGuard Guard(IRB);
|
|
|
|
TrapBB = BasicBlock::Create(Fn->getContext(), "trap", Fn);
|
|
|
|
IRB.SetInsertPoint(TrapBB);
|
|
|
|
|
|
|
|
auto *F = Intrinsic::getDeclaration(Fn->getParent(), Intrinsic::trap);
|
|
|
|
CallInst *TrapCall = IRB.CreateCall(F, {});
|
|
|
|
TrapCall->setDoesNotReturn();
|
|
|
|
TrapCall->setDoesNotThrow();
|
|
|
|
TrapCall->setDebugLoc(DebugLoc);
|
|
|
|
IRB.CreateUnreachable();
|
2012-05-23 01:19:09 +08:00
|
|
|
|
2017-11-14 09:13:59 +08:00
|
|
|
return TrapBB;
|
|
|
|
};
|
|
|
|
|
2018-08-04 01:12:23 +08:00
|
|
|
// Add the checks.
|
|
|
|
for (const auto &Entry : TrapInfo) {
|
|
|
|
Instruction *Inst = Entry.first;
|
2017-11-14 09:13:59 +08:00
|
|
|
BuilderTy IRB(Inst->getParent(), BasicBlock::iterator(Inst), TargetFolder(DL));
|
2018-08-04 01:12:23 +08:00
|
|
|
insertBoundsCheck(Entry.second, IRB, GetTrapBB);
|
2012-05-23 01:19:09 +08:00
|
|
|
}
|
2018-08-04 01:12:23 +08:00
|
|
|
|
|
|
|
return !TrapInfo.empty();
|
2012-05-23 01:19:09 +08:00
|
|
|
}
|
|
|
|
|
2017-11-14 09:30:04 +08:00
|
|
|
PreservedAnalyses BoundsCheckingPass::run(Function &F, FunctionAnalysisManager &AM) {
|
|
|
|
auto &TLI = AM.getResult<TargetLibraryAnalysis>(F);
|
2018-07-24 23:21:54 +08:00
|
|
|
auto &SE = AM.getResult<ScalarEvolutionAnalysis>(F);
|
2017-11-14 09:30:04 +08:00
|
|
|
|
2018-07-24 23:21:54 +08:00
|
|
|
if (!addBoundsChecking(F, TLI, SE))
|
2017-11-14 09:30:04 +08:00
|
|
|
return PreservedAnalyses::all();
|
|
|
|
|
|
|
|
return PreservedAnalyses::none();
|
|
|
|
}
|
|
|
|
|
|
|
|
namespace {
|
|
|
|
struct BoundsCheckingLegacyPass : public FunctionPass {
|
|
|
|
static char ID;
|
|
|
|
|
|
|
|
BoundsCheckingLegacyPass() : FunctionPass(ID) {
|
|
|
|
initializeBoundsCheckingLegacyPassPass(*PassRegistry::getPassRegistry());
|
|
|
|
}
|
|
|
|
|
|
|
|
bool runOnFunction(Function &F) override {
|
Change TargetLibraryInfo analysis passes to always require Function
Summary:
This is the first change to enable the TLI to be built per-function so
that -fno-builtin* handling can be migrated to use function attributes.
See discussion on D61634 for background. This is an enabler for fixing
handling of these options for LTO, for example.
This change should not affect behavior, as the provided function is not
yet used to build a specifically per-function TLI, but rather enables
that migration.
Most of the changes were very mechanical, e.g. passing a Function to the
legacy analysis pass's getTLI interface, or in Module level cases,
adding a callback. This is similar to the way the per-function TTI
analysis works.
There was one place where we were looking for builtins but not in the
context of a specific function. See FindCXAAtExit in
lib/Transforms/IPO/GlobalOpt.cpp. I'm somewhat concerned my workaround
could provide the wrong behavior in some corner cases. Suggestions
welcome.
Reviewers: chandlerc, hfinkel
Subscribers: arsenm, dschuff, jvesely, nhaehnle, mehdi_amini, javed.absar, sbc100, jgravelle-google, eraman, aheejin, steven_wu, george.burgess.iv, dexonsmith, jfb, asbirlea, gchatelet, llvm-commits
Tags: #llvm
Differential Revision: https://reviews.llvm.org/D66428
llvm-svn: 371284
2019-09-07 11:09:36 +08:00
|
|
|
auto &TLI = getAnalysis<TargetLibraryInfoWrapperPass>().getTLI(F);
|
2018-07-24 23:21:54 +08:00
|
|
|
auto &SE = getAnalysis<ScalarEvolutionWrapperPass>().getSE();
|
|
|
|
return addBoundsChecking(F, TLI, SE);
|
2017-11-14 09:30:04 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void getAnalysisUsage(AnalysisUsage &AU) const override {
|
|
|
|
AU.addRequired<TargetLibraryInfoWrapperPass>();
|
2018-07-24 23:21:54 +08:00
|
|
|
AU.addRequired<ScalarEvolutionWrapperPass>();
|
2017-11-14 09:30:04 +08:00
|
|
|
}
|
|
|
|
};
|
|
|
|
} // namespace
|
|
|
|
|
|
|
|
char BoundsCheckingLegacyPass::ID = 0;
|
|
|
|
INITIALIZE_PASS_BEGIN(BoundsCheckingLegacyPass, "bounds-checking",
|
|
|
|
"Run-time bounds checking", false, false)
|
|
|
|
INITIALIZE_PASS_DEPENDENCY(TargetLibraryInfoWrapperPass)
|
|
|
|
INITIALIZE_PASS_END(BoundsCheckingLegacyPass, "bounds-checking",
|
|
|
|
"Run-time bounds checking", false, false)
|
|
|
|
|
|
|
|
FunctionPass *llvm::createBoundsCheckingLegacyPass() {
|
|
|
|
return new BoundsCheckingLegacyPass();
|
2012-05-23 01:19:09 +08:00
|
|
|
}
|