2014-11-12 06:14:37 +08:00
|
|
|
//===-- SanitizerCoverage.cpp - coverage instrumentation for sanitizers ---===//
|
|
|
|
|
//
|
2019-01-19 16:50:56 +08:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2014-11-12 06:14:37 +08:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
//
|
2017-06-01 02:27:33 +08:00
|
|
|
// Coverage instrumentation done on LLVM IR level, works with Sanitizers.
|
2014-11-12 06:14:37 +08:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
2019-07-26 04:53:15 +08:00
|
|
|
#include "llvm/Transforms/Instrumentation/SanitizerCoverage.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/ADT/ArrayRef.h"
|
|
|
|
|
#include "llvm/ADT/SmallVector.h"
|
2015-12-03 07:06:39 +08:00
|
|
|
#include "llvm/Analysis/EHPersonalities.h"
|
2017-05-24 08:29:12 +08:00
|
|
|
#include "llvm/Analysis/PostDominators.h"
|
2016-02-26 09:17:22 +08:00
|
|
|
#include "llvm/IR/CFG.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/IR/CallSite.h"
|
2017-08-19 02:43:30 +08:00
|
|
|
#include "llvm/IR/Constant.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/IR/DataLayout.h"
|
2015-06-12 09:48:47 +08:00
|
|
|
#include "llvm/IR/DebugInfo.h"
|
2016-02-26 09:17:22 +08:00
|
|
|
#include "llvm/IR/Dominators.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/IR/Function.h"
|
2017-08-19 02:43:30 +08:00
|
|
|
#include "llvm/IR/GlobalVariable.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/IR/IRBuilder.h"
|
2014-12-17 05:24:15 +08:00
|
|
|
#include "llvm/IR/InlineAsm.h"
|
2017-08-31 06:49:31 +08:00
|
|
|
#include "llvm/IR/IntrinsicInst.h"
|
2017-08-19 02:43:30 +08:00
|
|
|
#include "llvm/IR/Intrinsics.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/IR/LLVMContext.h"
|
|
|
|
|
#include "llvm/IR/MDBuilder.h"
|
2018-10-13 02:11:47 +08:00
|
|
|
#include "llvm/IR/Mangler.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/IR/Module.h"
|
|
|
|
|
#include "llvm/IR/Type.h"
|
|
|
|
|
#include "llvm/Support/CommandLine.h"
|
|
|
|
|
#include "llvm/Support/Debug.h"
|
|
|
|
|
#include "llvm/Support/raw_ostream.h"
|
2016-02-26 09:17:22 +08:00
|
|
|
#include "llvm/Transforms/Instrumentation.h"
|
2014-11-12 06:14:37 +08:00
|
|
|
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
|
|
|
|
|
#include "llvm/Transforms/Utils/ModuleUtils.h"
|
|
|
|
|
|
|
|
|
|
using namespace llvm;
|
|
|
|
|
|
|
|
|
|
#define DEBUG_TYPE "sancov"
|
|
|
|
|
|
2016-03-19 07:29:29 +08:00
|
|
|
static const char *const SanCovTracePCIndirName =
|
|
|
|
|
"__sanitizer_cov_trace_pc_indir";
|
|
|
|
|
static const char *const SanCovTracePCName = "__sanitizer_cov_trace_pc";
|
2016-08-18 09:25:28 +08:00
|
|
|
static const char *const SanCovTraceCmp1 = "__sanitizer_cov_trace_cmp1";
|
|
|
|
|
static const char *const SanCovTraceCmp2 = "__sanitizer_cov_trace_cmp2";
|
|
|
|
|
static const char *const SanCovTraceCmp4 = "__sanitizer_cov_trace_cmp4";
|
|
|
|
|
static const char *const SanCovTraceCmp8 = "__sanitizer_cov_trace_cmp8";
|
2017-08-29 07:38:12 +08:00
|
|
|
static const char *const SanCovTraceConstCmp1 =
|
2017-08-10 23:00:13 +08:00
|
|
|
"__sanitizer_cov_trace_const_cmp1";
|
2017-08-29 07:38:12 +08:00
|
|
|
static const char *const SanCovTraceConstCmp2 =
|
2017-08-10 23:00:13 +08:00
|
|
|
"__sanitizer_cov_trace_const_cmp2";
|
2017-08-29 07:38:12 +08:00
|
|
|
static const char *const SanCovTraceConstCmp4 =
|
2017-08-10 23:00:13 +08:00
|
|
|
"__sanitizer_cov_trace_const_cmp4";
|
2017-08-29 07:38:12 +08:00
|
|
|
static const char *const SanCovTraceConstCmp8 =
|
2017-08-10 23:00:13 +08:00
|
|
|
"__sanitizer_cov_trace_const_cmp8";
|
2016-08-30 09:12:10 +08:00
|
|
|
static const char *const SanCovTraceDiv4 = "__sanitizer_cov_trace_div4";
|
|
|
|
|
static const char *const SanCovTraceDiv8 = "__sanitizer_cov_trace_div8";
|
|
|
|
|
static const char *const SanCovTraceGep = "__sanitizer_cov_trace_gep";
|
2016-03-19 07:29:29 +08:00
|
|
|
static const char *const SanCovTraceSwitchName = "__sanitizer_cov_trace_switch";
|
2019-05-07 09:39:37 +08:00
|
|
|
static const char *const SanCovModuleCtorTracePcGuardName =
|
|
|
|
|
"sancov.module_ctor_trace_pc_guard";
|
|
|
|
|
static const char *const SanCovModuleCtor8bitCountersName =
|
|
|
|
|
"sancov.module_ctor_8bit_counters";
|
2016-03-19 07:29:29 +08:00
|
|
|
static const uint64_t SanCtorAndDtorPriority = 2;
|
|
|
|
|
|
2016-09-14 09:39:35 +08:00
|
|
|
static const char *const SanCovTracePCGuardName =
|
|
|
|
|
"__sanitizer_cov_trace_pc_guard";
|
|
|
|
|
static const char *const SanCovTracePCGuardInitName =
|
|
|
|
|
"__sanitizer_cov_trace_pc_guard_init";
|
2017-07-28 07:36:49 +08:00
|
|
|
static const char *const SanCov8bitCountersInitName =
|
2017-06-09 06:58:19 +08:00
|
|
|
"__sanitizer_cov_8bit_counters_init";
|
2017-07-28 07:36:49 +08:00
|
|
|
static const char *const SanCovPCsInitName = "__sanitizer_cov_pcs_init";
|
2016-09-14 09:39:35 +08:00
|
|
|
|
2017-06-03 07:13:44 +08:00
|
|
|
static const char *const SanCovGuardsSectionName = "sancov_guards";
|
2017-06-15 07:40:25 +08:00
|
|
|
static const char *const SanCovCountersSectionName = "sancov_cntrs";
|
2017-07-28 07:36:49 +08:00
|
|
|
static const char *const SanCovPCsSectionName = "sancov_pcs";
|
2017-06-03 07:13:44 +08:00
|
|
|
|
2017-08-19 02:43:30 +08:00
|
|
|
static const char *const SanCovLowestStackName = "__sancov_lowest_stack";
|
|
|
|
|
|
2016-03-19 07:29:29 +08:00
|
|
|
static cl::opt<int> ClCoverageLevel(
|
|
|
|
|
"sanitizer-coverage-level",
|
|
|
|
|
cl::desc("Sanitizer Coverage. 0: none, 1: entry block, 2: all blocks, "
|
2017-04-20 06:42:11 +08:00
|
|
|
"3: all blocks and critical edges"),
|
2016-03-19 07:29:29 +08:00
|
|
|
cl::Hidden, cl::init(0));
|
2014-11-12 06:14:37 +08:00
|
|
|
|
2017-06-09 06:58:19 +08:00
|
|
|
static cl::opt<bool> ClTracePC("sanitizer-coverage-trace-pc",
|
|
|
|
|
cl::desc("Experimental pc tracing"), cl::Hidden,
|
|
|
|
|
cl::init(false));
|
2016-02-18 05:34:43 +08:00
|
|
|
|
2016-09-14 09:39:35 +08:00
|
|
|
static cl::opt<bool> ClTracePCGuard("sanitizer-coverage-trace-pc-guard",
|
|
|
|
|
cl::desc("pc tracing with a guard"),
|
|
|
|
|
cl::Hidden, cl::init(false));
|
|
|
|
|
|
2017-07-28 07:36:49 +08:00
|
|
|
// If true, we create a global variable that contains PCs of all instrumented
|
|
|
|
|
// BBs, put this global into a named section, and pass this section's bounds
|
|
|
|
|
// to __sanitizer_cov_pcs_init.
|
|
|
|
|
// This way the coverage instrumentation does not need to acquire the PCs
|
|
|
|
|
// at run-time. Works with trace-pc-guard and inline-8bit-counters.
|
2017-07-28 08:09:29 +08:00
|
|
|
static cl::opt<bool> ClCreatePCTable("sanitizer-coverage-pc-table",
|
2017-07-28 07:36:49 +08:00
|
|
|
cl::desc("create a static PC table"),
|
|
|
|
|
cl::Hidden, cl::init(false));
|
|
|
|
|
|
|
|
|
|
static cl::opt<bool>
|
|
|
|
|
ClInline8bitCounters("sanitizer-coverage-inline-8bit-counters",
|
|
|
|
|
cl::desc("increments 8-bit counter for every edge"),
|
|
|
|
|
cl::Hidden, cl::init(false));
|
2017-06-09 06:58:19 +08:00
|
|
|
|
2015-03-21 09:29:36 +08:00
|
|
|
static cl::opt<bool>
|
2016-08-30 09:12:10 +08:00
|
|
|
ClCMPTracing("sanitizer-coverage-trace-compares",
|
|
|
|
|
cl::desc("Tracing of CMP and similar instructions"),
|
|
|
|
|
cl::Hidden, cl::init(false));
|
|
|
|
|
|
|
|
|
|
static cl::opt<bool> ClDIVTracing("sanitizer-coverage-trace-divs",
|
|
|
|
|
cl::desc("Tracing of DIV instructions"),
|
|
|
|
|
cl::Hidden, cl::init(false));
|
|
|
|
|
|
|
|
|
|
static cl::opt<bool> ClGEPTracing("sanitizer-coverage-trace-geps",
|
|
|
|
|
cl::desc("Tracing of GEP instructions"),
|
|
|
|
|
cl::Hidden, cl::init(false));
|
2015-03-21 09:29:36 +08:00
|
|
|
|
2016-04-07 07:24:37 +08:00
|
|
|
static cl::opt<bool>
|
|
|
|
|
ClPruneBlocks("sanitizer-coverage-prune-blocks",
|
|
|
|
|
cl::desc("Reduce the number of instrumented blocks"),
|
|
|
|
|
cl::Hidden, cl::init(true));
|
2016-02-26 09:17:22 +08:00
|
|
|
|
2017-08-19 02:43:30 +08:00
|
|
|
static cl::opt<bool> ClStackDepth("sanitizer-coverage-stack-depth",
|
|
|
|
|
cl::desc("max stack depth tracing"),
|
|
|
|
|
cl::Hidden, cl::init(false));
|
|
|
|
|
|
2014-11-12 06:14:37 +08:00
|
|
|
namespace {
|
|
|
|
|
|
2015-05-07 09:00:31 +08:00
|
|
|
SanitizerCoverageOptions getOptions(int LegacyCoverageLevel) {
|
|
|
|
|
SanitizerCoverageOptions Res;
|
|
|
|
|
switch (LegacyCoverageLevel) {
|
|
|
|
|
case 0:
|
|
|
|
|
Res.CoverageType = SanitizerCoverageOptions::SCK_None;
|
|
|
|
|
break;
|
|
|
|
|
case 1:
|
|
|
|
|
Res.CoverageType = SanitizerCoverageOptions::SCK_Function;
|
|
|
|
|
break;
|
|
|
|
|
case 2:
|
|
|
|
|
Res.CoverageType = SanitizerCoverageOptions::SCK_BB;
|
|
|
|
|
break;
|
|
|
|
|
case 3:
|
|
|
|
|
Res.CoverageType = SanitizerCoverageOptions::SCK_Edge;
|
|
|
|
|
break;
|
|
|
|
|
case 4:
|
|
|
|
|
Res.CoverageType = SanitizerCoverageOptions::SCK_Edge;
|
|
|
|
|
Res.IndirectCalls = true;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return Res;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SanitizerCoverageOptions OverrideFromCL(SanitizerCoverageOptions Options) {
|
|
|
|
|
// Sets CoverageType and IndirectCalls.
|
|
|
|
|
SanitizerCoverageOptions CLOpts = getOptions(ClCoverageLevel);
|
|
|
|
|
Options.CoverageType = std::max(Options.CoverageType, CLOpts.CoverageType);
|
|
|
|
|
Options.IndirectCalls |= CLOpts.IndirectCalls;
|
2016-08-30 09:12:10 +08:00
|
|
|
Options.TraceCmp |= ClCMPTracing;
|
|
|
|
|
Options.TraceDiv |= ClDIVTracing;
|
|
|
|
|
Options.TraceGep |= ClGEPTracing;
|
2017-06-09 06:58:19 +08:00
|
|
|
Options.TracePC |= ClTracePC;
|
2016-09-14 09:39:35 +08:00
|
|
|
Options.TracePCGuard |= ClTracePCGuard;
|
2017-06-09 06:58:19 +08:00
|
|
|
Options.Inline8bitCounters |= ClInline8bitCounters;
|
2017-07-28 08:09:29 +08:00
|
|
|
Options.PCTable |= ClCreatePCTable;
|
2017-05-06 07:14:40 +08:00
|
|
|
Options.NoPrune |= !ClPruneBlocks;
|
2017-08-19 02:43:30 +08:00
|
|
|
Options.StackDepth |= ClStackDepth;
|
|
|
|
|
if (!Options.TracePCGuard && !Options.TracePC &&
|
|
|
|
|
!Options.Inline8bitCounters && !Options.StackDepth)
|
|
|
|
|
Options.TracePCGuard = true; // TracePCGuard is default.
|
2015-05-07 09:00:31 +08:00
|
|
|
return Options;
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
using DomTreeCallback = function_ref<const DominatorTree *(Function &F)>;
|
|
|
|
|
using PostDomTreeCallback =
|
|
|
|
|
function_ref<const PostDominatorTree *(Function &F)>;
|
2019-07-26 04:53:15 +08:00
|
|
|
|
|
|
|
|
class ModuleSanitizerCoverage {
|
|
|
|
|
public:
|
2019-09-05 04:30:29 +08:00
|
|
|
ModuleSanitizerCoverage(
|
|
|
|
|
const SanitizerCoverageOptions &Options = SanitizerCoverageOptions())
|
2019-07-26 04:53:15 +08:00
|
|
|
: Options(OverrideFromCL(Options)) {}
|
2019-09-05 04:30:29 +08:00
|
|
|
bool instrumentModule(Module &M, DomTreeCallback DTCallback,
|
|
|
|
|
PostDomTreeCallback PDTCallback);
|
2019-07-26 04:53:15 +08:00
|
|
|
|
|
|
|
|
private:
|
2019-09-05 04:30:29 +08:00
|
|
|
void instrumentFunction(Function &F, DomTreeCallback DTCallback,
|
|
|
|
|
PostDomTreeCallback PDTCallback);
|
2014-11-12 06:14:37 +08:00
|
|
|
void InjectCoverageForIndirectCalls(Function &F,
|
|
|
|
|
ArrayRef<Instruction *> IndirCalls);
|
2015-03-21 09:29:36 +08:00
|
|
|
void InjectTraceForCmp(Function &F, ArrayRef<Instruction *> CmpTraceTargets);
|
2016-08-30 09:12:10 +08:00
|
|
|
void InjectTraceForDiv(Function &F,
|
|
|
|
|
ArrayRef<BinaryOperator *> DivTraceTargets);
|
|
|
|
|
void InjectTraceForGep(Function &F,
|
|
|
|
|
ArrayRef<GetElementPtrInst *> GepTraceTargets);
|
2015-07-31 09:33:06 +08:00
|
|
|
void InjectTraceForSwitch(Function &F,
|
|
|
|
|
ArrayRef<Instruction *> SwitchTraceTargets);
|
2017-08-31 06:49:31 +08:00
|
|
|
bool InjectCoverage(Function &F, ArrayRef<BasicBlock *> AllBlocks,
|
|
|
|
|
bool IsLeafFunc = true);
|
2017-06-03 07:13:44 +08:00
|
|
|
GlobalVariable *CreateFunctionLocalArrayInSection(size_t NumElements,
|
|
|
|
|
Function &F, Type *Ty,
|
|
|
|
|
const char *Section);
|
2017-08-29 07:46:11 +08:00
|
|
|
GlobalVariable *CreatePCArray(Function &F, ArrayRef<BasicBlock *> AllBlocks);
|
2017-07-28 07:36:49 +08:00
|
|
|
void CreateFunctionLocalArrays(Function &F, ArrayRef<BasicBlock *> AllBlocks);
|
2017-08-31 06:49:31 +08:00
|
|
|
void InjectCoverageAtBlock(Function &F, BasicBlock &BB, size_t Idx,
|
|
|
|
|
bool IsLeafFunc = true);
|
2019-09-05 04:30:29 +08:00
|
|
|
Function *CreateInitCallsForSections(Module &M, const char *CtorName,
|
|
|
|
|
const char *InitFunctionName, Type *Ty,
|
|
|
|
|
const char *Section);
|
|
|
|
|
std::pair<Value *, Value *> CreateSecStartEnd(Module &M, const char *Section,
|
|
|
|
|
Type *Ty);
|
2017-06-03 07:13:44 +08:00
|
|
|
|
2017-06-09 06:58:19 +08:00
|
|
|
void SetNoSanitizeMetadata(Instruction *I) {
|
|
|
|
|
I->setMetadata(I->getModule()->getMDKindID("nosanitize"),
|
|
|
|
|
MDNode::get(*C, None));
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-03 07:13:44 +08:00
|
|
|
std::string getSectionName(const std::string &Section) const;
|
2019-07-16 07:18:31 +08:00
|
|
|
std::string getSectionStart(const std::string &Section) const;
|
|
|
|
|
std::string getSectionEnd(const std::string &Section) const;
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
FunctionCallee SanCovTracePCIndir;
|
|
|
|
|
FunctionCallee SanCovTracePC, SanCovTracePCGuard;
|
|
|
|
|
FunctionCallee SanCovTraceCmpFunction[4];
|
|
|
|
|
FunctionCallee SanCovTraceConstCmpFunction[4];
|
|
|
|
|
FunctionCallee SanCovTraceDivFunction[2];
|
|
|
|
|
FunctionCallee SanCovTraceGepFunction;
|
|
|
|
|
FunctionCallee SanCovTraceSwitchFunction;
|
2017-08-19 02:43:30 +08:00
|
|
|
GlobalVariable *SanCovLowestStack;
|
2014-12-17 05:24:15 +08:00
|
|
|
InlineAsm *EmptyAsm;
|
2017-06-09 06:58:19 +08:00
|
|
|
Type *IntptrTy, *IntptrPtrTy, *Int64Ty, *Int64PtrTy, *Int32Ty, *Int32PtrTy,
|
2017-08-10 23:00:13 +08:00
|
|
|
*Int16Ty, *Int8Ty, *Int8PtrTy;
|
2015-07-31 09:33:06 +08:00
|
|
|
Module *CurModule;
|
2018-09-14 05:45:55 +08:00
|
|
|
std::string CurModuleUniqueId;
|
2017-02-03 09:08:06 +08:00
|
|
|
Triple TargetTriple;
|
2014-11-12 06:14:37 +08:00
|
|
|
LLVMContext *C;
|
2015-03-21 09:29:36 +08:00
|
|
|
const DataLayout *DL;
|
2014-11-12 06:14:37 +08:00
|
|
|
|
2016-09-30 01:43:24 +08:00
|
|
|
GlobalVariable *FunctionGuardArray; // for trace-pc-guard.
|
2017-06-09 06:58:19 +08:00
|
|
|
GlobalVariable *Function8bitCounterArray; // for inline-8bit-counters.
|
2017-07-28 08:09:29 +08:00
|
|
|
GlobalVariable *FunctionPCsArray; // for pc-table.
|
2017-09-09 13:30:13 +08:00
|
|
|
SmallVector<GlobalValue *, 20> GlobalsToAppendToUsed;
|
2018-06-16 04:12:58 +08:00
|
|
|
SmallVector<GlobalValue *, 20> GlobalsToAppendToCompilerUsed;
|
2014-12-24 06:32:17 +08:00
|
|
|
|
2015-05-07 09:00:31 +08:00
|
|
|
SanitizerCoverageOptions Options;
|
2014-11-12 06:14:37 +08:00
|
|
|
};
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
class ModuleSanitizerCoverageLegacyPass : public ModulePass {
|
2019-07-26 04:53:15 +08:00
|
|
|
public:
|
2019-09-05 04:30:29 +08:00
|
|
|
ModuleSanitizerCoverageLegacyPass(
|
|
|
|
|
const SanitizerCoverageOptions &Options = SanitizerCoverageOptions())
|
|
|
|
|
: ModulePass(ID), Options(Options) {
|
|
|
|
|
initializeModuleSanitizerCoverageLegacyPassPass(
|
|
|
|
|
*PassRegistry::getPassRegistry());
|
2019-07-26 04:53:15 +08:00
|
|
|
}
|
2019-09-05 04:30:29 +08:00
|
|
|
bool runOnModule(Module &M) override {
|
|
|
|
|
ModuleSanitizerCoverage ModuleSancov(Options);
|
|
|
|
|
auto DTCallback = [this](Function &F) -> const DominatorTree * {
|
|
|
|
|
return &this->getAnalysis<DominatorTreeWrapperPass>(F).getDomTree();
|
|
|
|
|
};
|
|
|
|
|
auto PDTCallback = [this](Function &F) -> const PostDominatorTree * {
|
|
|
|
|
return &this->getAnalysis<PostDominatorTreeWrapperPass>(F)
|
|
|
|
|
.getPostDomTree();
|
|
|
|
|
};
|
|
|
|
|
return ModuleSancov.instrumentModule(M, DTCallback, PDTCallback);
|
2019-07-26 04:53:15 +08:00
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
static char ID; // Pass identification, replacement for typeid
|
|
|
|
|
StringRef getPassName() const override { return "ModuleSanitizerCoverage"; }
|
2019-07-26 04:53:15 +08:00
|
|
|
|
|
|
|
|
void getAnalysisUsage(AnalysisUsage &AU) const override {
|
|
|
|
|
AU.addRequired<DominatorTreeWrapperPass>();
|
|
|
|
|
AU.addRequired<PostDominatorTreeWrapperPass>();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private:
|
|
|
|
|
SanitizerCoverageOptions Options;
|
|
|
|
|
};
|
|
|
|
|
|
2016-03-19 07:29:29 +08:00
|
|
|
} // namespace
|
2014-11-12 06:14:37 +08:00
|
|
|
|
2019-07-26 04:53:15 +08:00
|
|
|
PreservedAnalyses ModuleSanitizerCoveragePass::run(Module &M,
|
2019-09-05 04:30:29 +08:00
|
|
|
ModuleAnalysisManager &MAM) {
|
2019-07-26 04:53:15 +08:00
|
|
|
ModuleSanitizerCoverage ModuleSancov(Options);
|
2019-09-05 04:30:29 +08:00
|
|
|
auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
|
|
|
|
|
auto DTCallback = [&FAM](Function &F) -> const DominatorTree * {
|
|
|
|
|
return &FAM.getResult<DominatorTreeAnalysis>(F);
|
|
|
|
|
};
|
|
|
|
|
auto PDTCallback = [&FAM](Function &F) -> const PostDominatorTree * {
|
|
|
|
|
return &FAM.getResult<PostDominatorTreeAnalysis>(F);
|
|
|
|
|
};
|
|
|
|
|
if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
|
2019-07-26 04:53:15 +08:00
|
|
|
return PreservedAnalyses::none();
|
|
|
|
|
return PreservedAnalyses::all();
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-17 07:43:57 +08:00
|
|
|
std::pair<Value *, Value *>
|
2019-07-26 04:53:15 +08:00
|
|
|
ModuleSanitizerCoverage::CreateSecStartEnd(Module &M, const char *Section,
|
2017-07-28 07:36:49 +08:00
|
|
|
Type *Ty) {
|
2017-06-03 07:13:44 +08:00
|
|
|
GlobalVariable *SecStart =
|
|
|
|
|
new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage, nullptr,
|
|
|
|
|
getSectionStart(Section));
|
|
|
|
|
SecStart->setVisibility(GlobalValue::HiddenVisibility);
|
|
|
|
|
GlobalVariable *SecEnd =
|
|
|
|
|
new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage,
|
|
|
|
|
nullptr, getSectionEnd(Section));
|
|
|
|
|
SecEnd->setVisibility(GlobalValue::HiddenVisibility);
|
2018-10-17 07:43:57 +08:00
|
|
|
IRBuilder<> IRB(M.getContext());
|
|
|
|
|
Value *SecEndPtr = IRB.CreatePointerCast(SecEnd, Ty);
|
2019-01-15 05:02:02 +08:00
|
|
|
if (!TargetTriple.isOSBinFormatCOFF())
|
2018-10-17 07:43:57 +08:00
|
|
|
return std::make_pair(IRB.CreatePointerCast(SecStart, Ty), SecEndPtr);
|
2017-06-03 07:13:44 +08:00
|
|
|
|
2018-10-17 07:43:57 +08:00
|
|
|
// Account for the fact that on windows-msvc __start_* symbols actually
|
|
|
|
|
// point to a uint64_t before the start of the array.
|
|
|
|
|
auto SecStartI8Ptr = IRB.CreatePointerCast(SecStart, Int8PtrTy);
|
2019-02-02 04:44:47 +08:00
|
|
|
auto GEP = IRB.CreateGEP(Int8Ty, SecStartI8Ptr,
|
2018-10-17 07:43:57 +08:00
|
|
|
ConstantInt::get(IntptrTy, sizeof(uint64_t)));
|
|
|
|
|
return std::make_pair(IRB.CreatePointerCast(GEP, Ty), SecEndPtr);
|
2017-07-28 07:36:49 +08:00
|
|
|
}
|
|
|
|
|
|
2019-07-26 04:53:15 +08:00
|
|
|
Function *ModuleSanitizerCoverage::CreateInitCallsForSections(
|
2019-05-07 09:39:37 +08:00
|
|
|
Module &M, const char *CtorName, const char *InitFunctionName, Type *Ty,
|
2017-07-28 07:36:49 +08:00
|
|
|
const char *Section) {
|
|
|
|
|
auto SecStartEnd = CreateSecStartEnd(M, Section, Ty);
|
|
|
|
|
auto SecStart = SecStartEnd.first;
|
|
|
|
|
auto SecEnd = SecStartEnd.second;
|
|
|
|
|
Function *CtorFunc;
|
2017-06-03 07:13:44 +08:00
|
|
|
std::tie(CtorFunc, std::ignore) = createSanitizerCtorAndInitFunctions(
|
2019-05-07 09:39:37 +08:00
|
|
|
M, CtorName, InitFunctionName, {Ty, Ty}, {SecStart, SecEnd});
|
|
|
|
|
assert(CtorFunc->getName() == CtorName);
|
2017-06-03 07:13:44 +08:00
|
|
|
|
|
|
|
|
if (TargetTriple.supportsCOMDAT()) {
|
|
|
|
|
// Use comdat to dedup CtorFunc.
|
2019-05-07 09:39:37 +08:00
|
|
|
CtorFunc->setComdat(M.getOrInsertComdat(CtorName));
|
2017-06-03 07:13:44 +08:00
|
|
|
appendToGlobalCtors(M, CtorFunc, SanCtorAndDtorPriority, CtorFunc);
|
|
|
|
|
} else {
|
|
|
|
|
appendToGlobalCtors(M, CtorFunc, SanCtorAndDtorPriority);
|
|
|
|
|
}
|
2018-10-13 02:11:47 +08:00
|
|
|
|
2019-01-15 05:02:02 +08:00
|
|
|
if (TargetTriple.isOSBinFormatCOFF()) {
|
2018-10-13 02:11:47 +08:00
|
|
|
// In COFF files, if the contructors are set as COMDAT (they are because
|
|
|
|
|
// COFF supports COMDAT) and the linker flag /OPT:REF (strip unreferenced
|
|
|
|
|
// functions and data) is used, the constructors get stripped. To prevent
|
2019-01-15 05:02:02 +08:00
|
|
|
// this, give the constructors weak ODR linkage and ensure the linker knows
|
|
|
|
|
// to include the sancov constructor. This way the linker can deduplicate
|
|
|
|
|
// the constructors but always leave one copy.
|
2018-10-13 02:11:47 +08:00
|
|
|
CtorFunc->setLinkage(GlobalValue::WeakODRLinkage);
|
2019-01-15 05:02:02 +08:00
|
|
|
appendToUsed(M, CtorFunc);
|
2018-10-13 02:11:47 +08:00
|
|
|
}
|
2017-07-28 07:36:49 +08:00
|
|
|
return CtorFunc;
|
2017-06-03 07:13:44 +08:00
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
bool ModuleSanitizerCoverage::instrumentModule(
|
|
|
|
|
Module &M, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
|
2015-05-07 09:00:31 +08:00
|
|
|
if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
|
2019-09-05 04:30:29 +08:00
|
|
|
return false;
|
2014-11-12 06:14:37 +08:00
|
|
|
C = &(M.getContext());
|
2015-03-21 09:29:36 +08:00
|
|
|
DL = &M.getDataLayout();
|
2019-09-05 04:30:29 +08:00
|
|
|
CurModule = &M;
|
2018-09-14 05:45:55 +08:00
|
|
|
CurModuleUniqueId = getUniqueModuleId(CurModule);
|
2017-02-03 09:08:06 +08:00
|
|
|
TargetTriple = Triple(M.getTargetTriple());
|
2017-06-03 07:13:44 +08:00
|
|
|
FunctionGuardArray = nullptr;
|
2017-06-09 06:58:19 +08:00
|
|
|
Function8bitCounterArray = nullptr;
|
2017-07-28 07:36:49 +08:00
|
|
|
FunctionPCsArray = nullptr;
|
2015-03-21 09:29:36 +08:00
|
|
|
IntptrTy = Type::getIntNTy(*C, DL->getPointerSizeInBits());
|
2016-09-18 12:52:23 +08:00
|
|
|
IntptrPtrTy = PointerType::getUnqual(IntptrTy);
|
2014-11-12 06:14:37 +08:00
|
|
|
Type *VoidTy = Type::getVoidTy(*C);
|
2014-11-25 02:49:53 +08:00
|
|
|
IRBuilder<> IRB(*C);
|
2015-07-31 09:33:06 +08:00
|
|
|
Int64PtrTy = PointerType::getUnqual(IRB.getInt64Ty());
|
2016-09-30 01:43:24 +08:00
|
|
|
Int32PtrTy = PointerType::getUnqual(IRB.getInt32Ty());
|
2017-06-09 06:58:19 +08:00
|
|
|
Int8PtrTy = PointerType::getUnqual(IRB.getInt8Ty());
|
2015-03-21 09:29:36 +08:00
|
|
|
Int64Ty = IRB.getInt64Ty();
|
2016-09-30 01:43:24 +08:00
|
|
|
Int32Ty = IRB.getInt32Ty();
|
2017-08-10 23:00:13 +08:00
|
|
|
Int16Ty = IRB.getInt16Ty();
|
2017-06-09 06:58:19 +08:00
|
|
|
Int8Ty = IRB.getInt8Ty();
|
2014-11-12 06:14:37 +08:00
|
|
|
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
SanCovTracePCIndir =
|
|
|
|
|
M.getOrInsertFunction(SanCovTracePCIndirName, VoidTy, IntptrTy);
|
|
|
|
|
// Make sure smaller parameters are zero-extended to i64 as required by the
|
|
|
|
|
// x86_64 ABI.
|
|
|
|
|
AttributeList SanCovTraceCmpZeroExtAL;
|
|
|
|
|
if (TargetTriple.getArch() == Triple::x86_64) {
|
|
|
|
|
SanCovTraceCmpZeroExtAL =
|
|
|
|
|
SanCovTraceCmpZeroExtAL.addParamAttribute(*C, 0, Attribute::ZExt);
|
|
|
|
|
SanCovTraceCmpZeroExtAL =
|
|
|
|
|
SanCovTraceCmpZeroExtAL.addParamAttribute(*C, 1, Attribute::ZExt);
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-07 04:23:57 +08:00
|
|
|
SanCovTraceCmpFunction[0] =
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
M.getOrInsertFunction(SanCovTraceCmp1, SanCovTraceCmpZeroExtAL, VoidTy,
|
|
|
|
|
IRB.getInt8Ty(), IRB.getInt8Ty());
|
|
|
|
|
SanCovTraceCmpFunction[1] =
|
|
|
|
|
M.getOrInsertFunction(SanCovTraceCmp2, SanCovTraceCmpZeroExtAL, VoidTy,
|
|
|
|
|
IRB.getInt16Ty(), IRB.getInt16Ty());
|
|
|
|
|
SanCovTraceCmpFunction[2] =
|
|
|
|
|
M.getOrInsertFunction(SanCovTraceCmp4, SanCovTraceCmpZeroExtAL, VoidTy,
|
|
|
|
|
IRB.getInt32Ty(), IRB.getInt32Ty());
|
2017-04-07 04:23:57 +08:00
|
|
|
SanCovTraceCmpFunction[3] =
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
M.getOrInsertFunction(SanCovTraceCmp8, VoidTy, Int64Ty, Int64Ty);
|
|
|
|
|
|
|
|
|
|
SanCovTraceConstCmpFunction[0] = M.getOrInsertFunction(
|
|
|
|
|
SanCovTraceConstCmp1, SanCovTraceCmpZeroExtAL, VoidTy, Int8Ty, Int8Ty);
|
|
|
|
|
SanCovTraceConstCmpFunction[1] = M.getOrInsertFunction(
|
|
|
|
|
SanCovTraceConstCmp2, SanCovTraceCmpZeroExtAL, VoidTy, Int16Ty, Int16Ty);
|
|
|
|
|
SanCovTraceConstCmpFunction[2] = M.getOrInsertFunction(
|
|
|
|
|
SanCovTraceConstCmp4, SanCovTraceCmpZeroExtAL, VoidTy, Int32Ty, Int32Ty);
|
2017-08-10 23:00:13 +08:00
|
|
|
SanCovTraceConstCmpFunction[3] =
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
M.getOrInsertFunction(SanCovTraceConstCmp8, VoidTy, Int64Ty, Int64Ty);
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
AttributeList AL;
|
|
|
|
|
if (TargetTriple.getArch() == Triple::x86_64)
|
|
|
|
|
AL = AL.addParamAttribute(*C, 0, Attribute::ZExt);
|
|
|
|
|
SanCovTraceDivFunction[0] =
|
|
|
|
|
M.getOrInsertFunction(SanCovTraceDiv4, AL, VoidTy, IRB.getInt32Ty());
|
|
|
|
|
}
|
2017-04-07 04:23:57 +08:00
|
|
|
SanCovTraceDivFunction[1] =
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
M.getOrInsertFunction(SanCovTraceDiv8, VoidTy, Int64Ty);
|
2017-04-07 04:23:57 +08:00
|
|
|
SanCovTraceGepFunction =
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
M.getOrInsertFunction(SanCovTraceGep, VoidTy, IntptrTy);
|
2015-07-31 09:33:06 +08:00
|
|
|
SanCovTraceSwitchFunction =
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
M.getOrInsertFunction(SanCovTraceSwitchName, VoidTy, Int64Ty, Int64PtrTy);
|
2017-08-19 02:43:30 +08:00
|
|
|
|
|
|
|
|
Constant *SanCovLowestStackConstant =
|
|
|
|
|
M.getOrInsertGlobal(SanCovLowestStackName, IntptrTy);
|
2019-02-05 06:06:30 +08:00
|
|
|
SanCovLowestStack = dyn_cast<GlobalVariable>(SanCovLowestStackConstant);
|
2019-09-05 04:30:29 +08:00
|
|
|
if (!SanCovLowestStack) {
|
|
|
|
|
C->emitError(StringRef("'") + SanCovLowestStackName +
|
|
|
|
|
"' should not be declared by the user");
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2017-08-23 05:28:29 +08:00
|
|
|
SanCovLowestStack->setThreadLocalMode(
|
|
|
|
|
GlobalValue::ThreadLocalMode::InitialExecTLSModel);
|
|
|
|
|
if (Options.StackDepth && !SanCovLowestStack->isDeclaration())
|
|
|
|
|
SanCovLowestStack->setInitializer(Constant::getAllOnesValue(IntptrTy));
|
2017-08-19 02:43:30 +08:00
|
|
|
|
2014-12-17 05:24:15 +08:00
|
|
|
// We insert an empty inline asm after cov callbacks to avoid callback merge.
|
|
|
|
|
EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false),
|
|
|
|
|
StringRef(""), StringRef(""),
|
|
|
|
|
/*hasSideEffects=*/true);
|
2014-11-12 06:14:37 +08:00
|
|
|
|
[opaque pointer types] Add a FunctionCallee wrapper type, and use it.
Recommit r352791 after tweaking DerivedTypes.h slightly, so that gcc
doesn't choke on it, hopefully.
Original Message:
The FunctionCallee type is effectively a {FunctionType*,Value*} pair,
and is a useful convenience to enable code to continue passing the
result of getOrInsertFunction() through to EmitCall, even once pointer
types lose their pointee-type.
Then:
- update the CallInst/InvokeInst instruction creation functions to
take a Callee,
- modify getOrInsertFunction to return FunctionCallee, and
- update all callers appropriately.
One area of particular note is the change to the sanitizer
code. Previously, they had been casting the result of
`getOrInsertFunction` to a `Function*` via
`checkSanitizerInterfaceFunction`, and storing that. That would report
an error if someone had already inserted a function declaraction with
a mismatching signature.
However, in general, LLVM allows for such mismatches, as
`getOrInsertFunction` will automatically insert a bitcast if
needed. As part of this cleanup, cause the sanitizer code to do the
same. (It will call its functions using the expected signature,
however they may have been declared.)
Finally, in a small number of locations, callers of
`getOrInsertFunction` actually were expecting/requiring that a brand
new function was being created. In such cases, I've switched them to
Function::Create instead.
Differential Revision: https://reviews.llvm.org/D57315
llvm-svn: 352827
2019-02-01 10:28:03 +08:00
|
|
|
SanCovTracePC = M.getOrInsertFunction(SanCovTracePCName, VoidTy);
|
|
|
|
|
SanCovTracePCGuard =
|
|
|
|
|
M.getOrInsertFunction(SanCovTracePCGuardName, VoidTy, Int32PtrTy);
|
2014-11-19 08:22:58 +08:00
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
for (auto &F : M)
|
|
|
|
|
instrumentFunction(F, DTCallback, PDTCallback);
|
|
|
|
|
|
|
|
|
|
Function *Ctor = nullptr;
|
|
|
|
|
|
|
|
|
|
if (FunctionGuardArray)
|
|
|
|
|
Ctor = CreateInitCallsForSections(M, SanCovModuleCtorTracePcGuardName,
|
|
|
|
|
SanCovTracePCGuardInitName, Int32PtrTy,
|
|
|
|
|
SanCovGuardsSectionName);
|
|
|
|
|
if (Function8bitCounterArray)
|
|
|
|
|
Ctor = CreateInitCallsForSections(M, SanCovModuleCtor8bitCountersName,
|
|
|
|
|
SanCov8bitCountersInitName, Int8PtrTy,
|
|
|
|
|
SanCovCountersSectionName);
|
|
|
|
|
if (Ctor && Options.PCTable) {
|
|
|
|
|
auto SecStartEnd = CreateSecStartEnd(M, SanCovPCsSectionName, IntptrPtrTy);
|
|
|
|
|
FunctionCallee InitFunction = declareSanitizerInitFunction(
|
|
|
|
|
M, SanCovPCsInitName, {IntptrPtrTy, IntptrPtrTy});
|
|
|
|
|
IRBuilder<> IRBCtor(Ctor->getEntryBlock().getTerminator());
|
|
|
|
|
IRBCtor.CreateCall(InitFunction, {SecStartEnd.first, SecStartEnd.second});
|
|
|
|
|
}
|
2017-09-09 13:30:13 +08:00
|
|
|
// We don't reference these arrays directly in any of our runtime functions,
|
|
|
|
|
// so we need to prevent them from being dead stripped.
|
|
|
|
|
if (TargetTriple.isOSBinFormatMachO())
|
|
|
|
|
appendToUsed(M, GlobalsToAppendToUsed);
|
2018-06-16 04:12:58 +08:00
|
|
|
appendToCompilerUsed(M, GlobalsToAppendToCompilerUsed);
|
2019-09-05 04:30:29 +08:00
|
|
|
return true;
|
2014-11-12 06:14:37 +08:00
|
|
|
}
|
|
|
|
|
|
2016-03-24 07:15:03 +08:00
|
|
|
// True if block has successors and it dominates all of them.
|
|
|
|
|
static bool isFullDominator(const BasicBlock *BB, const DominatorTree *DT) {
|
|
|
|
|
if (succ_begin(BB) == succ_end(BB))
|
|
|
|
|
return false;
|
2016-02-26 09:17:22 +08:00
|
|
|
|
|
|
|
|
for (const BasicBlock *SUCC : make_range(succ_begin(BB), succ_end(BB))) {
|
2016-03-24 07:15:03 +08:00
|
|
|
if (!DT->dominates(BB, SUCC))
|
|
|
|
|
return false;
|
2016-03-22 07:08:16 +08:00
|
|
|
}
|
|
|
|
|
|
2016-03-24 07:15:03 +08:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-24 08:29:12 +08:00
|
|
|
// True if block has predecessors and it postdominates all of them.
|
|
|
|
|
static bool isFullPostDominator(const BasicBlock *BB,
|
|
|
|
|
const PostDominatorTree *PDT) {
|
|
|
|
|
if (pred_begin(BB) == pred_end(BB))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
for (const BasicBlock *PRED : make_range(pred_begin(BB), pred_end(BB))) {
|
|
|
|
|
if (!PDT->dominates(BB, PRED))
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-06 07:14:40 +08:00
|
|
|
static bool shouldInstrumentBlock(const Function &F, const BasicBlock *BB,
|
|
|
|
|
const DominatorTree *DT,
|
2017-05-24 08:29:12 +08:00
|
|
|
const PostDominatorTree *PDT,
|
2017-05-06 07:14:40 +08:00
|
|
|
const SanitizerCoverageOptions &Options) {
|
[sancov] Instrument reachable blocks that end in unreachable
Summary:
These sorts of blocks often contain calls to noreturn functions, like
longjmp, throw, or trap. If they don't end the program, they are
"interesting" from the perspective of sanitizer coverage, so we should
instrument them. This was discussed in https://reviews.llvm.org/D57982.
Reviewers: kcc, vitalybuka
Subscribers: llvm-commits, craig.topper, efriedma, morehouse, hiraditya
Tags: #llvm
Differential Revision: https://reviews.llvm.org/D58740
llvm-svn: 355152
2019-03-01 06:54:30 +08:00
|
|
|
// Don't insert coverage for blocks containing nothing but unreachable: we
|
|
|
|
|
// will never call __sanitizer_cov() for them, so counting them in
|
2016-09-30 01:43:24 +08:00
|
|
|
// NumberOfInstrumentedBlocks() might complicate calculation of code coverage
|
|
|
|
|
// percentage. Also, unreachable instructions frequently have no debug
|
|
|
|
|
// locations.
|
[sancov] Instrument reachable blocks that end in unreachable
Summary:
These sorts of blocks often contain calls to noreturn functions, like
longjmp, throw, or trap. If they don't end the program, they are
"interesting" from the perspective of sanitizer coverage, so we should
instrument them. This was discussed in https://reviews.llvm.org/D57982.
Reviewers: kcc, vitalybuka
Subscribers: llvm-commits, craig.topper, efriedma, morehouse, hiraditya
Tags: #llvm
Differential Revision: https://reviews.llvm.org/D58740
llvm-svn: 355152
2019-03-01 06:54:30 +08:00
|
|
|
if (isa<UnreachableInst>(BB->getFirstNonPHIOrDbgOrLifetime()))
|
2016-09-30 01:43:24 +08:00
|
|
|
return false;
|
|
|
|
|
|
2017-03-24 07:30:41 +08:00
|
|
|
// Don't insert coverage into blocks without a valid insertion point
|
|
|
|
|
// (catchswitch blocks).
|
|
|
|
|
if (BB->getFirstInsertionPt() == BB->end())
|
|
|
|
|
return false;
|
|
|
|
|
|
2017-05-06 07:14:40 +08:00
|
|
|
if (Options.NoPrune || &F.getEntryBlock() == BB)
|
2016-03-24 07:15:03 +08:00
|
|
|
return true;
|
|
|
|
|
|
2017-07-25 10:07:38 +08:00
|
|
|
if (Options.CoverageType == SanitizerCoverageOptions::SCK_Function &&
|
|
|
|
|
&F.getEntryBlock() != BB)
|
|
|
|
|
return false;
|
|
|
|
|
|
2017-05-25 09:41:46 +08:00
|
|
|
// Do not instrument full dominators, or full post-dominators with multiple
|
|
|
|
|
// predecessors.
|
|
|
|
|
return !isFullDominator(BB, DT)
|
|
|
|
|
&& !(isFullPostDominator(BB, PDT) && !BB->getSinglePredecessor());
|
2016-02-26 09:17:22 +08:00
|
|
|
}
|
|
|
|
|
|
2019-02-01 07:43:00 +08:00
|
|
|
|
|
|
|
|
// Returns true iff From->To is a backedge.
|
|
|
|
|
// A twist here is that we treat From->To as a backedge if
|
|
|
|
|
// * To dominates From or
|
|
|
|
|
// * To->UniqueSuccessor dominates From
|
|
|
|
|
static bool IsBackEdge(BasicBlock *From, BasicBlock *To,
|
|
|
|
|
const DominatorTree *DT) {
|
|
|
|
|
if (DT->dominates(To, From))
|
|
|
|
|
return true;
|
|
|
|
|
if (auto Next = To->getUniqueSuccessor())
|
|
|
|
|
if (DT->dominates(Next, From))
|
|
|
|
|
return true;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Prunes uninteresting Cmp instrumentation:
|
|
|
|
|
// * CMP instructions that feed into loop backedge branch.
|
|
|
|
|
//
|
|
|
|
|
// Note that Cmp pruning is controlled by the same flag as the
|
|
|
|
|
// BB pruning.
|
|
|
|
|
static bool IsInterestingCmp(ICmpInst *CMP, const DominatorTree *DT,
|
|
|
|
|
const SanitizerCoverageOptions &Options) {
|
|
|
|
|
if (!Options.NoPrune)
|
|
|
|
|
if (CMP->hasOneUse())
|
|
|
|
|
if (auto BR = dyn_cast<BranchInst>(CMP->user_back()))
|
|
|
|
|
for (BasicBlock *B : BR->successors())
|
|
|
|
|
if (IsBackEdge(BR->getParent(), B, DT))
|
|
|
|
|
return false;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::instrumentFunction(
|
|
|
|
|
Function &F, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
|
|
|
|
|
if (F.empty())
|
|
|
|
|
return;
|
|
|
|
|
if (F.getName().find(".module_ctor") != std::string::npos)
|
|
|
|
|
return; // Should not instrument sanitizer init functions.
|
|
|
|
|
if (F.getName().startswith("__sanitizer_"))
|
|
|
|
|
return; // Don't instrument __sanitizer_* callbacks.
|
|
|
|
|
// Don't touch available_externally functions, their actual body is elewhere.
|
|
|
|
|
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage)
|
|
|
|
|
return;
|
|
|
|
|
// Don't instrument MSVC CRT configuration helpers. They may run before normal
|
|
|
|
|
// initialization.
|
|
|
|
|
if (F.getName() == "__local_stdio_printf_options" ||
|
|
|
|
|
F.getName() == "__local_stdio_scanf_options")
|
|
|
|
|
return;
|
|
|
|
|
if (isa<UnreachableInst>(F.getEntryBlock().getTerminator()))
|
|
|
|
|
return;
|
|
|
|
|
// Don't instrument functions using SEH for now. Splitting basic blocks like
|
|
|
|
|
// we do for coverage breaks WinEHPrepare.
|
|
|
|
|
// FIXME: Remove this when SEH no longer uses landingpad pattern matching.
|
|
|
|
|
if (F.hasPersonalityFn() &&
|
|
|
|
|
isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn())))
|
|
|
|
|
return;
|
2015-05-07 09:00:31 +08:00
|
|
|
if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
|
2019-03-13 02:20:25 +08:00
|
|
|
SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
|
2016-03-19 07:29:29 +08:00
|
|
|
SmallVector<Instruction *, 8> IndirCalls;
|
2016-02-26 09:17:22 +08:00
|
|
|
SmallVector<BasicBlock *, 16> BlocksToInstrument;
|
2016-03-19 07:29:29 +08:00
|
|
|
SmallVector<Instruction *, 8> CmpTraceTargets;
|
|
|
|
|
SmallVector<Instruction *, 8> SwitchTraceTargets;
|
2016-08-30 09:12:10 +08:00
|
|
|
SmallVector<BinaryOperator *, 8> DivTraceTargets;
|
|
|
|
|
SmallVector<GetElementPtrInst *, 8> GepTraceTargets;
|
2016-02-26 09:17:22 +08:00
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
const DominatorTree *DT = DTCallback(F);
|
|
|
|
|
const PostDominatorTree *PDT = PDTCallback(F);
|
2017-08-31 06:49:31 +08:00
|
|
|
bool IsLeafFunc = true;
|
2016-03-22 07:08:16 +08:00
|
|
|
|
2014-11-12 06:14:37 +08:00
|
|
|
for (auto &BB : F) {
|
2017-05-24 08:29:12 +08:00
|
|
|
if (shouldInstrumentBlock(F, &BB, DT, PDT, Options))
|
2016-02-26 09:17:22 +08:00
|
|
|
BlocksToInstrument.push_back(&BB);
|
2015-03-21 09:29:36 +08:00
|
|
|
for (auto &Inst : BB) {
|
2015-05-07 09:00:31 +08:00
|
|
|
if (Options.IndirectCalls) {
|
2014-11-12 06:14:37 +08:00
|
|
|
CallSite CS(&Inst);
|
|
|
|
|
if (CS && !CS.getCalledFunction())
|
|
|
|
|
IndirCalls.push_back(&Inst);
|
|
|
|
|
}
|
2015-07-31 09:33:06 +08:00
|
|
|
if (Options.TraceCmp) {
|
2019-02-01 07:43:00 +08:00
|
|
|
if (ICmpInst *CMP = dyn_cast<ICmpInst>(&Inst))
|
|
|
|
|
if (IsInterestingCmp(CMP, DT, Options))
|
|
|
|
|
CmpTraceTargets.push_back(&Inst);
|
2015-07-31 09:33:06 +08:00
|
|
|
if (isa<SwitchInst>(&Inst))
|
|
|
|
|
SwitchTraceTargets.push_back(&Inst);
|
|
|
|
|
}
|
2016-08-30 09:12:10 +08:00
|
|
|
if (Options.TraceDiv)
|
|
|
|
|
if (BinaryOperator *BO = dyn_cast<BinaryOperator>(&Inst))
|
|
|
|
|
if (BO->getOpcode() == Instruction::SDiv ||
|
|
|
|
|
BO->getOpcode() == Instruction::UDiv)
|
|
|
|
|
DivTraceTargets.push_back(BO);
|
|
|
|
|
if (Options.TraceGep)
|
|
|
|
|
if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(&Inst))
|
|
|
|
|
GepTraceTargets.push_back(GEP);
|
2017-08-31 06:49:31 +08:00
|
|
|
if (Options.StackDepth)
|
|
|
|
|
if (isa<InvokeInst>(Inst) ||
|
|
|
|
|
(isa<CallInst>(Inst) && !isa<IntrinsicInst>(Inst)))
|
|
|
|
|
IsLeafFunc = false;
|
|
|
|
|
}
|
2014-11-12 06:14:37 +08:00
|
|
|
}
|
2016-02-26 09:17:22 +08:00
|
|
|
|
2017-08-31 06:49:31 +08:00
|
|
|
InjectCoverage(F, BlocksToInstrument, IsLeafFunc);
|
2015-03-21 09:29:36 +08:00
|
|
|
InjectCoverageForIndirectCalls(F, IndirCalls);
|
|
|
|
|
InjectTraceForCmp(F, CmpTraceTargets);
|
2015-07-31 09:33:06 +08:00
|
|
|
InjectTraceForSwitch(F, SwitchTraceTargets);
|
2016-08-30 09:12:10 +08:00
|
|
|
InjectTraceForDiv(F, DivTraceTargets);
|
|
|
|
|
InjectTraceForGep(F, GepTraceTargets);
|
2014-11-12 06:14:37 +08:00
|
|
|
}
|
2017-06-03 07:13:44 +08:00
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
GlobalVariable *ModuleSanitizerCoverage::CreateFunctionLocalArrayInSection(
|
2017-06-03 07:13:44 +08:00
|
|
|
size_t NumElements, Function &F, Type *Ty, const char *Section) {
|
|
|
|
|
ArrayType *ArrayTy = ArrayType::get(Ty, NumElements);
|
|
|
|
|
auto Array = new GlobalVariable(
|
|
|
|
|
*CurModule, ArrayTy, false, GlobalVariable::PrivateLinkage,
|
|
|
|
|
Constant::getNullValue(ArrayTy), "__sancov_gen_");
|
2018-10-13 07:21:48 +08:00
|
|
|
|
2019-01-16 05:21:01 +08:00
|
|
|
if (TargetTriple.supportsCOMDAT() && !F.isInterposable())
|
2018-11-08 08:57:33 +08:00
|
|
|
if (auto Comdat =
|
|
|
|
|
GetOrCreateFunctionComdat(F, TargetTriple, CurModuleUniqueId))
|
2018-10-13 07:21:48 +08:00
|
|
|
Array->setComdat(Comdat);
|
2017-06-03 07:13:44 +08:00
|
|
|
Array->setSection(getSectionName(Section));
|
2017-08-01 03:49:45 +08:00
|
|
|
Array->setAlignment(Ty->isPointerTy() ? DL->getPointerSize()
|
|
|
|
|
: Ty->getPrimitiveSizeInBits() / 8);
|
2018-10-12 21:59:31 +08:00
|
|
|
GlobalsToAppendToUsed.push_back(Array);
|
2018-09-14 05:45:55 +08:00
|
|
|
GlobalsToAppendToCompilerUsed.push_back(Array);
|
|
|
|
|
MDNode *MD = MDNode::get(F.getContext(), ValueAsMetadata::get(&F));
|
|
|
|
|
Array->addMetadata(LLVMContext::MD_associated, *MD);
|
|
|
|
|
|
2017-06-03 07:13:44 +08:00
|
|
|
return Array;
|
|
|
|
|
}
|
2017-07-28 07:36:49 +08:00
|
|
|
|
2017-08-29 07:46:11 +08:00
|
|
|
GlobalVariable *
|
2019-09-05 04:30:29 +08:00
|
|
|
ModuleSanitizerCoverage::CreatePCArray(Function &F,
|
|
|
|
|
ArrayRef<BasicBlock *> AllBlocks) {
|
2017-07-28 07:36:49 +08:00
|
|
|
size_t N = AllBlocks.size();
|
|
|
|
|
assert(N);
|
2017-08-26 03:29:47 +08:00
|
|
|
SmallVector<Constant *, 32> PCs;
|
2017-07-28 07:36:49 +08:00
|
|
|
IRBuilder<> IRB(&*F.getEntryBlock().getFirstInsertionPt());
|
2017-08-26 03:29:47 +08:00
|
|
|
for (size_t i = 0; i < N; i++) {
|
|
|
|
|
if (&F.getEntryBlock() == AllBlocks[i]) {
|
|
|
|
|
PCs.push_back((Constant *)IRB.CreatePointerCast(&F, IntptrPtrTy));
|
|
|
|
|
PCs.push_back((Constant *)IRB.CreateIntToPtr(
|
|
|
|
|
ConstantInt::get(IntptrTy, 1), IntptrPtrTy));
|
|
|
|
|
} else {
|
|
|
|
|
PCs.push_back((Constant *)IRB.CreatePointerCast(
|
|
|
|
|
BlockAddress::get(AllBlocks[i]), IntptrPtrTy));
|
|
|
|
|
PCs.push_back((Constant *)IRB.CreateIntToPtr(
|
|
|
|
|
ConstantInt::get(IntptrTy, 0), IntptrPtrTy));
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-08-29 07:46:11 +08:00
|
|
|
auto *PCArray = CreateFunctionLocalArrayInSection(N * 2, F, IntptrPtrTy,
|
|
|
|
|
SanCovPCsSectionName);
|
|
|
|
|
PCArray->setInitializer(
|
2017-08-26 03:29:47 +08:00
|
|
|
ConstantArray::get(ArrayType::get(IntptrPtrTy, N * 2), PCs));
|
2017-08-29 07:46:11 +08:00
|
|
|
PCArray->setConstant(true);
|
2017-08-25 09:24:54 +08:00
|
|
|
|
2017-08-29 07:46:11 +08:00
|
|
|
return PCArray;
|
2017-07-28 07:36:49 +08:00
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::CreateFunctionLocalArrays(
|
2017-07-28 07:36:49 +08:00
|
|
|
Function &F, ArrayRef<BasicBlock *> AllBlocks) {
|
2018-10-12 21:59:31 +08:00
|
|
|
if (Options.TracePCGuard)
|
2017-06-03 07:13:44 +08:00
|
|
|
FunctionGuardArray = CreateFunctionLocalArrayInSection(
|
2017-07-28 07:36:49 +08:00
|
|
|
AllBlocks.size(), F, Int32Ty, SanCovGuardsSectionName);
|
2018-10-12 21:59:31 +08:00
|
|
|
|
2018-09-14 05:45:55 +08:00
|
|
|
if (Options.Inline8bitCounters)
|
2017-06-09 06:58:19 +08:00
|
|
|
Function8bitCounterArray = CreateFunctionLocalArrayInSection(
|
2017-07-28 07:36:49 +08:00
|
|
|
AllBlocks.size(), F, Int8Ty, SanCovCountersSectionName);
|
2018-10-12 21:59:31 +08:00
|
|
|
|
2018-09-14 05:45:55 +08:00
|
|
|
if (Options.PCTable)
|
2017-08-29 07:46:11 +08:00
|
|
|
FunctionPCsArray = CreatePCArray(F, AllBlocks);
|
2016-09-30 01:43:24 +08:00
|
|
|
}
|
2014-11-12 06:14:37 +08:00
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
bool ModuleSanitizerCoverage::InjectCoverage(Function &F,
|
|
|
|
|
ArrayRef<BasicBlock *> AllBlocks,
|
|
|
|
|
bool IsLeafFunc) {
|
2016-09-30 01:43:24 +08:00
|
|
|
if (AllBlocks.empty()) return false;
|
2017-07-28 07:36:49 +08:00
|
|
|
CreateFunctionLocalArrays(F, AllBlocks);
|
2017-07-25 10:07:38 +08:00
|
|
|
for (size_t i = 0, N = AllBlocks.size(); i < N; i++)
|
2017-08-31 06:49:31 +08:00
|
|
|
InjectCoverageAtBlock(F, *AllBlocks[i], i, IsLeafFunc);
|
2017-07-25 10:07:38 +08:00
|
|
|
return true;
|
2014-11-12 06:14:37 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// On every indirect call we call a run-time function
|
|
|
|
|
// __sanitizer_cov_indir_call* with two parameters:
|
|
|
|
|
// - callee address,
|
2016-03-19 07:29:29 +08:00
|
|
|
// - global cache array that contains CacheSize pointers (zero-initialized).
|
2014-11-12 06:14:37 +08:00
|
|
|
// The cache is used to speed up recording the caller-callee pairs.
|
|
|
|
|
// The address of the caller is passed implicitly via caller PC.
|
2016-03-19 07:29:29 +08:00
|
|
|
// CacheSize is encoded in the name of the run-time function.
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::InjectCoverageForIndirectCalls(
|
2014-11-12 06:14:37 +08:00
|
|
|
Function &F, ArrayRef<Instruction *> IndirCalls) {
|
2016-03-19 07:29:29 +08:00
|
|
|
if (IndirCalls.empty())
|
|
|
|
|
return;
|
2017-06-09 06:58:19 +08:00
|
|
|
assert(Options.TracePC || Options.TracePCGuard || Options.Inline8bitCounters);
|
2014-11-12 06:14:37 +08:00
|
|
|
for (auto I : IndirCalls) {
|
|
|
|
|
IRBuilder<> IRB(I);
|
|
|
|
|
CallSite CS(I);
|
|
|
|
|
Value *Callee = CS.getCalledValue();
|
2016-03-19 07:29:29 +08:00
|
|
|
if (isa<InlineAsm>(Callee))
|
|
|
|
|
continue;
|
2017-04-20 06:42:11 +08:00
|
|
|
IRB.CreateCall(SanCovTracePCIndir, IRB.CreatePointerCast(Callee, IntptrTy));
|
2014-11-12 06:14:37 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-31 09:33:06 +08:00
|
|
|
// For every switch statement we insert a call:
|
|
|
|
|
// __sanitizer_cov_trace_switch(CondValue,
|
|
|
|
|
// {NumCases, ValueSizeInBits, Case0Value, Case1Value, Case2Value, ... })
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::InjectTraceForSwitch(
|
2016-03-19 07:29:29 +08:00
|
|
|
Function &, ArrayRef<Instruction *> SwitchTraceTargets) {
|
2015-07-31 09:33:06 +08:00
|
|
|
for (auto I : SwitchTraceTargets) {
|
|
|
|
|
if (SwitchInst *SI = dyn_cast<SwitchInst>(I)) {
|
|
|
|
|
IRBuilder<> IRB(I);
|
|
|
|
|
SmallVector<Constant *, 16> Initializers;
|
|
|
|
|
Value *Cond = SI->getCondition();
|
2015-08-11 08:24:39 +08:00
|
|
|
if (Cond->getType()->getScalarSizeInBits() >
|
|
|
|
|
Int64Ty->getScalarSizeInBits())
|
|
|
|
|
continue;
|
2015-07-31 09:33:06 +08:00
|
|
|
Initializers.push_back(ConstantInt::get(Int64Ty, SI->getNumCases()));
|
|
|
|
|
Initializers.push_back(
|
|
|
|
|
ConstantInt::get(Int64Ty, Cond->getType()->getScalarSizeInBits()));
|
|
|
|
|
if (Cond->getType()->getScalarSizeInBits() <
|
|
|
|
|
Int64Ty->getScalarSizeInBits())
|
|
|
|
|
Cond = IRB.CreateIntCast(Cond, Int64Ty, false);
|
2016-03-19 07:29:29 +08:00
|
|
|
for (auto It : SI->cases()) {
|
2015-07-31 09:33:06 +08:00
|
|
|
Constant *C = It.getCaseValue();
|
|
|
|
|
if (C->getType()->getScalarSizeInBits() <
|
|
|
|
|
Int64Ty->getScalarSizeInBits())
|
|
|
|
|
C = ConstantExpr::getCast(CastInst::ZExt, It.getCaseValue(), Int64Ty);
|
|
|
|
|
Initializers.push_back(C);
|
|
|
|
|
}
|
2018-04-14 03:47:57 +08:00
|
|
|
llvm::sort(Initializers.begin() + 2, Initializers.end(),
|
|
|
|
|
[](const Constant *A, const Constant *B) {
|
|
|
|
|
return cast<ConstantInt>(A)->getLimitedValue() <
|
|
|
|
|
cast<ConstantInt>(B)->getLimitedValue();
|
|
|
|
|
});
|
2015-07-31 09:33:06 +08:00
|
|
|
ArrayType *ArrayOfInt64Ty = ArrayType::get(Int64Ty, Initializers.size());
|
|
|
|
|
GlobalVariable *GV = new GlobalVariable(
|
|
|
|
|
*CurModule, ArrayOfInt64Ty, false, GlobalVariable::InternalLinkage,
|
|
|
|
|
ConstantArray::get(ArrayOfInt64Ty, Initializers),
|
|
|
|
|
"__sancov_gen_cov_switch_values");
|
|
|
|
|
IRB.CreateCall(SanCovTraceSwitchFunction,
|
|
|
|
|
{Cond, IRB.CreatePointerCast(GV, Int64PtrTy)});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::InjectTraceForDiv(
|
2016-08-30 09:12:10 +08:00
|
|
|
Function &, ArrayRef<BinaryOperator *> DivTraceTargets) {
|
|
|
|
|
for (auto BO : DivTraceTargets) {
|
|
|
|
|
IRBuilder<> IRB(BO);
|
|
|
|
|
Value *A1 = BO->getOperand(1);
|
|
|
|
|
if (isa<ConstantInt>(A1)) continue;
|
|
|
|
|
if (!A1->getType()->isIntegerTy())
|
|
|
|
|
continue;
|
|
|
|
|
uint64_t TypeSize = DL->getTypeStoreSizeInBits(A1->getType());
|
|
|
|
|
int CallbackIdx = TypeSize == 32 ? 0 :
|
|
|
|
|
TypeSize == 64 ? 1 : -1;
|
|
|
|
|
if (CallbackIdx < 0) continue;
|
|
|
|
|
auto Ty = Type::getIntNTy(*C, TypeSize);
|
|
|
|
|
IRB.CreateCall(SanCovTraceDivFunction[CallbackIdx],
|
|
|
|
|
{IRB.CreateIntCast(A1, Ty, true)});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::InjectTraceForGep(
|
2016-08-30 09:12:10 +08:00
|
|
|
Function &, ArrayRef<GetElementPtrInst *> GepTraceTargets) {
|
|
|
|
|
for (auto GEP : GepTraceTargets) {
|
|
|
|
|
IRBuilder<> IRB(GEP);
|
|
|
|
|
for (auto I = GEP->idx_begin(); I != GEP->idx_end(); ++I)
|
2016-09-27 09:55:08 +08:00
|
|
|
if (!isa<ConstantInt>(*I) && (*I)->getType()->isIntegerTy())
|
2016-08-30 09:12:10 +08:00
|
|
|
IRB.CreateCall(SanCovTraceGepFunction,
|
|
|
|
|
{IRB.CreateIntCast(*I, IntptrTy, true)});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::InjectTraceForCmp(
|
2016-03-19 07:29:29 +08:00
|
|
|
Function &, ArrayRef<Instruction *> CmpTraceTargets) {
|
2015-03-21 09:29:36 +08:00
|
|
|
for (auto I : CmpTraceTargets) {
|
|
|
|
|
if (ICmpInst *ICMP = dyn_cast<ICmpInst>(I)) {
|
|
|
|
|
IRBuilder<> IRB(ICMP);
|
|
|
|
|
Value *A0 = ICMP->getOperand(0);
|
|
|
|
|
Value *A1 = ICMP->getOperand(1);
|
2016-03-19 07:29:29 +08:00
|
|
|
if (!A0->getType()->isIntegerTy())
|
|
|
|
|
continue;
|
2015-03-21 09:29:36 +08:00
|
|
|
uint64_t TypeSize = DL->getTypeStoreSizeInBits(A0->getType());
|
2016-08-18 09:25:28 +08:00
|
|
|
int CallbackIdx = TypeSize == 8 ? 0 :
|
|
|
|
|
TypeSize == 16 ? 1 :
|
|
|
|
|
TypeSize == 32 ? 2 :
|
|
|
|
|
TypeSize == 64 ? 3 : -1;
|
|
|
|
|
if (CallbackIdx < 0) continue;
|
2015-05-07 05:35:25 +08:00
|
|
|
// __sanitizer_cov_trace_cmp((type_size << 32) | predicate, A0, A1);
|
2017-08-10 23:00:13 +08:00
|
|
|
auto CallbackFunc = SanCovTraceCmpFunction[CallbackIdx];
|
|
|
|
|
bool FirstIsConst = isa<ConstantInt>(A0);
|
|
|
|
|
bool SecondIsConst = isa<ConstantInt>(A1);
|
|
|
|
|
// If both are const, then we don't need such a comparison.
|
|
|
|
|
if (FirstIsConst && SecondIsConst) continue;
|
|
|
|
|
// If only one is const, then make it the first callback argument.
|
|
|
|
|
if (FirstIsConst || SecondIsConst) {
|
|
|
|
|
CallbackFunc = SanCovTraceConstCmpFunction[CallbackIdx];
|
2017-08-29 07:38:12 +08:00
|
|
|
if (SecondIsConst)
|
2017-08-10 23:00:13 +08:00
|
|
|
std::swap(A0, A1);
|
|
|
|
|
}
|
|
|
|
|
|
2016-08-18 09:25:28 +08:00
|
|
|
auto Ty = Type::getIntNTy(*C, TypeSize);
|
2017-08-29 07:38:12 +08:00
|
|
|
IRB.CreateCall(CallbackFunc, {IRB.CreateIntCast(A0, Ty, true),
|
2017-08-10 23:00:13 +08:00
|
|
|
IRB.CreateIntCast(A1, Ty, true)});
|
2015-03-21 09:29:36 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB,
|
|
|
|
|
size_t Idx,
|
|
|
|
|
bool IsLeafFunc) {
|
2015-08-15 01:03:45 +08:00
|
|
|
BasicBlock::iterator IP = BB.getFirstInsertionPt();
|
2015-01-03 08:54:43 +08:00
|
|
|
bool IsEntryBB = &BB == &F.getEntryBlock();
|
2015-06-12 09:48:47 +08:00
|
|
|
DebugLoc EntryLoc;
|
|
|
|
|
if (IsEntryBB) {
|
2016-03-11 10:14:16 +08:00
|
|
|
if (auto SP = F.getSubprogram())
|
2015-06-12 09:48:47 +08:00
|
|
|
EntryLoc = DebugLoc::get(SP->getScopeLine(), 0, SP);
|
2015-08-15 00:45:42 +08:00
|
|
|
// Keep static allocas and llvm.localescape calls in the entry block. Even
|
|
|
|
|
// if we aren't splitting the block, it's nice for allocas to be before
|
|
|
|
|
// calls.
|
|
|
|
|
IP = PrepareToSplitEntryBlock(BB, IP);
|
2015-06-12 09:48:47 +08:00
|
|
|
} else {
|
|
|
|
|
EntryLoc = IP->getDebugLoc();
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-14 01:39:10 +08:00
|
|
|
IRBuilder<> IRB(&*IP);
|
2014-11-12 06:14:37 +08:00
|
|
|
IRB.SetCurrentDebugLocation(EntryLoc);
|
2016-02-18 05:34:43 +08:00
|
|
|
if (Options.TracePC) {
|
2016-07-15 01:59:01 +08:00
|
|
|
IRB.CreateCall(SanCovTracePC); // gets the PC using GET_CALLER_PC.
|
|
|
|
|
IRB.CreateCall(EmptyAsm, {}); // Avoids callback merge.
|
2017-06-09 06:58:19 +08:00
|
|
|
}
|
|
|
|
|
if (Options.TracePCGuard) {
|
2016-09-30 01:43:24 +08:00
|
|
|
auto GuardPtr = IRB.CreateIntToPtr(
|
|
|
|
|
IRB.CreateAdd(IRB.CreatePointerCast(FunctionGuardArray, IntptrTy),
|
|
|
|
|
ConstantInt::get(IntptrTy, Idx * 4)),
|
|
|
|
|
Int32PtrTy);
|
2016-09-14 09:39:35 +08:00
|
|
|
IRB.CreateCall(SanCovTracePCGuard, GuardPtr);
|
|
|
|
|
IRB.CreateCall(EmptyAsm, {}); // Avoids callback merge.
|
2015-02-04 09:21:45 +08:00
|
|
|
}
|
2017-06-09 06:58:19 +08:00
|
|
|
if (Options.Inline8bitCounters) {
|
|
|
|
|
auto CounterPtr = IRB.CreateGEP(
|
2019-02-02 04:44:47 +08:00
|
|
|
Function8bitCounterArray->getValueType(), Function8bitCounterArray,
|
2017-06-09 06:58:19 +08:00
|
|
|
{ConstantInt::get(IntptrTy, 0), ConstantInt::get(IntptrTy, Idx)});
|
2019-02-02 04:44:24 +08:00
|
|
|
auto Load = IRB.CreateLoad(Int8Ty, CounterPtr);
|
2017-06-09 06:58:19 +08:00
|
|
|
auto Inc = IRB.CreateAdd(Load, ConstantInt::get(Int8Ty, 1));
|
|
|
|
|
auto Store = IRB.CreateStore(Inc, CounterPtr);
|
|
|
|
|
SetNoSanitizeMetadata(Load);
|
|
|
|
|
SetNoSanitizeMetadata(Store);
|
|
|
|
|
}
|
2017-08-31 06:49:31 +08:00
|
|
|
if (Options.StackDepth && IsEntryBB && !IsLeafFunc) {
|
2017-08-19 02:43:30 +08:00
|
|
|
// Check stack depth. If it's the deepest so far, record it.
|
2019-07-22 20:42:48 +08:00
|
|
|
Module *M = F.getParent();
|
|
|
|
|
Function *GetFrameAddr = Intrinsic::getDeclaration(
|
|
|
|
|
M, Intrinsic::frameaddress,
|
|
|
|
|
IRB.getInt8PtrTy(M->getDataLayout().getAllocaAddrSpace()));
|
2017-08-19 02:43:30 +08:00
|
|
|
auto FrameAddrPtr =
|
|
|
|
|
IRB.CreateCall(GetFrameAddr, {Constant::getNullValue(Int32Ty)});
|
|
|
|
|
auto FrameAddrInt = IRB.CreatePtrToInt(FrameAddrPtr, IntptrTy);
|
2019-02-02 04:44:24 +08:00
|
|
|
auto LowestStack = IRB.CreateLoad(IntptrTy, SanCovLowestStack);
|
2017-08-19 02:43:30 +08:00
|
|
|
auto IsStackLower = IRB.CreateICmpULT(FrameAddrInt, LowestStack);
|
|
|
|
|
auto ThenTerm = SplitBlockAndInsertIfThen(IsStackLower, &*IP, false);
|
|
|
|
|
IRBuilder<> ThenIRB(ThenTerm);
|
2017-08-31 06:49:31 +08:00
|
|
|
auto Store = ThenIRB.CreateStore(FrameAddrInt, SanCovLowestStack);
|
|
|
|
|
SetNoSanitizeMetadata(LowestStack);
|
|
|
|
|
SetNoSanitizeMetadata(Store);
|
2017-08-19 02:43:30 +08:00
|
|
|
}
|
2014-11-12 06:14:37 +08:00
|
|
|
}
|
|
|
|
|
|
2017-06-03 07:13:44 +08:00
|
|
|
std::string
|
2019-09-05 04:30:29 +08:00
|
|
|
ModuleSanitizerCoverage::getSectionName(const std::string &Section) const {
|
2019-01-15 05:02:02 +08:00
|
|
|
if (TargetTriple.isOSBinFormatCOFF()) {
|
[libFuzzer] Port to Windows
Summary:
Port libFuzzer to windows-msvc.
This patch allows libFuzzer targets to be built and run on Windows, using -fsanitize=fuzzer and/or fsanitize=fuzzer-no-link. It allows these forms of coverage instrumentation to work on Windows as well.
It does not fix all issues, such as those with -fsanitize-coverage=stack-depth, which is not usable on Windows as of this patch.
It also does not fix any libFuzzer integration tests. Nearly all of them fail to compile, fixing them will come in a later patch, so libFuzzer tests are disabled on Windows until them.
Patch By: metzman
Reviewers: morehouse, rnk
Reviewed By: morehouse, rnk
Subscribers: #sanitizers, delcypher, morehouse, kcc, eraman
Differential Revision: https://reviews.llvm.org/D51022
llvm-svn: 341082
2018-08-30 23:54:44 +08:00
|
|
|
if (Section == SanCovCountersSectionName)
|
|
|
|
|
return ".SCOV$CM";
|
|
|
|
|
if (Section == SanCovPCsSectionName)
|
|
|
|
|
return ".SCOVP$M";
|
|
|
|
|
return ".SCOV$GM"; // For SanCovGuardsSectionName.
|
|
|
|
|
}
|
2017-02-03 09:08:06 +08:00
|
|
|
if (TargetTriple.isOSBinFormatMachO())
|
2017-06-03 07:13:44 +08:00
|
|
|
return "__DATA,__" + Section;
|
|
|
|
|
return "__" + Section;
|
2017-02-03 09:08:06 +08:00
|
|
|
}
|
|
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
std::string
|
|
|
|
|
ModuleSanitizerCoverage::getSectionStart(const std::string &Section) const {
|
|
|
|
|
if (TargetTriple.isOSBinFormatMachO())
|
|
|
|
|
return "\1section$start$__DATA$__" + Section;
|
|
|
|
|
return "__start___" + Section;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::string
|
|
|
|
|
ModuleSanitizerCoverage::getSectionEnd(const std::string &Section) const {
|
|
|
|
|
if (TargetTriple.isOSBinFormatMachO())
|
|
|
|
|
return "\1section$end$__DATA$__" + Section;
|
|
|
|
|
return "__stop___" + Section;
|
|
|
|
|
}
|
2017-02-03 09:08:06 +08:00
|
|
|
|
2019-09-05 04:30:29 +08:00
|
|
|
char ModuleSanitizerCoverageLegacyPass::ID = 0;
|
|
|
|
|
INITIALIZE_PASS_BEGIN(ModuleSanitizerCoverageLegacyPass, "sancov",
|
2019-07-26 04:53:15 +08:00
|
|
|
"Pass for instrumenting coverage on functions", false,
|
|
|
|
|
false)
|
2016-02-27 13:50:40 +08:00
|
|
|
INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
|
2017-05-24 08:29:12 +08:00
|
|
|
INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass)
|
2019-09-05 04:30:29 +08:00
|
|
|
INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov",
|
2019-07-26 04:53:15 +08:00
|
|
|
"Pass for instrumenting coverage on functions", false,
|
|
|
|
|
false)
|
|
|
|
|
ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
|
2015-05-07 09:00:31 +08:00
|
|
|
const SanitizerCoverageOptions &Options) {
|
2019-07-26 04:53:15 +08:00
|
|
|
return new ModuleSanitizerCoverageLegacyPass(Options);
|
2014-11-12 06:14:37 +08:00
|
|
|
}
|