1 /* Optimize and expand sanitizer functions.
2 Copyright (C) 2014-2020 Free Software Foundation, Inc.
3 Contributed by Marek Polacek <polacek@redhat.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
23 #include "coretypes.h"
28 #include "tree-pass.h"
29 #include "tree-ssa-operands.h"
30 #include "gimple-pretty-print.h"
31 #include "fold-const.h"
32 #include "gimple-iterator.h"
33 #include "stringpool.h"
37 #include "tree-hash-traits.h"
38 #include "gimple-ssa.h"
39 #include "tree-phinodes.h"
40 #include "ssa-iterators.h"
42 #include "gimple-iterator.h"
43 #include "gimple-walk.h"
49 /* This is used to carry information about basic blocks. It is
50 attached to the AUX field of the standard CFG block. */
54 /* True if this BB might call (directly or indirectly) free/munmap
55 or similar operation. */
56 bool has_freeing_call_p;
58 /* True if HAS_FREEING_CALL_P flag has been computed. */
59 bool has_freeing_call_computed_p;
61 /* True if there is a block with HAS_FREEING_CALL_P flag set
62 on any path between an immediate dominator of BB, denoted
64 bool imm_dom_path_with_freeing_call_p;
66 /* True if IMM_DOM_PATH_WITH_FREEING_CALL_P has been computed. */
67 bool imm_dom_path_with_freeing_call_computed_p;
69 /* Number of possibly freeing calls encountered in this bb
71 uint64_t freeing_call_events;
73 /* True if BB is currently being visited during computation
74 of IMM_DOM_PATH_WITH_FREEING_CALL_P flag. */
77 /* True if this BB has been visited in the dominator walk. */
81 /* If T has a single definition of form T = T2, return T2. */
84 maybe_get_single_definition (tree t)
86 if (TREE_CODE (t) == SSA_NAME)
88 gimple *g = SSA_NAME_DEF_STMT (t);
89 if (gimple_assign_single_p (g))
90 return gimple_assign_rhs1 (g);
95 /* Tree triplet for vptr_check_map. */
96 struct sanopt_tree_triplet
101 /* Traits class for tree triplet hash maps below. */
103 struct sanopt_tree_triplet_hash : typed_noop_remove <sanopt_tree_triplet>
105 typedef sanopt_tree_triplet value_type;
106 typedef sanopt_tree_triplet compare_type;
109 hash (const sanopt_tree_triplet &ref)
111 inchash::hash hstate (0);
112 inchash::add_expr (ref.t1, hstate);
113 inchash::add_expr (ref.t2, hstate);
114 inchash::add_expr (ref.t3, hstate);
115 return hstate.end ();
119 equal (const sanopt_tree_triplet &ref1, const sanopt_tree_triplet &ref2)
121 return operand_equal_p (ref1.t1, ref2.t1, 0)
122 && operand_equal_p (ref1.t2, ref2.t2, 0)
123 && operand_equal_p (ref1.t3, ref2.t3, 0);
127 mark_deleted (sanopt_tree_triplet &ref)
129 ref.t1 = reinterpret_cast<tree> (1);
132 static const bool empty_zero_p = true;
135 mark_empty (sanopt_tree_triplet &ref)
141 is_deleted (const sanopt_tree_triplet &ref)
143 return ref.t1 == reinterpret_cast<tree> (1);
147 is_empty (const sanopt_tree_triplet &ref)
149 return ref.t1 == NULL;
153 /* Tree couple for ptr_check_map. */
154 struct sanopt_tree_couple
160 /* Traits class for tree triplet hash maps below. */
162 struct sanopt_tree_couple_hash : typed_noop_remove <sanopt_tree_couple>
164 typedef sanopt_tree_couple value_type;
165 typedef sanopt_tree_couple compare_type;
168 hash (const sanopt_tree_couple &ref)
170 inchash::hash hstate (0);
171 inchash::add_expr (ref.ptr, hstate);
172 hstate.add_int (ref.pos_p);
173 return hstate.end ();
177 equal (const sanopt_tree_couple &ref1, const sanopt_tree_couple &ref2)
179 return operand_equal_p (ref1.ptr, ref2.ptr, 0)
180 && ref1.pos_p == ref2.pos_p;
184 mark_deleted (sanopt_tree_couple &ref)
186 ref.ptr = reinterpret_cast<tree> (1);
189 static const bool empty_zero_p = true;
192 mark_empty (sanopt_tree_couple &ref)
198 is_deleted (const sanopt_tree_couple &ref)
200 return ref.ptr == reinterpret_cast<tree> (1);
204 is_empty (const sanopt_tree_couple &ref)
206 return ref.ptr == NULL;
210 /* This is used to carry various hash maps and variables used
211 in sanopt_optimize_walker. */
216 /* This map maps a pointer (the first argument of UBSAN_NULL) to
217 a vector of UBSAN_NULL call statements that check this pointer. */
218 hash_map<tree, auto_vec<gimple *> > null_check_map;
220 /* This map maps a pointer (the second argument of ASAN_CHECK) to
221 a vector of ASAN_CHECK call statements that check the access. */
222 hash_map<tree_operand_hash, auto_vec<gimple *> > asan_check_map;
224 /* This map maps a tree triplet (the first, second and fourth argument
225 of UBSAN_VPTR) to a vector of UBSAN_VPTR call statements that check
226 that virtual table pointer. */
227 hash_map<sanopt_tree_triplet_hash, auto_vec<gimple *> > vptr_check_map;
229 /* This map maps a couple (tree and boolean) to a vector of UBSAN_PTR
230 call statements that check that pointer overflow. */
231 hash_map<sanopt_tree_couple_hash, auto_vec<gimple *> > ptr_check_map;
233 /* Number of IFN_ASAN_CHECK statements. */
234 int asan_num_accesses;
236 /* True when the current functions constains an ASAN_MARK. */
237 bool contains_asan_mark;
240 /* Return true if there might be any call to free/munmap operation
241 on any path in between DOM (which should be imm(BB)) and BB. */
244 imm_dom_path_with_freeing_call (basic_block bb, basic_block dom)
246 sanopt_info *info = (sanopt_info *) bb->aux;
250 if (info->imm_dom_path_with_freeing_call_computed_p)
251 return info->imm_dom_path_with_freeing_call_p;
253 info->being_visited_p = true;
255 FOR_EACH_EDGE (e, ei, bb->preds)
257 sanopt_info *pred_info = (sanopt_info *) e->src->aux;
262 if ((pred_info->imm_dom_path_with_freeing_call_computed_p
263 && pred_info->imm_dom_path_with_freeing_call_p)
264 || (pred_info->has_freeing_call_computed_p
265 && pred_info->has_freeing_call_p))
267 info->imm_dom_path_with_freeing_call_computed_p = true;
268 info->imm_dom_path_with_freeing_call_p = true;
269 info->being_visited_p = false;
274 FOR_EACH_EDGE (e, ei, bb->preds)
276 sanopt_info *pred_info = (sanopt_info *) e->src->aux;
281 if (pred_info->has_freeing_call_computed_p)
284 gimple_stmt_iterator gsi;
285 for (gsi = gsi_start_bb (e->src); !gsi_end_p (gsi); gsi_next (&gsi))
287 gimple *stmt = gsi_stmt (gsi);
290 if ((is_gimple_call (stmt) && !nonfreeing_call_p (stmt))
291 || ((asm_stmt = dyn_cast <gasm *> (stmt))
292 && (gimple_asm_clobbers_memory_p (asm_stmt)
293 || gimple_asm_volatile_p (asm_stmt))))
295 pred_info->has_freeing_call_p = true;
300 pred_info->has_freeing_call_computed_p = true;
301 if (pred_info->has_freeing_call_p)
303 info->imm_dom_path_with_freeing_call_computed_p = true;
304 info->imm_dom_path_with_freeing_call_p = true;
305 info->being_visited_p = false;
310 FOR_EACH_EDGE (e, ei, bb->preds)
316 for (src = e->src; src != dom; )
318 sanopt_info *pred_info = (sanopt_info *) src->aux;
319 if (pred_info->being_visited_p)
321 basic_block imm = get_immediate_dominator (CDI_DOMINATORS, src);
322 if (imm_dom_path_with_freeing_call (src, imm))
324 info->imm_dom_path_with_freeing_call_computed_p = true;
325 info->imm_dom_path_with_freeing_call_p = true;
326 info->being_visited_p = false;
333 info->imm_dom_path_with_freeing_call_computed_p = true;
334 info->imm_dom_path_with_freeing_call_p = false;
335 info->being_visited_p = false;
339 /* Get the first dominating check from the list of stored checks.
340 Non-dominating checks are silently dropped. */
343 maybe_get_dominating_check (auto_vec<gimple *> &v)
345 for (; !v.is_empty (); v.pop ())
347 gimple *g = v.last ();
348 sanopt_info *si = (sanopt_info *) gimple_bb (g)->aux;
350 /* At this point we shouldn't have any statements
351 that aren't dominating the current BB. */
357 /* Optimize away redundant UBSAN_NULL calls. */
360 maybe_optimize_ubsan_null_ifn (class sanopt_ctx *ctx, gimple *stmt)
362 gcc_assert (gimple_call_num_args (stmt) == 3);
363 tree ptr = gimple_call_arg (stmt, 0);
364 tree cur_align = gimple_call_arg (stmt, 2);
365 gcc_assert (TREE_CODE (cur_align) == INTEGER_CST);
368 auto_vec<gimple *> &v = ctx->null_check_map.get_or_insert (ptr);
369 gimple *g = maybe_get_dominating_check (v);
372 /* For this PTR we don't have any UBSAN_NULL stmts recorded, so there's
373 nothing to optimize yet. */
378 /* We already have recorded a UBSAN_NULL check for this pointer. Perhaps we
379 can drop this one. But only if this check doesn't specify stricter
382 tree align = gimple_call_arg (g, 2);
383 int kind = tree_to_shwi (gimple_call_arg (g, 1));
384 /* If this is a NULL pointer check where we had segv anyway, we can
386 if (integer_zerop (align)
387 && (kind == UBSAN_LOAD_OF
388 || kind == UBSAN_STORE_OF
389 || kind == UBSAN_MEMBER_ACCESS))
391 /* Otherwise remove the check in non-recovering mode, or if the
392 stmts have same location. */
393 else if (integer_zerop (align))
394 remove = (flag_sanitize_recover & SANITIZE_NULL) == 0
395 || flag_sanitize_undefined_trap_on_error
396 || gimple_location (g) == gimple_location (stmt);
397 else if (tree_int_cst_le (cur_align, align))
398 remove = (flag_sanitize_recover & SANITIZE_ALIGNMENT) == 0
399 || flag_sanitize_undefined_trap_on_error
400 || gimple_location (g) == gimple_location (stmt);
402 if (!remove && gimple_bb (g) == gimple_bb (stmt)
403 && tree_int_cst_compare (cur_align, align) == 0)
411 /* Return true when pointer PTR for a given CUR_OFFSET is already sanitized
412 in a given sanitization context CTX. */
415 has_dominating_ubsan_ptr_check (sanopt_ctx *ctx, tree ptr,
416 offset_int &cur_offset)
418 bool pos_p = !wi::neg_p (cur_offset);
419 sanopt_tree_couple couple;
421 couple.pos_p = pos_p;
423 auto_vec<gimple *> &v = ctx->ptr_check_map.get_or_insert (couple);
424 gimple *g = maybe_get_dominating_check (v);
428 /* We already have recorded a UBSAN_PTR check for this pointer. Perhaps we
429 can drop this one. But only if this check doesn't specify larger offset.
431 tree offset = gimple_call_arg (g, 1);
432 gcc_assert (TREE_CODE (offset) == INTEGER_CST);
433 offset_int ooffset = wi::sext (wi::to_offset (offset), POINTER_SIZE);
437 if (wi::les_p (cur_offset, ooffset))
440 else if (!pos_p && wi::les_p (ooffset, cur_offset))
446 /* Record UBSAN_PTR check of given context CTX. Register pointer PTR on
447 a given OFFSET that it's handled by GIMPLE STMT. */
450 record_ubsan_ptr_check_stmt (sanopt_ctx *ctx, gimple *stmt, tree ptr,
451 const offset_int &offset)
453 sanopt_tree_couple couple;
455 couple.pos_p = !wi::neg_p (offset);
457 auto_vec<gimple *> &v = ctx->ptr_check_map.get_or_insert (couple);
461 /* Optimize away redundant UBSAN_PTR calls. */
464 maybe_optimize_ubsan_ptr_ifn (sanopt_ctx *ctx, gimple *stmt)
466 poly_int64 bitsize, pbitpos;
468 int volatilep = 0, reversep, unsignedp = 0;
471 gcc_assert (gimple_call_num_args (stmt) == 2);
472 tree ptr = gimple_call_arg (stmt, 0);
473 tree off = gimple_call_arg (stmt, 1);
475 if (TREE_CODE (off) != INTEGER_CST)
478 if (integer_zerop (off))
481 offset_int cur_offset = wi::sext (wi::to_offset (off), POINTER_SIZE);
482 if (has_dominating_ubsan_ptr_check (ctx, ptr, cur_offset))
486 if (TREE_CODE (base) == ADDR_EXPR)
488 base = TREE_OPERAND (base, 0);
490 HOST_WIDE_INT bitpos;
491 base = get_inner_reference (base, &bitsize, &pbitpos, &offset, &mode,
492 &unsignedp, &reversep, &volatilep);
493 if ((offset == NULL_TREE || TREE_CODE (offset) == INTEGER_CST)
495 && !DECL_REGISTER (base)
496 && pbitpos.is_constant (&bitpos))
498 offset_int expr_offset;
500 expr_offset = wi::to_offset (offset) + bitpos / BITS_PER_UNIT;
502 expr_offset = bitpos / BITS_PER_UNIT;
503 expr_offset = wi::sext (expr_offset, POINTER_SIZE);
504 offset_int total_offset = expr_offset + cur_offset;
505 if (total_offset != wi::sext (total_offset, POINTER_SIZE))
507 record_ubsan_ptr_check_stmt (ctx, stmt, ptr, cur_offset);
511 /* If BASE is a fixed size automatic variable or
512 global variable defined in the current TU, we don't have
513 to instrument anything if offset is within address
516 || TREE_CODE (base) == PARM_DECL
517 || TREE_CODE (base) == RESULT_DECL)
518 && DECL_SIZE_UNIT (base)
519 && TREE_CODE (DECL_SIZE_UNIT (base)) == INTEGER_CST
520 && (!is_global_var (base) || decl_binds_to_current_def_p (base)))
522 offset_int base_size = wi::to_offset (DECL_SIZE_UNIT (base));
523 if (!wi::neg_p (expr_offset)
524 && wi::les_p (total_offset, base_size))
526 if (!wi::neg_p (total_offset)
527 && wi::les_p (total_offset, base_size))
532 /* Following expression: UBSAN_PTR (&MEM_REF[ptr + x], y) can be
535 1) sign (x) == sign (y), then check for dominating check of (x + y)
536 2) sign (x) != sign (y), then first check if we have a dominating
537 check for ptr + x. If so, then we have 2 situations:
538 a) sign (x) == sign (x + y), here we are done, example:
539 UBSAN_PTR (&MEM_REF[ptr + 100], -50)
540 b) check for dominating check of ptr + x + y.
543 bool sign_cur_offset = !wi::neg_p (cur_offset);
544 bool sign_expr_offset = !wi::neg_p (expr_offset);
547 = build1 (ADDR_EXPR, build_pointer_type (TREE_TYPE (base)), base);
550 if (sign_cur_offset == sign_expr_offset)
552 if (has_dominating_ubsan_ptr_check (ctx, base_addr, total_offset))
559 if (!has_dominating_ubsan_ptr_check (ctx, base_addr, expr_offset))
560 ; /* Don't record base_addr + expr_offset, it's not a guarding
564 bool sign_total_offset = !wi::neg_p (total_offset);
565 if (sign_expr_offset == sign_total_offset)
569 if (has_dominating_ubsan_ptr_check (ctx, base_addr,
578 /* Record a new dominating check for base_addr + total_offset. */
579 if (add && !operand_equal_p (base, base_addr, 0))
580 record_ubsan_ptr_check_stmt (ctx, stmt, base_addr,
585 /* For this PTR we don't have any UBSAN_PTR stmts recorded, so there's
586 nothing to optimize yet. */
587 record_ubsan_ptr_check_stmt (ctx, stmt, ptr, cur_offset);
592 /* Optimize away redundant UBSAN_VPTR calls. The second argument
593 is the value loaded from the virtual table, so rely on FRE to find out
594 when we can actually optimize. */
597 maybe_optimize_ubsan_vptr_ifn (class sanopt_ctx *ctx, gimple *stmt)
599 gcc_assert (gimple_call_num_args (stmt) == 5);
600 sanopt_tree_triplet triplet;
601 triplet.t1 = gimple_call_arg (stmt, 0);
602 triplet.t2 = gimple_call_arg (stmt, 1);
603 triplet.t3 = gimple_call_arg (stmt, 3);
605 auto_vec<gimple *> &v = ctx->vptr_check_map.get_or_insert (triplet);
606 gimple *g = maybe_get_dominating_check (v);
609 /* For this PTR we don't have any UBSAN_VPTR stmts recorded, so there's
610 nothing to optimize yet. */
618 /* Returns TRUE if ASan check of length LEN in block BB can be removed
619 if preceded by checks in V. */
622 can_remove_asan_check (auto_vec<gimple *> &v, tree len, basic_block bb)
626 gimple *to_pop = NULL;
628 basic_block last_bb = bb;
629 bool cleanup = false;
631 FOR_EACH_VEC_ELT_REVERSE (v, i, g)
633 basic_block gbb = gimple_bb (g);
634 sanopt_info *si = (sanopt_info *) gbb->aux;
635 if (gimple_uid (g) < si->freeing_call_events)
637 /* If there is a potentially freeing call after g in gbb, we should
638 remove it from the vector, can't use in optimization. */
643 tree glen = gimple_call_arg (g, 2);
644 gcc_assert (TREE_CODE (glen) == INTEGER_CST);
646 /* If we've checked only smaller length than we want to check now,
647 we can't remove the current stmt. If g is in the same basic block,
648 we want to remove it though, as the current stmt is better. */
649 if (tree_int_cst_lt (glen, len))
659 while (last_bb != gbb)
661 /* Paths from last_bb to bb have been checked before.
662 gbb is necessarily a dominator of last_bb, but not necessarily
663 immediate dominator. */
664 if (((sanopt_info *) last_bb->aux)->freeing_call_events)
667 basic_block imm = get_immediate_dominator (CDI_DOMINATORS, last_bb);
669 if (imm_dom_path_with_freeing_call (last_bb, imm))
681 unsigned int j = 0, l = v.length ();
682 for (i = 0; i < l; i++)
684 && (gimple_uid (v[i])
686 gimple_bb (v[i])->aux)->freeing_call_events))
698 /* Optimize away redundant ASAN_CHECK calls. */
701 maybe_optimize_asan_check_ifn (class sanopt_ctx *ctx, gimple *stmt)
703 gcc_assert (gimple_call_num_args (stmt) == 4);
704 tree ptr = gimple_call_arg (stmt, 1);
705 tree len = gimple_call_arg (stmt, 2);
706 basic_block bb = gimple_bb (stmt);
707 sanopt_info *info = (sanopt_info *) bb->aux;
709 if (TREE_CODE (len) != INTEGER_CST)
711 if (integer_zerop (len))
714 gimple_set_uid (stmt, info->freeing_call_events);
716 auto_vec<gimple *> *ptr_checks = &ctx->asan_check_map.get_or_insert (ptr);
718 tree base_addr = maybe_get_single_definition (ptr);
719 auto_vec<gimple *> *base_checks = NULL;
722 base_checks = &ctx->asan_check_map.get_or_insert (base_addr);
723 /* Original pointer might have been invalidated. */
724 ptr_checks = ctx->asan_check_map.get (ptr);
727 gimple *g = maybe_get_dominating_check (*ptr_checks);
731 /* Try with base address as well. */
732 g2 = maybe_get_dominating_check (*base_checks);
734 if (g == NULL && g2 == NULL)
736 /* For this PTR we don't have any ASAN_CHECK stmts recorded, so there's
737 nothing to optimize yet. */
738 ptr_checks->safe_push (stmt);
740 base_checks->safe_push (stmt);
747 remove = can_remove_asan_check (*ptr_checks, len, bb);
749 if (!remove && base_checks)
750 /* Try with base address as well. */
751 remove = can_remove_asan_check (*base_checks, len, bb);
755 ptr_checks->safe_push (stmt);
757 base_checks->safe_push (stmt);
763 /* Try to optimize away redundant UBSAN_NULL and ASAN_CHECK calls.
765 We walk blocks in the CFG via a depth first search of the dominator
766 tree; we push unique UBSAN_NULL or ASAN_CHECK statements into a vector
767 in the NULL_CHECK_MAP or ASAN_CHECK_MAP hash maps as we enter the
768 blocks. When leaving a block, we mark the block as visited; then
769 when checking the statements in the vector, we ignore statements that
770 are coming from already visited blocks, because these cannot dominate
771 anything anymore. CTX is a sanopt context. */
774 sanopt_optimize_walker (basic_block bb, class sanopt_ctx *ctx)
777 gimple_stmt_iterator gsi;
778 sanopt_info *info = (sanopt_info *) bb->aux;
779 bool asan_check_optimize = (flag_sanitize & SANITIZE_ADDRESS) != 0;
781 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi);)
783 gimple *stmt = gsi_stmt (gsi);
786 if (!is_gimple_call (stmt))
788 /* Handle asm volatile or asm with "memory" clobber
789 the same as potentionally freeing call. */
790 gasm *asm_stmt = dyn_cast <gasm *> (stmt);
792 && asan_check_optimize
793 && (gimple_asm_clobbers_memory_p (asm_stmt)
794 || gimple_asm_volatile_p (asm_stmt)))
795 info->freeing_call_events++;
800 if (asan_check_optimize && !nonfreeing_call_p (stmt))
801 info->freeing_call_events++;
803 /* If __asan_before_dynamic_init ("module"); is followed by
804 __asan_after_dynamic_init (); without intervening memory loads/stores,
805 there is nothing to guard, so optimize both away. */
806 if (asan_check_optimize
807 && gimple_call_builtin_p (stmt, BUILT_IN_ASAN_BEFORE_DYNAMIC_INIT))
811 if (single_imm_use (gimple_vdef (stmt), &use, &use_stmt))
813 if (is_gimple_call (use_stmt)
814 && gimple_call_builtin_p (use_stmt,
815 BUILT_IN_ASAN_AFTER_DYNAMIC_INIT))
817 unlink_stmt_vdef (use_stmt);
818 gimple_stmt_iterator gsi2 = gsi_for_stmt (use_stmt);
819 gsi_remove (&gsi2, true);
825 if (gimple_call_internal_p (stmt))
826 switch (gimple_call_internal_fn (stmt))
829 remove = maybe_optimize_ubsan_null_ifn (ctx, stmt);
832 remove = maybe_optimize_ubsan_vptr_ifn (ctx, stmt);
835 remove = maybe_optimize_ubsan_ptr_ifn (ctx, stmt);
838 if (asan_check_optimize)
839 remove = maybe_optimize_asan_check_ifn (ctx, stmt);
841 ctx->asan_num_accesses++;
844 ctx->contains_asan_mark = true;
852 /* Drop this check. */
853 if (dump_file && (dump_flags & TDF_DETAILS))
855 fprintf (dump_file, "Optimizing out: ");
856 print_gimple_stmt (dump_file, stmt, 0, dump_flags);
858 unlink_stmt_vdef (stmt);
859 gsi_remove (&gsi, true);
863 if (dump_file && (dump_flags & TDF_DETAILS))
865 fprintf (dump_file, "Leaving: ");
866 print_gimple_stmt (dump_file, stmt, 0, dump_flags);
873 if (asan_check_optimize)
875 info->has_freeing_call_p = info->freeing_call_events != 0;
876 info->has_freeing_call_computed_p = true;
879 for (son = first_dom_son (CDI_DOMINATORS, bb);
881 son = next_dom_son (CDI_DOMINATORS, son))
882 sanopt_optimize_walker (son, ctx);
884 /* We're leaving this BB, so mark it to that effect. */
885 info->visited_p = true;
888 /* Try to remove redundant sanitizer checks in function FUN. */
891 sanopt_optimize (function *fun, bool *contains_asan_mark)
893 class sanopt_ctx ctx;
894 ctx.asan_num_accesses = 0;
895 ctx.contains_asan_mark = false;
897 /* Set up block info for each basic block. */
898 alloc_aux_for_blocks (sizeof (sanopt_info));
900 /* We're going to do a dominator walk, so ensure that we have
901 dominance information. */
902 calculate_dominance_info (CDI_DOMINATORS);
904 /* Recursively walk the dominator tree optimizing away
906 sanopt_optimize_walker (ENTRY_BLOCK_PTR_FOR_FN (fun), &ctx);
908 free_aux_for_blocks ();
910 *contains_asan_mark = ctx.contains_asan_mark;
911 return ctx.asan_num_accesses;
914 /* Perform optimization of sanitize functions. */
918 const pass_data pass_data_sanopt =
920 GIMPLE_PASS, /* type */
922 OPTGROUP_NONE, /* optinfo_flags */
924 ( PROP_ssa | PROP_cfg | PROP_gimple_leh ), /* properties_required */
925 0, /* properties_provided */
926 0, /* properties_destroyed */
927 0, /* todo_flags_start */
928 TODO_update_ssa, /* todo_flags_finish */
931 class pass_sanopt : public gimple_opt_pass
934 pass_sanopt (gcc::context *ctxt)
935 : gimple_opt_pass (pass_data_sanopt, ctxt)
938 /* opt_pass methods: */
939 virtual bool gate (function *) { return flag_sanitize; }
940 virtual unsigned int execute (function *);
942 }; // class pass_sanopt
944 /* Sanitize all ASAN_MARK unpoison calls that are not reachable by a BB
945 that contains an ASAN_MARK poison. All these ASAN_MARK unpoison call
946 can be removed as all variables are unpoisoned in a function prologue. */
949 sanitize_asan_mark_unpoison (void)
951 /* 1) Find all BBs that contain an ASAN_MARK poison call. */
952 auto_sbitmap with_poison (last_basic_block_for_fn (cfun) + 1);
953 bitmap_clear (with_poison);
956 FOR_EACH_BB_FN (bb, cfun)
958 if (bitmap_bit_p (with_poison, bb->index))
961 gimple_stmt_iterator gsi;
962 for (gsi = gsi_last_bb (bb); !gsi_end_p (gsi); gsi_prev (&gsi))
964 gimple *stmt = gsi_stmt (gsi);
965 if (asan_mark_p (stmt, ASAN_MARK_POISON))
967 bitmap_set_bit (with_poison, bb->index);
973 auto_sbitmap poisoned (last_basic_block_for_fn (cfun) + 1);
974 bitmap_clear (poisoned);
975 auto_sbitmap worklist (last_basic_block_for_fn (cfun) + 1);
976 bitmap_copy (worklist, with_poison);
978 /* 2) Propagate the information to all reachable blocks. */
979 while (!bitmap_empty_p (worklist))
981 unsigned i = bitmap_first_set_bit (worklist);
982 bitmap_clear_bit (worklist, i);
983 basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
988 FOR_EACH_EDGE (e, ei, bb->succs)
989 if (!bitmap_bit_p (poisoned, e->dest->index))
991 bitmap_set_bit (poisoned, e->dest->index);
992 bitmap_set_bit (worklist, e->dest->index);
996 /* 3) Iterate all BBs not included in POISONED BBs and remove unpoison
997 ASAN_MARK preceding an ASAN_MARK poison (which can still happen). */
998 FOR_EACH_BB_FN (bb, cfun)
1000 if (bitmap_bit_p (poisoned, bb->index))
1003 gimple_stmt_iterator gsi;
1004 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi);)
1006 gimple *stmt = gsi_stmt (gsi);
1007 if (gimple_call_internal_p (stmt, IFN_ASAN_MARK))
1009 if (asan_mark_p (stmt, ASAN_MARK_POISON))
1014 fprintf (dump_file, "Removing ASAN_MARK unpoison\n");
1015 unlink_stmt_vdef (stmt);
1016 release_defs (stmt);
1017 gsi_remove (&gsi, true);
1027 /* Return true when STMT is either ASAN_CHECK call or a call of a function
1028 that can contain an ASAN_CHECK. */
1031 maybe_contains_asan_check (gimple *stmt)
1033 if (is_gimple_call (stmt))
1035 if (gimple_call_internal_p (stmt, IFN_ASAN_MARK))
1038 return !(gimple_call_flags (stmt) & ECF_CONST);
1040 else if (is_a<gasm *> (stmt))
1046 /* Sanitize all ASAN_MARK poison calls that are not followed by an ASAN_CHECK
1047 call. These calls can be removed. */
1050 sanitize_asan_mark_poison (void)
1052 /* 1) Find all BBs that possibly contain an ASAN_CHECK. */
1053 auto_sbitmap with_check (last_basic_block_for_fn (cfun) + 1);
1054 bitmap_clear (with_check);
1057 FOR_EACH_BB_FN (bb, cfun)
1059 gimple_stmt_iterator gsi;
1060 for (gsi = gsi_last_bb (bb); !gsi_end_p (gsi); gsi_prev (&gsi))
1062 gimple *stmt = gsi_stmt (gsi);
1063 if (maybe_contains_asan_check (stmt))
1065 bitmap_set_bit (with_check, bb->index);
1071 auto_sbitmap can_reach_check (last_basic_block_for_fn (cfun) + 1);
1072 bitmap_clear (can_reach_check);
1073 auto_sbitmap worklist (last_basic_block_for_fn (cfun) + 1);
1074 bitmap_copy (worklist, with_check);
1076 /* 2) Propagate the information to all definitions blocks. */
1077 while (!bitmap_empty_p (worklist))
1079 unsigned i = bitmap_first_set_bit (worklist);
1080 bitmap_clear_bit (worklist, i);
1081 basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
1086 FOR_EACH_EDGE (e, ei, bb->preds)
1087 if (!bitmap_bit_p (can_reach_check, e->src->index))
1089 bitmap_set_bit (can_reach_check, e->src->index);
1090 bitmap_set_bit (worklist, e->src->index);
1094 /* 3) Iterate all BBs not included in CAN_REACH_CHECK BBs and remove poison
1095 ASAN_MARK not followed by a call to function having an ASAN_CHECK. */
1096 FOR_EACH_BB_FN (bb, cfun)
1098 if (bitmap_bit_p (can_reach_check, bb->index))
1101 gimple_stmt_iterator gsi;
1102 for (gsi = gsi_last_bb (bb); !gsi_end_p (gsi);)
1104 gimple *stmt = gsi_stmt (gsi);
1105 if (maybe_contains_asan_check (stmt))
1107 else if (asan_mark_p (stmt, ASAN_MARK_POISON))
1110 fprintf (dump_file, "Removing ASAN_MARK poison\n");
1111 unlink_stmt_vdef (stmt);
1112 release_defs (stmt);
1113 gimple_stmt_iterator gsi2 = gsi;
1115 gsi_remove (&gsi2, true);
1124 /* Rewrite all usages of tree OP which is a PARM_DECL with a VAR_DECL
1125 that is it's DECL_VALUE_EXPR. */
1128 rewrite_usage_of_param (tree *op, int *walk_subtrees, void *)
1130 if (TREE_CODE (*op) == PARM_DECL && DECL_HAS_VALUE_EXPR_P (*op))
1132 *op = DECL_VALUE_EXPR (*op);
1139 /* For a given function FUN, rewrite all addressable parameters so that
1140 a new automatic variable is introduced. Right after function entry
1141 a parameter is assigned to the variable. */
1144 sanitize_rewrite_addressable_params (function *fun)
1147 gimple_seq stmts = NULL;
1148 bool has_any_addressable_param = false;
1149 auto_vec<tree> clear_value_expr_list;
1151 for (tree arg = DECL_ARGUMENTS (current_function_decl);
1152 arg; arg = DECL_CHAIN (arg))
1154 tree type = TREE_TYPE (arg);
1155 if (TREE_ADDRESSABLE (arg)
1156 && !TREE_ADDRESSABLE (type)
1157 && !TREE_THIS_VOLATILE (arg)
1158 && TREE_CODE (TYPE_SIZE (type)) == INTEGER_CST)
1160 TREE_ADDRESSABLE (arg) = 0;
1161 DECL_NOT_GIMPLE_REG_P (arg) = 0;
1162 /* The parameter is no longer addressable. */
1163 has_any_addressable_param = true;
1165 /* Create a new automatic variable. */
1166 tree var = build_decl (DECL_SOURCE_LOCATION (arg),
1167 VAR_DECL, DECL_NAME (arg), type);
1168 TREE_ADDRESSABLE (var) = 1;
1169 DECL_IGNORED_P (var) = 1;
1171 gimple_add_tmp_var (var);
1173 /* We skip parameters that have a DECL_VALUE_EXPR. */
1174 if (DECL_HAS_VALUE_EXPR_P (arg))
1180 "Rewriting parameter whose address is taken: ");
1181 print_generic_expr (dump_file, arg, dump_flags);
1182 fputc ('\n', dump_file);
1185 SET_DECL_PT_UID (var, DECL_PT_UID (arg));
1187 /* Assign value of parameter to newly created variable. */
1188 if ((TREE_CODE (type) == COMPLEX_TYPE
1189 || TREE_CODE (type) == VECTOR_TYPE))
1191 /* We need to create a SSA name that will be used for the
1193 tree tmp = get_or_create_ssa_default_def (cfun, arg);
1194 g = gimple_build_assign (var, tmp);
1195 gimple_set_location (g, DECL_SOURCE_LOCATION (arg));
1196 gimple_seq_add_stmt (&stmts, g);
1200 g = gimple_build_assign (var, arg);
1201 gimple_set_location (g, DECL_SOURCE_LOCATION (arg));
1202 gimple_seq_add_stmt (&stmts, g);
1205 if (target_for_debug_bind (arg))
1207 g = gimple_build_debug_bind (arg, var, NULL);
1208 gimple_seq_add_stmt (&stmts, g);
1209 clear_value_expr_list.safe_push (arg);
1212 DECL_HAS_VALUE_EXPR_P (arg) = 1;
1213 SET_DECL_VALUE_EXPR (arg, var);
1217 if (!has_any_addressable_param)
1220 /* Replace all usages of PARM_DECLs with the newly
1221 created variable VAR. */
1223 FOR_EACH_BB_FN (bb, fun)
1225 gimple_stmt_iterator gsi;
1226 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi); gsi_next (&gsi))
1228 gimple *stmt = gsi_stmt (gsi);
1229 gimple_stmt_iterator it = gsi_for_stmt (stmt);
1230 walk_gimple_stmt (&it, NULL, rewrite_usage_of_param, NULL);
1232 for (gsi = gsi_start_phis (bb); !gsi_end_p (gsi); gsi_next (&gsi))
1234 gphi *phi = dyn_cast<gphi *> (gsi_stmt (gsi));
1235 for (unsigned i = 0; i < gimple_phi_num_args (phi); ++i)
1237 hash_set<tree> visited_nodes;
1238 walk_tree (gimple_phi_arg_def_ptr (phi, i),
1239 rewrite_usage_of_param, NULL, &visited_nodes);
1244 /* Unset value expr for parameters for which we created debug bind
1248 FOR_EACH_VEC_ELT (clear_value_expr_list, i, arg)
1250 DECL_HAS_VALUE_EXPR_P (arg) = 0;
1251 SET_DECL_VALUE_EXPR (arg, NULL_TREE);
1254 /* Insert default assignments at the beginning of a function. */
1255 basic_block entry_bb = ENTRY_BLOCK_PTR_FOR_FN (fun);
1256 entry_bb = split_edge (single_succ_edge (entry_bb));
1258 gimple_stmt_iterator gsi = gsi_start_bb (entry_bb);
1259 gsi_insert_seq_before (&gsi, stmts, GSI_NEW_STMT);
1263 pass_sanopt::execute (function *fun)
1266 int asan_num_accesses = 0;
1267 bool contains_asan_mark = false;
1269 /* Try to remove redundant checks. */
1272 & (SANITIZE_NULL | SANITIZE_ALIGNMENT
1273 | SANITIZE_ADDRESS | SANITIZE_VPTR | SANITIZE_POINTER_OVERFLOW)))
1274 asan_num_accesses = sanopt_optimize (fun, &contains_asan_mark);
1275 else if (flag_sanitize & SANITIZE_ADDRESS)
1277 gimple_stmt_iterator gsi;
1278 FOR_EACH_BB_FN (bb, fun)
1279 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi); gsi_next (&gsi))
1281 gimple *stmt = gsi_stmt (gsi);
1282 if (gimple_call_internal_p (stmt, IFN_ASAN_CHECK))
1283 ++asan_num_accesses;
1284 else if (gimple_call_internal_p (stmt, IFN_ASAN_MARK))
1285 contains_asan_mark = true;
1289 if (contains_asan_mark)
1291 sanitize_asan_mark_unpoison ();
1292 sanitize_asan_mark_poison ();
1295 if (asan_sanitize_stack_p ())
1296 sanitize_rewrite_addressable_params (fun);
1298 bool use_calls = param_asan_instrumentation_with_call_threshold < INT_MAX
1299 && asan_num_accesses >= param_asan_instrumentation_with_call_threshold;
1301 hash_map<tree, tree> shadow_vars_mapping;
1302 bool need_commit_edge_insert = false;
1303 FOR_EACH_BB_FN (bb, fun)
1305 gimple_stmt_iterator gsi;
1306 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi); )
1308 gimple *stmt = gsi_stmt (gsi);
1309 bool no_next = false;
1311 if (!is_gimple_call (stmt))
1317 if (gimple_call_internal_p (stmt))
1319 enum internal_fn ifn = gimple_call_internal_fn (stmt);
1322 case IFN_UBSAN_NULL:
1323 no_next = ubsan_expand_null_ifn (&gsi);
1325 case IFN_UBSAN_BOUNDS:
1326 no_next = ubsan_expand_bounds_ifn (&gsi);
1328 case IFN_UBSAN_OBJECT_SIZE:
1329 no_next = ubsan_expand_objsize_ifn (&gsi);
1332 no_next = ubsan_expand_ptr_ifn (&gsi);
1334 case IFN_UBSAN_VPTR:
1335 no_next = ubsan_expand_vptr_ifn (&gsi);
1337 case IFN_ASAN_CHECK:
1338 no_next = asan_expand_check_ifn (&gsi, use_calls);
1341 no_next = asan_expand_mark_ifn (&gsi);
1343 case IFN_ASAN_POISON:
1344 no_next = asan_expand_poison_ifn (&gsi,
1345 &need_commit_edge_insert,
1346 shadow_vars_mapping);
1352 else if (gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
1354 tree callee = gimple_call_fndecl (stmt);
1355 switch (DECL_FUNCTION_CODE (callee))
1357 case BUILT_IN_UNREACHABLE:
1358 if (sanitize_flags_p (SANITIZE_UNREACHABLE))
1359 no_next = ubsan_instrument_unreachable (&gsi);
1366 if (dump_file && (dump_flags & TDF_DETAILS))
1368 fprintf (dump_file, "Expanded: ");
1369 print_gimple_stmt (dump_file, stmt, 0, dump_flags);
1377 if (need_commit_edge_insert)
1378 gsi_commit_edge_inserts ();
1386 make_pass_sanopt (gcc::context *ctxt)
1388 return new pass_sanopt (ctxt);
projects / platform / upstream / gcc.git / blob