1 /* UndefinedBehaviorSanitizer, undefined behavior detector.
2 Copyright (C) 2013-2022 Free Software Foundation, Inc.
3 Contributed by Marek Polacek <polacek@redhat.com>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
23 #include "coretypes.h"
26 #include "c-family/c-common.h"
29 #include "tree-pass.h"
34 #include "tree-pretty-print.h"
35 #include "stor-layout.h"
37 #include "gimple-iterator.h"
42 #include "stringpool.h"
45 #include "gimplify-me.h"
48 #include "tree-object-size.h"
50 #include "gimple-fold.h"
53 /* Map from a tree to a VAR_DECL tree. */
55 struct GTY((for_user)) tree_type_map {
56 struct tree_map_base type;
60 struct tree_type_map_cache_hasher : ggc_cache_ptr_hash<tree_type_map>
62 static inline hashval_t
63 hash (tree_type_map *t)
65 return TYPE_UID (t->type.from);
69 equal (tree_type_map *a, tree_type_map *b)
71 return a->type.from == b->type.from;
75 keep_cache_entry (tree_type_map *&m)
77 return ggc_marked_p (m->type.from);
82 hash_table<tree_type_map_cache_hasher> *decl_tree_for_type;
84 /* Lookup a VAR_DECL for TYPE, and return it if we find one. */
87 decl_for_type_lookup (tree type)
89 /* If the hash table is not initialized yet, create it now. */
90 if (decl_tree_for_type == NULL)
93 = hash_table<tree_type_map_cache_hasher>::create_ggc (10);
94 /* That also means we don't have to bother with the lookup. */
98 struct tree_type_map *h, in;
101 h = decl_tree_for_type->find_with_hash (&in, TYPE_UID (type));
102 return h ? h->decl : NULL_TREE;
105 /* Insert a mapping TYPE->DECL in the VAR_DECL for type hashtable. */
108 decl_for_type_insert (tree type, tree decl)
110 struct tree_type_map *h;
112 h = ggc_alloc<tree_type_map> ();
115 *decl_tree_for_type->find_slot_with_hash (h, TYPE_UID (type), INSERT) = h;
118 /* Helper routine, which encodes a value in the pointer_sized_int_node.
119 Arguments with precision <= POINTER_SIZE are passed directly,
120 the rest is passed by reference. T is a value we are to encode.
121 PHASE determines when this function is called. */
124 ubsan_encode_value (tree t, enum ubsan_encode_value_phase phase)
126 tree type = TREE_TYPE (t);
127 scalar_mode mode = SCALAR_TYPE_MODE (type);
128 const unsigned int bitsize = GET_MODE_BITSIZE (mode);
129 if (bitsize <= POINTER_SIZE)
130 switch (TREE_CODE (type))
135 return fold_build1 (NOP_EXPR, pointer_sized_int_node, t);
138 tree itype = build_nonstandard_integer_type (bitsize, true);
139 t = fold_build1 (VIEW_CONVERT_EXPR, itype, t);
140 return fold_convert (pointer_sized_int_node, t);
147 if (!DECL_P (t) || !TREE_ADDRESSABLE (t))
149 /* The reason for this is that we don't want to pessimize
150 code by making vars unnecessarily addressable. */
152 if (phase != UBSAN_ENCODE_VALUE_GENERIC)
154 var = create_tmp_var (type);
155 mark_addressable (var);
159 var = create_tmp_var_raw (type);
160 TREE_ADDRESSABLE (var) = 1;
161 DECL_CONTEXT (var) = current_function_decl;
163 if (phase == UBSAN_ENCODE_VALUE_RTL)
165 rtx mem = assign_stack_temp_for_type (mode, GET_MODE_SIZE (mode),
167 SET_DECL_RTL (var, mem);
168 expand_assignment (var, t, false);
169 return build_fold_addr_expr (var);
171 if (phase != UBSAN_ENCODE_VALUE_GENERIC)
173 tree tem = build2 (MODIFY_EXPR, void_type_node, var, t);
174 t = build_fold_addr_expr (var);
175 return build2 (COMPOUND_EXPR, TREE_TYPE (t), tem, t);
179 var = build4 (TARGET_EXPR, type, var, t, NULL_TREE, NULL_TREE);
180 return build_fold_addr_expr (var);
184 return build_fold_addr_expr (t);
188 /* Cached ubsan_get_type_descriptor_type () return value. */
189 static GTY(()) tree ubsan_type_descriptor_type;
192 struct __ubsan_type_descriptor
194 unsigned short __typekind;
195 unsigned short __typeinfo;
201 ubsan_get_type_descriptor_type (void)
203 static const char *field_names[3]
204 = { "__typekind", "__typeinfo", "__typename" };
207 if (ubsan_type_descriptor_type)
208 return ubsan_type_descriptor_type;
210 tree itype = build_range_type (sizetype, size_zero_node, NULL_TREE);
211 tree flex_arr_type = build_array_type (char_type_node, itype);
213 ret = make_node (RECORD_TYPE);
214 for (int i = 0; i < 3; i++)
216 fields[i] = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
217 get_identifier (field_names[i]),
218 (i == 2) ? flex_arr_type
219 : short_unsigned_type_node);
220 DECL_CONTEXT (fields[i]) = ret;
222 DECL_CHAIN (fields[i - 1]) = fields[i];
224 tree type_decl = build_decl (input_location, TYPE_DECL,
225 get_identifier ("__ubsan_type_descriptor"),
227 DECL_IGNORED_P (type_decl) = 1;
228 DECL_ARTIFICIAL (type_decl) = 1;
229 TYPE_FIELDS (ret) = fields[0];
230 TYPE_NAME (ret) = type_decl;
231 TYPE_STUB_DECL (ret) = type_decl;
232 TYPE_ARTIFICIAL (ret) = 1;
234 ubsan_type_descriptor_type = ret;
238 /* Cached ubsan_get_source_location_type () return value. */
239 static GTY(()) tree ubsan_source_location_type;
242 struct __ubsan_source_location
244 const char *__filename;
246 unsigned int __column;
251 ubsan_get_source_location_type (void)
253 static const char *field_names[3]
254 = { "__filename", "__line", "__column" };
256 if (ubsan_source_location_type)
257 return ubsan_source_location_type;
259 tree const_char_type = build_qualified_type (char_type_node,
262 ret = make_node (RECORD_TYPE);
263 for (int i = 0; i < 3; i++)
265 fields[i] = build_decl (UNKNOWN_LOCATION, FIELD_DECL,
266 get_identifier (field_names[i]),
267 (i == 0) ? build_pointer_type (const_char_type)
268 : unsigned_type_node);
269 DECL_CONTEXT (fields[i]) = ret;
271 DECL_CHAIN (fields[i - 1]) = fields[i];
273 tree type_decl = build_decl (input_location, TYPE_DECL,
274 get_identifier ("__ubsan_source_location"),
276 DECL_IGNORED_P (type_decl) = 1;
277 DECL_ARTIFICIAL (type_decl) = 1;
278 TYPE_FIELDS (ret) = fields[0];
279 TYPE_NAME (ret) = type_decl;
280 TYPE_STUB_DECL (ret) = type_decl;
281 TYPE_ARTIFICIAL (ret) = 1;
283 ubsan_source_location_type = ret;
287 /* Helper routine that returns a CONSTRUCTOR of __ubsan_source_location
288 type with its fields filled from a location_t LOC. */
291 ubsan_source_location (location_t loc)
293 expanded_location xloc;
294 tree type = ubsan_get_source_location_type ();
296 xloc = expand_location (loc);
298 if (xloc.file == NULL)
300 str = build_int_cst (ptr_type_node, 0);
306 /* Fill in the values from LOC. */
307 size_t len = strlen (xloc.file) + 1;
308 str = build_string (len, xloc.file);
309 TREE_TYPE (str) = build_array_type_nelts (char_type_node, len);
310 TREE_READONLY (str) = 1;
311 TREE_STATIC (str) = 1;
312 str = build_fold_addr_expr (str);
314 tree ctor = build_constructor_va (type, 3, NULL_TREE, str, NULL_TREE,
315 build_int_cst (unsigned_type_node,
316 xloc.line), NULL_TREE,
317 build_int_cst (unsigned_type_node,
319 TREE_CONSTANT (ctor) = 1;
320 TREE_STATIC (ctor) = 1;
325 /* This routine returns a magic number for TYPE. */
327 static unsigned short
328 get_ubsan_type_info_for_type (tree type)
330 if (TREE_CODE (type) == REAL_TYPE)
331 return tree_to_uhwi (TYPE_SIZE (type));
332 else if (INTEGRAL_TYPE_P (type))
334 int prec = exact_log2 (tree_to_uhwi (TYPE_SIZE (type)));
335 gcc_assert (prec != -1);
336 return (prec << 1) | !TYPE_UNSIGNED (type);
342 /* Counters for internal labels. ubsan_ids[0] for Lubsan_type,
343 ubsan_ids[1] for Lubsan_data labels. */
344 static GTY(()) unsigned int ubsan_ids[2];
346 /* Helper routine that returns ADDR_EXPR of a VAR_DECL of a type
347 descriptor. It first looks into the hash table; if not found,
348 create the VAR_DECL, put it into the hash table and return the
349 ADDR_EXPR of it. TYPE describes a particular type. PSTYLE is
350 an enum controlling how we want to print the type. */
353 ubsan_type_descriptor (tree type, enum ubsan_print_style pstyle)
355 /* See through any typedefs. */
356 type = TYPE_MAIN_VARIANT (type);
358 tree decl = decl_for_type_lookup (type);
359 /* It is possible that some of the earlier created DECLs were found
360 unused, in that case they weren't emitted and varpool_node::get
361 returns NULL node on them. But now we really need them. Thus,
363 if (decl != NULL_TREE && varpool_node::get (decl))
364 return build_fold_addr_expr (decl);
366 tree dtype = ubsan_get_type_descriptor_type ();
368 const char *tname = NULL;
369 pretty_printer pretty_name;
370 unsigned char deref_depth = 0;
371 unsigned short tkind, tinfo;
373 /* Get the name of the type, or the name of the pointer type. */
374 if (pstyle == UBSAN_PRINT_POINTER)
376 gcc_assert (POINTER_TYPE_P (type));
377 type2 = TREE_TYPE (type);
379 /* Remove any '*' operators from TYPE. */
380 while (POINTER_TYPE_P (type2))
381 deref_depth++, type2 = TREE_TYPE (type2);
383 if (TREE_CODE (type2) == METHOD_TYPE)
384 type2 = TYPE_METHOD_BASETYPE (type2);
387 /* If an array, get its type. */
388 type2 = strip_array_types (type2);
390 if (pstyle == UBSAN_PRINT_ARRAY)
392 while (POINTER_TYPE_P (type2))
393 deref_depth++, type2 = TREE_TYPE (type2);
396 if (TYPE_NAME (type2) != NULL)
398 if (TREE_CODE (TYPE_NAME (type2)) == IDENTIFIER_NODE)
399 tname = IDENTIFIER_POINTER (TYPE_NAME (type2));
400 else if (DECL_NAME (TYPE_NAME (type2)) != NULL)
401 tname = IDENTIFIER_POINTER (DECL_NAME (TYPE_NAME (type2)));
405 /* We weren't able to determine the type name. */
408 pp_quote (&pretty_name);
411 if (pstyle == UBSAN_PRINT_POINTER)
413 pp_printf (&pretty_name, "%s%s%s%s%s%s%s",
414 TYPE_VOLATILE (type2) ? "volatile " : "",
415 TYPE_READONLY (type2) ? "const " : "",
416 TYPE_RESTRICT (type2) ? "restrict " : "",
417 TYPE_ATOMIC (type2) ? "_Atomic " : "",
418 TREE_CODE (type2) == RECORD_TYPE
420 : TREE_CODE (type2) == UNION_TYPE
421 ? "union " : "", tname,
422 deref_depth == 0 ? "" : " ");
423 while (deref_depth-- > 0)
424 pp_star (&pretty_name);
426 else if (pstyle == UBSAN_PRINT_ARRAY)
428 /* Pretty print the array dimensions. */
429 gcc_assert (TREE_CODE (type) == ARRAY_TYPE);
431 pp_string (&pretty_name, tname);
432 pp_space (&pretty_name);
433 while (deref_depth-- > 0)
434 pp_star (&pretty_name);
435 while (TREE_CODE (t) == ARRAY_TYPE)
437 pp_left_bracket (&pretty_name);
438 tree dom = TYPE_DOMAIN (t);
440 && TYPE_MAX_VALUE (dom) != NULL_TREE
441 && TREE_CODE (TYPE_MAX_VALUE (dom)) == INTEGER_CST)
443 unsigned HOST_WIDE_INT m;
444 if (tree_fits_uhwi_p (TYPE_MAX_VALUE (dom))
445 && (m = tree_to_uhwi (TYPE_MAX_VALUE (dom))) + 1 != 0)
446 pp_unsigned_wide_integer (&pretty_name, m + 1);
448 pp_wide_int (&pretty_name,
449 wi::add (wi::to_widest (TYPE_MAX_VALUE (dom)), 1),
450 TYPE_SIGN (TREE_TYPE (dom)));
453 /* ??? We can't determine the variable name; print VLA unspec. */
454 pp_star (&pretty_name);
455 pp_right_bracket (&pretty_name);
459 /* Save the tree with stripped types. */
463 pp_string (&pretty_name, tname);
465 pp_quote (&pretty_name);
467 switch (TREE_CODE (eltype))
475 /* FIXME: libubsan right now only supports float, double and
476 long double type formats. */
477 if (TYPE_MODE (eltype) == TYPE_MODE (float_type_node)
478 || TYPE_MODE (eltype) == TYPE_MODE (double_type_node)
479 || TYPE_MODE (eltype) == TYPE_MODE (long_double_type_node))
488 tinfo = get_ubsan_type_info_for_type (eltype);
490 /* Create a new VAR_DECL of type descriptor. */
491 const char *tmp = pp_formatted_text (&pretty_name);
492 size_t len = strlen (tmp) + 1;
493 tree str = build_string (len, tmp);
494 TREE_TYPE (str) = build_array_type_nelts (char_type_node, len);
495 TREE_READONLY (str) = 1;
496 TREE_STATIC (str) = 1;
499 ASM_GENERATE_INTERNAL_LABEL (tmp_name, "Lubsan_type", ubsan_ids[0]++);
500 decl = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (tmp_name),
502 TREE_STATIC (decl) = 1;
503 TREE_PUBLIC (decl) = 0;
504 DECL_ARTIFICIAL (decl) = 1;
505 DECL_IGNORED_P (decl) = 1;
506 DECL_EXTERNAL (decl) = 0;
508 = size_binop (PLUS_EXPR, DECL_SIZE (decl), TYPE_SIZE (TREE_TYPE (str)));
509 DECL_SIZE_UNIT (decl)
510 = size_binop (PLUS_EXPR, DECL_SIZE_UNIT (decl),
511 TYPE_SIZE_UNIT (TREE_TYPE (str)));
513 tree ctor = build_constructor_va (dtype, 3, NULL_TREE,
514 build_int_cst (short_unsigned_type_node,
516 build_int_cst (short_unsigned_type_node,
517 tinfo), NULL_TREE, str);
518 TREE_CONSTANT (ctor) = 1;
519 TREE_STATIC (ctor) = 1;
520 DECL_INITIAL (decl) = ctor;
521 varpool_node::finalize_decl (decl);
523 /* Save the VAR_DECL into the hash table. */
524 decl_for_type_insert (type, decl);
526 return build_fold_addr_expr (decl);
529 /* Create a structure for the ubsan library. NAME is a name of the new
530 structure. LOCCNT is number of locations, PLOC points to array of
531 locations. The arguments in ... are of __ubsan_type_descriptor type
532 and there are at most two of them, followed by NULL_TREE, followed
533 by optional extra arguments and another NULL_TREE. */
536 ubsan_create_data (const char *name, int loccnt, const location_t *ploc, ...)
541 vec<tree, va_gc> *saved_args = NULL;
545 /* It is possible that PCH zapped table with definitions of sanitizer
546 builtins. Reinitialize them if needed. */
547 initialize_sanitizer_builtins ();
549 /* Firstly, create a pointer to type descriptor type. */
550 tree td_type = ubsan_get_type_descriptor_type ();
551 td_type = build_pointer_type (td_type);
553 /* Create the structure type. */
554 ret = make_node (RECORD_TYPE);
555 for (j = 0; j < loccnt; j++)
557 gcc_checking_assert (i < 2);
558 fields[i] = build_decl (UNKNOWN_LOCATION, FIELD_DECL, NULL_TREE,
559 ubsan_get_source_location_type ());
560 DECL_CONTEXT (fields[i]) = ret;
562 DECL_CHAIN (fields[i - 1]) = fields[i];
566 va_start (args, ploc);
567 for (t = va_arg (args, tree); t != NULL_TREE;
568 i++, t = va_arg (args, tree))
570 gcc_checking_assert (i < 4);
571 /* Save the tree arguments for later use. */
572 vec_safe_push (saved_args, t);
573 fields[i] = build_decl (UNKNOWN_LOCATION, FIELD_DECL, NULL_TREE,
575 DECL_CONTEXT (fields[i]) = ret;
577 DECL_CHAIN (fields[i - 1]) = fields[i];
580 for (t = va_arg (args, tree); t != NULL_TREE;
581 i++, t = va_arg (args, tree))
583 gcc_checking_assert (i < 6);
584 /* Save the tree arguments for later use. */
585 vec_safe_push (saved_args, t);
586 fields[i] = build_decl (UNKNOWN_LOCATION, FIELD_DECL, NULL_TREE,
588 DECL_CONTEXT (fields[i]) = ret;
590 DECL_CHAIN (fields[i - 1]) = fields[i];
594 tree type_decl = build_decl (input_location, TYPE_DECL,
595 get_identifier (name), ret);
596 DECL_IGNORED_P (type_decl) = 1;
597 DECL_ARTIFICIAL (type_decl) = 1;
598 TYPE_FIELDS (ret) = fields[0];
599 TYPE_NAME (ret) = type_decl;
600 TYPE_STUB_DECL (ret) = type_decl;
601 TYPE_ARTIFICIAL (ret) = 1;
604 /* Now, fill in the type. */
606 ASM_GENERATE_INTERNAL_LABEL (tmp_name, "Lubsan_data", ubsan_ids[1]++);
607 tree var = build_decl (UNKNOWN_LOCATION, VAR_DECL, get_identifier (tmp_name),
609 TREE_STATIC (var) = 1;
610 TREE_PUBLIC (var) = 0;
611 DECL_ARTIFICIAL (var) = 1;
612 DECL_IGNORED_P (var) = 1;
613 DECL_EXTERNAL (var) = 0;
615 vec<constructor_elt, va_gc> *v;
617 tree ctor = build_constructor (ret, v);
619 /* If desirable, set the __ubsan_source_location element. */
620 for (j = 0; j < loccnt; j++)
622 location_t loc = LOCATION_LOCUS (ploc[j]);
623 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, ubsan_source_location (loc));
626 size_t nelts = vec_safe_length (saved_args);
627 for (i = 0; i < nelts; i++)
629 t = (*saved_args)[i];
630 CONSTRUCTOR_APPEND_ELT (v, NULL_TREE, t);
633 TREE_CONSTANT (ctor) = 1;
634 TREE_STATIC (ctor) = 1;
635 DECL_INITIAL (var) = ctor;
636 varpool_node::finalize_decl (var);
641 /* Shared between *build_builtin_unreachable. */
644 sanitize_unreachable_fn (tree *data, location_t loc)
647 bool san = sanitize_flags_p (SANITIZE_UNREACHABLE);
649 ? (flag_sanitize_trap & SANITIZE_UNREACHABLE)
650 : flag_unreachable_traps)
652 fn = builtin_decl_explicit (BUILT_IN_TRAP);
657 /* Call ubsan_create_data first as it initializes SANITIZER built-ins. */
658 *data = ubsan_create_data ("__ubsan_unreachable_data", 1, &loc,
659 NULL_TREE, NULL_TREE);
660 fn = builtin_decl_explicit (BUILT_IN_UBSAN_HANDLE_BUILTIN_UNREACHABLE);
661 *data = build_fold_addr_expr_loc (loc, *data);
665 fn = builtin_decl_explicit (BUILT_IN_UNREACHABLE);
671 /* Rewrite a gcall to __builtin_unreachable for -fsanitize=unreachable. Called
672 by the sanopt pass. */
675 ubsan_instrument_unreachable (gimple_stmt_iterator *gsi)
677 location_t loc = gimple_location (gsi_stmt (*gsi));
678 gimple *g = gimple_build_builtin_unreachable (loc);
679 gsi_replace (gsi, g, false);
683 /* Return true if T is a call to a libubsan routine. */
686 is_ubsan_builtin_p (tree t)
688 return TREE_CODE (t) == FUNCTION_DECL
689 && fndecl_built_in_p (t, BUILT_IN_NORMAL)
690 && strncmp (IDENTIFIER_POINTER (DECL_NAME (t)),
691 "__builtin___ubsan_", 18) == 0;
694 /* Create a callgraph edge for statement STMT. */
697 ubsan_create_edge (gimple *stmt)
699 gcall *call_stmt = dyn_cast <gcall *> (stmt);
700 basic_block bb = gimple_bb (stmt);
701 cgraph_node *node = cgraph_node::get (current_function_decl);
702 tree decl = gimple_call_fndecl (call_stmt);
704 node->create_edge (cgraph_node::get_create (decl), call_stmt, bb->count);
707 /* Expand the UBSAN_BOUNDS special builtin function. */
710 ubsan_expand_bounds_ifn (gimple_stmt_iterator *gsi)
712 gimple *stmt = gsi_stmt (*gsi);
713 location_t loc = gimple_location (stmt);
714 gcc_assert (gimple_call_num_args (stmt) == 3);
716 /* Pick up the arguments of the UBSAN_BOUNDS call. */
717 tree type = TREE_TYPE (TREE_TYPE (gimple_call_arg (stmt, 0)));
718 tree index = gimple_call_arg (stmt, 1);
719 tree orig_index = index;
720 tree bound = gimple_call_arg (stmt, 2);
722 gimple_stmt_iterator gsi_orig = *gsi;
724 /* Create condition "if (index > bound)". */
725 basic_block then_bb, fallthru_bb;
726 gimple_stmt_iterator cond_insert_point
727 = create_cond_insert_point (gsi, false, false, true,
728 &then_bb, &fallthru_bb);
729 index = fold_convert (TREE_TYPE (bound), index);
730 index = force_gimple_operand_gsi (&cond_insert_point, index,
732 false, GSI_NEW_STMT);
733 gimple *g = gimple_build_cond (GT_EXPR, index, bound, NULL_TREE, NULL_TREE);
734 gimple_set_location (g, loc);
735 gsi_insert_after (&cond_insert_point, g, GSI_NEW_STMT);
737 /* Generate __ubsan_handle_out_of_bounds call. */
738 *gsi = gsi_after_labels (then_bb);
739 if (flag_sanitize_trap & SANITIZE_BOUNDS)
740 g = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
744 = ubsan_create_data ("__ubsan_out_of_bounds_data", 1, &loc,
745 ubsan_type_descriptor (type, UBSAN_PRINT_ARRAY),
746 ubsan_type_descriptor (TREE_TYPE (orig_index)),
747 NULL_TREE, NULL_TREE);
748 data = build_fold_addr_expr_loc (loc, data);
749 enum built_in_function bcode
750 = (flag_sanitize_recover & SANITIZE_BOUNDS)
751 ? BUILT_IN_UBSAN_HANDLE_OUT_OF_BOUNDS
752 : BUILT_IN_UBSAN_HANDLE_OUT_OF_BOUNDS_ABORT;
753 tree fn = builtin_decl_explicit (bcode);
754 tree val = ubsan_encode_value (orig_index, UBSAN_ENCODE_VALUE_GIMPLE);
755 val = force_gimple_operand_gsi (gsi, val, true, NULL_TREE, true,
757 g = gimple_build_call (fn, 2, data, val);
759 gimple_set_location (g, loc);
760 gsi_insert_before (gsi, g, GSI_SAME_STMT);
762 /* Get rid of the UBSAN_BOUNDS call from the IR. */
763 unlink_stmt_vdef (stmt);
764 gsi_remove (&gsi_orig, true);
766 /* Point GSI to next logical statement. */
767 *gsi = gsi_start_bb (fallthru_bb);
771 /* Expand UBSAN_NULL internal call. The type is kept on the ckind
772 argument which is a constant, because the middle-end treats pointer
773 conversions as useless and therefore the type of the first argument
774 could be changed to any other pointer type. */
777 ubsan_expand_null_ifn (gimple_stmt_iterator *gsip)
779 gimple_stmt_iterator gsi = *gsip;
780 gimple *stmt = gsi_stmt (gsi);
781 location_t loc = gimple_location (stmt);
782 gcc_assert (gimple_call_num_args (stmt) == 3);
783 tree ptr = gimple_call_arg (stmt, 0);
784 tree ckind = gimple_call_arg (stmt, 1);
785 tree align = gimple_call_arg (stmt, 2);
786 tree check_align = NULL_TREE;
789 basic_block cur_bb = gsi_bb (gsi);
792 if (!integer_zerop (align))
794 unsigned int ptralign = get_pointer_alignment (ptr) / BITS_PER_UNIT;
795 if (compare_tree_int (align, ptralign) == 1)
797 check_align = make_ssa_name (pointer_sized_int_node);
798 g = gimple_build_assign (check_align, NOP_EXPR, ptr);
799 gimple_set_location (g, loc);
800 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
803 check_null = sanitize_flags_p (SANITIZE_NULL);
805 if (check_align == NULL_TREE && !check_null)
807 gsi_remove (gsip, true);
808 /* Unlink the UBSAN_NULLs vops before replacing it. */
809 unlink_stmt_vdef (stmt);
813 /* Split the original block holding the pointer dereference. */
814 edge e = split_block (cur_bb, stmt);
816 /* Get a hold on the 'condition block', the 'then block' and the
818 basic_block cond_bb = e->src;
819 basic_block fallthru_bb = e->dest;
820 basic_block then_bb = create_empty_bb (cond_bb);
821 add_bb_to_loop (then_bb, cond_bb->loop_father);
822 loops_state_set (LOOPS_NEED_FIXUP);
824 /* Make an edge coming from the 'cond block' into the 'then block';
825 this edge is unlikely taken, so set up the probability accordingly. */
826 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
827 e->probability = profile_probability::very_unlikely ();
828 then_bb->count = e->count ();
830 /* Connect 'then block' with the 'else block'. This is needed
831 as the ubsan routines we call in the 'then block' are not noreturn.
832 The 'then block' only has one outcoming edge. */
833 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
835 /* Set up the fallthrough basic block. */
836 e = find_edge (cond_bb, fallthru_bb);
837 e->flags = EDGE_FALSE_VALUE;
838 e->probability = profile_probability::very_likely ();
840 /* Update dominance info for the newly created then_bb; note that
841 fallthru_bb's dominance info has already been updated by
843 if (dom_info_available_p (CDI_DOMINATORS))
844 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
846 /* Put the ubsan builtin call into the newly created BB. */
847 if (flag_sanitize_trap & ((check_align ? SANITIZE_ALIGNMENT + 0 : 0)
848 | (check_null ? SANITIZE_NULL + 0 : 0)))
849 g = gimple_build_call (builtin_decl_implicit (BUILT_IN_TRAP), 0);
852 enum built_in_function bcode
853 = (flag_sanitize_recover & ((check_align ? SANITIZE_ALIGNMENT + 0 : 0)
854 | (check_null ? SANITIZE_NULL + 0 : 0)))
855 ? BUILT_IN_UBSAN_HANDLE_TYPE_MISMATCH_V1
856 : BUILT_IN_UBSAN_HANDLE_TYPE_MISMATCH_V1_ABORT;
857 tree fn = builtin_decl_implicit (bcode);
858 int align_log = tree_log2 (align);
860 = ubsan_create_data ("__ubsan_null_data", 1, &loc,
861 ubsan_type_descriptor (TREE_TYPE (ckind),
862 UBSAN_PRINT_POINTER),
864 build_int_cst (unsigned_char_type_node,
866 fold_convert (unsigned_char_type_node, ckind),
868 data = build_fold_addr_expr_loc (loc, data);
869 g = gimple_build_call (fn, 2, data,
870 check_align ? check_align
871 : build_zero_cst (pointer_sized_int_node));
873 gimple_stmt_iterator gsi2 = gsi_start_bb (then_bb);
874 gimple_set_location (g, loc);
875 gsi_insert_after (&gsi2, g, GSI_NEW_STMT);
877 /* Unlink the UBSAN_NULLs vops before replacing it. */
878 unlink_stmt_vdef (stmt);
882 g = gimple_build_cond (EQ_EXPR, ptr, build_int_cst (TREE_TYPE (ptr), 0),
883 NULL_TREE, NULL_TREE);
884 gimple_set_location (g, loc);
886 /* Replace the UBSAN_NULL with a GIMPLE_COND stmt. */
887 gsi_replace (&gsi, g, false);
895 /* Split the block with the condition again. */
896 e = split_block (cond_bb, stmt);
897 basic_block cond1_bb = e->src;
898 basic_block cond2_bb = e->dest;
900 /* Make an edge coming from the 'cond1 block' into the 'then block';
901 this edge is unlikely taken, so set up the probability
903 e = make_edge (cond1_bb, then_bb, EDGE_TRUE_VALUE);
904 e->probability = profile_probability::very_unlikely ();
906 /* Set up the fallthrough basic block. */
907 e = find_edge (cond1_bb, cond2_bb);
908 e->flags = EDGE_FALSE_VALUE;
909 e->probability = profile_probability::very_likely ();
911 /* Update dominance info. */
912 if (dom_info_available_p (CDI_DOMINATORS))
914 set_immediate_dominator (CDI_DOMINATORS, fallthru_bb, cond1_bb);
915 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond1_bb);
918 gsi2 = gsi_start_bb (cond2_bb);
921 tree mask = build_int_cst (pointer_sized_int_node,
922 tree_to_uhwi (align) - 1);
923 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
924 BIT_AND_EXPR, check_align, mask);
925 gimple_set_location (g, loc);
927 gsi_insert_after (&gsi2, g, GSI_NEW_STMT);
929 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
931 g = gimple_build_cond (NE_EXPR, gimple_assign_lhs (g),
932 build_int_cst (pointer_sized_int_node, 0),
933 NULL_TREE, NULL_TREE);
934 gimple_set_location (g, loc);
936 gsi_insert_after (&gsi2, g, GSI_NEW_STMT);
938 /* Replace the UBSAN_NULL with a GIMPLE_COND stmt. */
939 gsi_replace (&gsi, g, false);
944 #define OBJSZ_MAX_OFFSET (1024 * 16)
946 /* Expand UBSAN_OBJECT_SIZE internal call. */
949 ubsan_expand_objsize_ifn (gimple_stmt_iterator *gsi)
951 gimple *stmt = gsi_stmt (*gsi);
952 location_t loc = gimple_location (stmt);
953 gcc_assert (gimple_call_num_args (stmt) == 4);
955 tree ptr = gimple_call_arg (stmt, 0);
956 tree offset = gimple_call_arg (stmt, 1);
957 tree size = gimple_call_arg (stmt, 2);
958 tree ckind = gimple_call_arg (stmt, 3);
959 gimple_stmt_iterator gsi_orig = *gsi;
962 /* See if we can discard the check. */
963 if (TREE_CODE (size) == INTEGER_CST
964 && integer_all_onesp (size))
965 /* Yes, __builtin_object_size couldn't determine the
967 else if (TREE_CODE (offset) == INTEGER_CST
968 && wi::to_widest (offset) >= -OBJSZ_MAX_OFFSET
969 && wi::to_widest (offset) <= -1)
970 /* The offset is in range [-16K, -1]. */;
973 /* if (offset > objsize) */
974 basic_block then_bb, fallthru_bb;
975 gimple_stmt_iterator cond_insert_point
976 = create_cond_insert_point (gsi, false, false, true,
977 &then_bb, &fallthru_bb);
978 g = gimple_build_cond (GT_EXPR, offset, size, NULL_TREE, NULL_TREE);
979 gimple_set_location (g, loc);
980 gsi_insert_after (&cond_insert_point, g, GSI_NEW_STMT);
982 /* If the offset is small enough, we don't need the second
984 if (TREE_CODE (offset) == INTEGER_CST
985 && wi::to_widest (offset) >= 0
986 && wi::to_widest (offset) <= OBJSZ_MAX_OFFSET)
987 *gsi = gsi_after_labels (then_bb);
990 /* Don't issue run-time error if (ptr > ptr + offset). That
991 may happen when computing a POINTER_PLUS_EXPR. */
992 basic_block then2_bb, fallthru2_bb;
994 gimple_stmt_iterator gsi2 = gsi_after_labels (then_bb);
995 cond_insert_point = create_cond_insert_point (&gsi2, false, false,
998 /* Convert the pointer to an integer type. */
999 tree p = make_ssa_name (pointer_sized_int_node);
1000 g = gimple_build_assign (p, NOP_EXPR, ptr);
1001 gimple_set_location (g, loc);
1002 gsi_insert_before (&cond_insert_point, g, GSI_NEW_STMT);
1003 p = gimple_assign_lhs (g);
1004 /* Compute ptr + offset. */
1005 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1006 PLUS_EXPR, p, offset);
1007 gimple_set_location (g, loc);
1008 gsi_insert_after (&cond_insert_point, g, GSI_NEW_STMT);
1009 /* Now build the conditional and put it into the IR. */
1010 g = gimple_build_cond (LE_EXPR, p, gimple_assign_lhs (g),
1011 NULL_TREE, NULL_TREE);
1012 gimple_set_location (g, loc);
1013 gsi_insert_after (&cond_insert_point, g, GSI_NEW_STMT);
1014 *gsi = gsi_after_labels (then2_bb);
1017 /* Generate __ubsan_handle_type_mismatch call. */
1018 if (flag_sanitize_trap & SANITIZE_OBJECT_SIZE)
1019 g = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
1023 = ubsan_create_data ("__ubsan_objsz_data", 1, &loc,
1024 ubsan_type_descriptor (TREE_TYPE (ptr),
1025 UBSAN_PRINT_POINTER),
1027 build_zero_cst (unsigned_char_type_node),
1030 data = build_fold_addr_expr_loc (loc, data);
1031 enum built_in_function bcode
1032 = (flag_sanitize_recover & SANITIZE_OBJECT_SIZE)
1033 ? BUILT_IN_UBSAN_HANDLE_TYPE_MISMATCH_V1
1034 : BUILT_IN_UBSAN_HANDLE_TYPE_MISMATCH_V1_ABORT;
1035 tree p = make_ssa_name (pointer_sized_int_node);
1036 g = gimple_build_assign (p, NOP_EXPR, ptr);
1037 gimple_set_location (g, loc);
1038 gsi_insert_before (gsi, g, GSI_SAME_STMT);
1039 g = gimple_build_call (builtin_decl_explicit (bcode), 2, data, p);
1041 gimple_set_location (g, loc);
1042 gsi_insert_before (gsi, g, GSI_SAME_STMT);
1044 /* Point GSI to next logical statement. */
1045 *gsi = gsi_start_bb (fallthru_bb);
1047 /* Get rid of the UBSAN_OBJECT_SIZE call from the IR. */
1048 unlink_stmt_vdef (stmt);
1049 gsi_remove (&gsi_orig, true);
1053 /* Get rid of the UBSAN_OBJECT_SIZE call from the IR. */
1054 unlink_stmt_vdef (stmt);
1055 gsi_remove (gsi, true);
1059 /* Expand UBSAN_PTR internal call. */
1062 ubsan_expand_ptr_ifn (gimple_stmt_iterator *gsip)
1064 gimple_stmt_iterator gsi = *gsip;
1065 gimple *stmt = gsi_stmt (gsi);
1066 location_t loc = gimple_location (stmt);
1067 gcc_assert (gimple_call_num_args (stmt) == 2);
1068 tree ptr = gimple_call_arg (stmt, 0);
1069 tree off = gimple_call_arg (stmt, 1);
1071 if (integer_zerop (off))
1073 gsi_remove (gsip, true);
1074 unlink_stmt_vdef (stmt);
1078 basic_block cur_bb = gsi_bb (gsi);
1079 tree ptrplusoff = make_ssa_name (pointer_sized_int_node);
1080 tree ptri = make_ssa_name (pointer_sized_int_node);
1081 int pos_neg = get_range_pos_neg (off);
1083 /* Split the original block holding the pointer dereference. */
1084 edge e = split_block (cur_bb, stmt);
1086 /* Get a hold on the 'condition block', the 'then block' and the
1088 basic_block cond_bb = e->src;
1089 basic_block fallthru_bb = e->dest;
1090 basic_block then_bb = create_empty_bb (cond_bb);
1091 basic_block cond_pos_bb = NULL, cond_neg_bb = NULL;
1092 add_bb_to_loop (then_bb, cond_bb->loop_father);
1093 loops_state_set (LOOPS_NEED_FIXUP);
1095 /* Set up the fallthrough basic block. */
1096 e->flags = EDGE_FALSE_VALUE;
1099 e->probability = profile_probability::very_likely ();
1101 /* Connect 'then block' with the 'else block'. This is needed
1102 as the ubsan routines we call in the 'then block' are not noreturn.
1103 The 'then block' only has one outcoming edge. */
1104 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1106 /* Make an edge coming from the 'cond block' into the 'then block';
1107 this edge is unlikely taken, so set up the probability
1109 e = make_edge (cond_bb, then_bb, EDGE_TRUE_VALUE);
1110 e->probability = profile_probability::very_unlikely ();
1111 then_bb->count = e->count ();
1115 e->probability = profile_probability::even ();
1117 e = split_block (fallthru_bb, (gimple *) NULL);
1118 cond_neg_bb = e->src;
1119 fallthru_bb = e->dest;
1120 e->probability = profile_probability::very_likely ();
1121 e->flags = EDGE_FALSE_VALUE;
1123 e = make_edge (cond_neg_bb, then_bb, EDGE_TRUE_VALUE);
1124 e->probability = profile_probability::very_unlikely ();
1125 then_bb->count = e->count ();
1127 cond_pos_bb = create_empty_bb (cond_bb);
1128 add_bb_to_loop (cond_pos_bb, cond_bb->loop_father);
1130 e = make_edge (cond_bb, cond_pos_bb, EDGE_TRUE_VALUE);
1131 e->probability = profile_probability::even ();
1132 cond_pos_bb->count = e->count ();
1134 e = make_edge (cond_pos_bb, then_bb, EDGE_TRUE_VALUE);
1135 e->probability = profile_probability::very_unlikely ();
1137 e = make_edge (cond_pos_bb, fallthru_bb, EDGE_FALSE_VALUE);
1138 e->probability = profile_probability::very_likely ();
1140 make_single_succ_edge (then_bb, fallthru_bb, EDGE_FALLTHRU);
1143 gimple *g = gimple_build_assign (ptri, NOP_EXPR, ptr);
1144 gimple_set_location (g, loc);
1145 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1146 g = gimple_build_assign (ptrplusoff, PLUS_EXPR, ptri, off);
1147 gimple_set_location (g, loc);
1148 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1150 /* Update dominance info for the newly created then_bb; note that
1151 fallthru_bb's dominance info has already been updated by
1153 if (dom_info_available_p (CDI_DOMINATORS))
1155 set_immediate_dominator (CDI_DOMINATORS, then_bb, cond_bb);
1158 set_immediate_dominator (CDI_DOMINATORS, cond_pos_bb, cond_bb);
1159 set_immediate_dominator (CDI_DOMINATORS, fallthru_bb, cond_bb);
1163 /* Put the ubsan builtin call into the newly created BB. */
1164 if (flag_sanitize_trap & SANITIZE_POINTER_OVERFLOW)
1165 g = gimple_build_call (builtin_decl_implicit (BUILT_IN_TRAP), 0);
1168 enum built_in_function bcode
1169 = (flag_sanitize_recover & SANITIZE_POINTER_OVERFLOW)
1170 ? BUILT_IN_UBSAN_HANDLE_POINTER_OVERFLOW
1171 : BUILT_IN_UBSAN_HANDLE_POINTER_OVERFLOW_ABORT;
1172 tree fn = builtin_decl_implicit (bcode);
1174 = ubsan_create_data ("__ubsan_ptrovf_data", 1, &loc,
1175 NULL_TREE, NULL_TREE);
1176 data = build_fold_addr_expr_loc (loc, data);
1177 g = gimple_build_call (fn, 3, data, ptr, ptrplusoff);
1179 gimple_stmt_iterator gsi2 = gsi_start_bb (then_bb);
1180 gimple_set_location (g, loc);
1181 gsi_insert_after (&gsi2, g, GSI_NEW_STMT);
1183 /* Unlink the UBSAN_PTRs vops before replacing it. */
1184 unlink_stmt_vdef (stmt);
1186 if (TREE_CODE (off) == INTEGER_CST)
1187 g = gimple_build_cond (wi::neg_p (wi::to_wide (off)) ? LT_EXPR : GE_EXPR,
1188 ptri, fold_build1 (NEGATE_EXPR, sizetype, off),
1189 NULL_TREE, NULL_TREE);
1190 else if (pos_neg != 3)
1191 g = gimple_build_cond (pos_neg == 1 ? LT_EXPR : GT_EXPR,
1192 ptrplusoff, ptri, NULL_TREE, NULL_TREE);
1195 gsi2 = gsi_start_bb (cond_pos_bb);
1196 g = gimple_build_cond (LT_EXPR, ptrplusoff, ptri, NULL_TREE, NULL_TREE);
1197 gimple_set_location (g, loc);
1198 gsi_insert_after (&gsi2, g, GSI_NEW_STMT);
1200 gsi2 = gsi_start_bb (cond_neg_bb);
1201 g = gimple_build_cond (GT_EXPR, ptrplusoff, ptri, NULL_TREE, NULL_TREE);
1202 gimple_set_location (g, loc);
1203 gsi_insert_after (&gsi2, g, GSI_NEW_STMT);
1205 tree t = gimple_build (&gsi, true, GSI_SAME_STMT,
1206 loc, NOP_EXPR, ssizetype, off);
1207 g = gimple_build_cond (GE_EXPR, t, ssize_int (0),
1208 NULL_TREE, NULL_TREE);
1210 gimple_set_location (g, loc);
1211 /* Replace the UBSAN_PTR with a GIMPLE_COND stmt. */
1212 gsi_replace (&gsi, g, false);
1217 /* Cached __ubsan_vptr_type_cache decl. */
1218 static GTY(()) tree ubsan_vptr_type_cache_decl;
1220 /* Expand UBSAN_VPTR internal call. The type is kept on the ckind
1221 argument which is a constant, because the middle-end treats pointer
1222 conversions as useless and therefore the type of the first argument
1223 could be changed to any other pointer type. */
1226 ubsan_expand_vptr_ifn (gimple_stmt_iterator *gsip)
1228 gimple_stmt_iterator gsi = *gsip;
1229 gimple *stmt = gsi_stmt (gsi);
1230 location_t loc = gimple_location (stmt);
1231 gcc_assert (gimple_call_num_args (stmt) == 5);
1232 tree op = gimple_call_arg (stmt, 0);
1233 tree vptr = gimple_call_arg (stmt, 1);
1234 tree str_hash = gimple_call_arg (stmt, 2);
1235 tree ti_decl_addr = gimple_call_arg (stmt, 3);
1236 tree ckind_tree = gimple_call_arg (stmt, 4);
1237 ubsan_null_ckind ckind = (ubsan_null_ckind) tree_to_uhwi (ckind_tree);
1238 tree type = TREE_TYPE (TREE_TYPE (ckind_tree));
1240 basic_block fallthru_bb = NULL;
1242 if (ckind == UBSAN_DOWNCAST_POINTER)
1244 /* Guard everything with if (op != NULL) { ... }. */
1245 basic_block then_bb;
1246 gimple_stmt_iterator cond_insert_point
1247 = create_cond_insert_point (gsip, false, false, true,
1248 &then_bb, &fallthru_bb);
1249 g = gimple_build_cond (NE_EXPR, op, build_zero_cst (TREE_TYPE (op)),
1250 NULL_TREE, NULL_TREE);
1251 gimple_set_location (g, loc);
1252 gsi_insert_after (&cond_insert_point, g, GSI_NEW_STMT);
1253 *gsip = gsi_after_labels (then_bb);
1254 gsi_remove (&gsi, false);
1255 gsi_insert_before (gsip, stmt, GSI_NEW_STMT);
1259 tree htype = TREE_TYPE (str_hash);
1260 tree cst = wide_int_to_tree (htype,
1261 wi::uhwi (((uint64_t) 0x9ddfea08 << 32)
1263 g = gimple_build_assign (make_ssa_name (htype), BIT_XOR_EXPR,
1265 gimple_set_location (g, loc);
1266 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1267 g = gimple_build_assign (make_ssa_name (htype), MULT_EXPR,
1268 gimple_assign_lhs (g), cst);
1269 gimple_set_location (g, loc);
1270 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1271 tree t1 = gimple_assign_lhs (g);
1272 g = gimple_build_assign (make_ssa_name (htype), LSHIFT_EXPR,
1273 t1, build_int_cst (integer_type_node, 47));
1274 gimple_set_location (g, loc);
1275 tree t2 = gimple_assign_lhs (g);
1276 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1277 g = gimple_build_assign (make_ssa_name (htype), BIT_XOR_EXPR,
1279 gimple_set_location (g, loc);
1280 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1281 g = gimple_build_assign (make_ssa_name (htype), BIT_XOR_EXPR,
1282 t2, gimple_assign_lhs (g));
1283 gimple_set_location (g, loc);
1284 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1285 g = gimple_build_assign (make_ssa_name (htype), MULT_EXPR,
1286 gimple_assign_lhs (g), cst);
1287 gimple_set_location (g, loc);
1288 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1289 tree t3 = gimple_assign_lhs (g);
1290 g = gimple_build_assign (make_ssa_name (htype), LSHIFT_EXPR,
1291 t3, build_int_cst (integer_type_node, 47));
1292 gimple_set_location (g, loc);
1293 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1294 g = gimple_build_assign (make_ssa_name (htype), BIT_XOR_EXPR,
1295 t3, gimple_assign_lhs (g));
1296 gimple_set_location (g, loc);
1297 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1298 g = gimple_build_assign (make_ssa_name (htype), MULT_EXPR,
1299 gimple_assign_lhs (g), cst);
1300 gimple_set_location (g, loc);
1301 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1302 if (!useless_type_conversion_p (pointer_sized_int_node, htype))
1304 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1305 NOP_EXPR, gimple_assign_lhs (g));
1306 gimple_set_location (g, loc);
1307 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1309 tree hash = gimple_assign_lhs (g);
1311 if (ubsan_vptr_type_cache_decl == NULL_TREE)
1313 tree atype = build_array_type_nelts (pointer_sized_int_node, 128);
1314 tree array = build_decl (UNKNOWN_LOCATION, VAR_DECL,
1315 get_identifier ("__ubsan_vptr_type_cache"),
1317 DECL_ARTIFICIAL (array) = 1;
1318 DECL_IGNORED_P (array) = 1;
1319 TREE_PUBLIC (array) = 1;
1320 TREE_STATIC (array) = 1;
1321 DECL_EXTERNAL (array) = 1;
1322 DECL_VISIBILITY (array) = VISIBILITY_DEFAULT;
1323 DECL_VISIBILITY_SPECIFIED (array) = 1;
1324 varpool_node::finalize_decl (array);
1325 ubsan_vptr_type_cache_decl = array;
1328 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1330 build_int_cst (pointer_sized_int_node, 127));
1331 gimple_set_location (g, loc);
1332 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1334 tree c = build4_loc (loc, ARRAY_REF, pointer_sized_int_node,
1335 ubsan_vptr_type_cache_decl, gimple_assign_lhs (g),
1336 NULL_TREE, NULL_TREE);
1337 g = gimple_build_assign (make_ssa_name (pointer_sized_int_node),
1339 gimple_set_location (g, loc);
1340 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1342 basic_block then_bb, fallthru2_bb;
1343 gimple_stmt_iterator cond_insert_point
1344 = create_cond_insert_point (gsip, false, false, true,
1345 &then_bb, &fallthru2_bb);
1346 g = gimple_build_cond (NE_EXPR, gimple_assign_lhs (g), hash,
1347 NULL_TREE, NULL_TREE);
1348 gimple_set_location (g, loc);
1349 gsi_insert_after (&cond_insert_point, g, GSI_NEW_STMT);
1350 *gsip = gsi_after_labels (then_bb);
1351 if (fallthru_bb == NULL)
1352 fallthru_bb = fallthru2_bb;
1355 = ubsan_create_data ("__ubsan_vptr_data", 1, &loc,
1356 ubsan_type_descriptor (type), NULL_TREE, ti_decl_addr,
1357 build_int_cst (unsigned_char_type_node, ckind),
1359 data = build_fold_addr_expr_loc (loc, data);
1360 enum built_in_function bcode
1361 = (flag_sanitize_recover & SANITIZE_VPTR)
1362 ? BUILT_IN_UBSAN_HANDLE_DYNAMIC_TYPE_CACHE_MISS
1363 : BUILT_IN_UBSAN_HANDLE_DYNAMIC_TYPE_CACHE_MISS_ABORT;
1365 g = gimple_build_call (builtin_decl_explicit (bcode), 3, data, op, hash);
1366 gimple_set_location (g, loc);
1367 gsi_insert_before (gsip, g, GSI_SAME_STMT);
1369 /* Point GSI to next logical statement. */
1370 *gsip = gsi_start_bb (fallthru_bb);
1372 /* Get rid of the UBSAN_VPTR call from the IR. */
1373 unlink_stmt_vdef (stmt);
1374 gsi_remove (&gsi, true);
1378 /* Instrument a memory reference. BASE is the base of MEM, IS_LHS says
1379 whether the pointer is on the left hand side of the assignment. */
1382 instrument_mem_ref (tree mem, tree base, gimple_stmt_iterator *iter,
1385 enum ubsan_null_ckind ikind = is_lhs ? UBSAN_STORE_OF : UBSAN_LOAD_OF;
1386 unsigned int align = 0;
1387 if (sanitize_flags_p (SANITIZE_ALIGNMENT))
1389 align = min_align_of_type (TREE_TYPE (base));
1393 if (align == 0 && !sanitize_flags_p (SANITIZE_NULL))
1395 tree t = TREE_OPERAND (base, 0);
1396 if (!POINTER_TYPE_P (TREE_TYPE (t)))
1398 if (RECORD_OR_UNION_TYPE_P (TREE_TYPE (base)) && mem != base)
1399 ikind = UBSAN_MEMBER_ACCESS;
1400 tree kind = build_int_cst (build_pointer_type (TREE_TYPE (base)), ikind);
1401 tree alignt = build_int_cst (pointer_sized_int_node, align);
1402 gcall *g = gimple_build_call_internal (IFN_UBSAN_NULL, 3, t, kind, alignt);
1403 gimple_set_location (g, gimple_location (gsi_stmt (*iter)));
1404 gsi_insert_before (iter, g, GSI_SAME_STMT);
1407 /* Perform the pointer instrumentation. */
1410 instrument_null (gimple_stmt_iterator gsi, tree t, bool is_lhs)
1412 /* Handle also e.g. &s->i. */
1413 if (TREE_CODE (t) == ADDR_EXPR)
1414 t = TREE_OPERAND (t, 0);
1415 tree base = get_base_address (t);
1416 if (base != NULL_TREE
1417 && TREE_CODE (base) == MEM_REF
1418 && TREE_CODE (TREE_OPERAND (base, 0)) == SSA_NAME)
1419 instrument_mem_ref (t, base, &gsi, is_lhs);
1422 /* Instrument pointer arithmetics PTR p+ OFF. */
1425 instrument_pointer_overflow (gimple_stmt_iterator *gsi, tree ptr, tree off)
1427 if (TYPE_PRECISION (sizetype) != POINTER_SIZE)
1429 gcall *g = gimple_build_call_internal (IFN_UBSAN_PTR, 2, ptr, off);
1430 gimple_set_location (g, gimple_location (gsi_stmt (*gsi)));
1431 gsi_insert_before (gsi, g, GSI_SAME_STMT);
1434 /* Instrument pointer arithmetics if any. */
1437 maybe_instrument_pointer_overflow (gimple_stmt_iterator *gsi, tree t)
1439 if (TYPE_PRECISION (sizetype) != POINTER_SIZE)
1442 /* Handle also e.g. &s->i. */
1443 if (TREE_CODE (t) == ADDR_EXPR)
1444 t = TREE_OPERAND (t, 0);
1446 if (!handled_component_p (t) && TREE_CODE (t) != MEM_REF)
1449 poly_int64 bitsize, bitpos, bytepos;
1452 int volatilep = 0, reversep, unsignedp = 0;
1453 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
1454 &unsignedp, &reversep, &volatilep);
1455 tree moff = NULL_TREE;
1457 bool decl_p = DECL_P (inner);
1462 || TREE_CODE (inner) == PARM_DECL
1463 || TREE_CODE (inner) == RESULT_DECL)
1464 && DECL_REGISTER (inner))
1467 /* If BASE is a fixed size automatic variable or
1468 global variable defined in the current TU and bitpos
1469 fits, don't instrument anything. */
1470 poly_int64 base_size;
1471 if (offset == NULL_TREE
1472 && maybe_ne (bitpos, 0)
1474 || TREE_CODE (base) == PARM_DECL
1475 || TREE_CODE (base) == RESULT_DECL)
1476 && poly_int_tree_p (DECL_SIZE (base), &base_size)
1477 && known_ge (base_size, bitpos)
1478 && (!is_global_var (base) || decl_binds_to_current_def_p (base)))
1481 else if (TREE_CODE (inner) == MEM_REF)
1483 base = TREE_OPERAND (inner, 0);
1484 if (TREE_CODE (base) == ADDR_EXPR
1485 && DECL_P (TREE_OPERAND (base, 0))
1486 && !TREE_ADDRESSABLE (TREE_OPERAND (base, 0))
1487 && !is_global_var (TREE_OPERAND (base, 0)))
1489 moff = TREE_OPERAND (inner, 1);
1490 if (integer_zerop (moff))
1496 if (!POINTER_TYPE_P (TREE_TYPE (base)) && !DECL_P (base))
1498 bytepos = bits_to_bytes_round_down (bitpos);
1499 if (offset == NULL_TREE && known_eq (bytepos, 0) && moff == NULL_TREE)
1502 tree base_addr = base;
1504 base_addr = build1 (ADDR_EXPR,
1505 build_pointer_type (TREE_TYPE (base)), base);
1507 if (maybe_ne (bytepos, 0))
1510 t = fold_build2 (PLUS_EXPR, TREE_TYPE (t), t,
1511 build_int_cst (TREE_TYPE (t), bytepos));
1513 t = size_int (bytepos);
1518 t = fold_build2 (PLUS_EXPR, TREE_TYPE (t), t,
1519 fold_convert (TREE_TYPE (t), moff));
1521 t = fold_convert (sizetype, moff);
1523 t = force_gimple_operand_gsi (gsi, t, true, NULL_TREE, true,
1525 base_addr = force_gimple_operand_gsi (gsi, base_addr, true, NULL_TREE, true,
1527 instrument_pointer_overflow (gsi, base_addr, t);
1530 /* Build an ubsan builtin call for the signed-integer-overflow
1531 sanitization. CODE says what kind of builtin are we building,
1532 LOC is a location, LHSTYPE is the type of LHS, OP0 and OP1
1533 are operands of the binary operation. */
1536 ubsan_build_overflow_builtin (tree_code code, location_t loc, tree lhstype,
1537 tree op0, tree op1, tree *datap)
1539 if (flag_sanitize_trap & SANITIZE_SI_OVERFLOW)
1540 return build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
1543 if (datap && *datap)
1546 data = ubsan_create_data ("__ubsan_overflow_data", 1, &loc,
1547 ubsan_type_descriptor (lhstype), NULL_TREE,
1551 enum built_in_function fn_code;
1556 fn_code = (flag_sanitize_recover & SANITIZE_SI_OVERFLOW)
1557 ? BUILT_IN_UBSAN_HANDLE_ADD_OVERFLOW
1558 : BUILT_IN_UBSAN_HANDLE_ADD_OVERFLOW_ABORT;
1561 fn_code = (flag_sanitize_recover & SANITIZE_SI_OVERFLOW)
1562 ? BUILT_IN_UBSAN_HANDLE_SUB_OVERFLOW
1563 : BUILT_IN_UBSAN_HANDLE_SUB_OVERFLOW_ABORT;
1566 fn_code = (flag_sanitize_recover & SANITIZE_SI_OVERFLOW)
1567 ? BUILT_IN_UBSAN_HANDLE_MUL_OVERFLOW
1568 : BUILT_IN_UBSAN_HANDLE_MUL_OVERFLOW_ABORT;
1571 fn_code = (flag_sanitize_recover & SANITIZE_SI_OVERFLOW)
1572 ? BUILT_IN_UBSAN_HANDLE_NEGATE_OVERFLOW
1573 : BUILT_IN_UBSAN_HANDLE_NEGATE_OVERFLOW_ABORT;
1578 tree fn = builtin_decl_explicit (fn_code);
1579 return build_call_expr_loc (loc, fn, 2 + (code != NEGATE_EXPR),
1580 build_fold_addr_expr_loc (loc, data),
1581 ubsan_encode_value (op0, UBSAN_ENCODE_VALUE_RTL),
1583 ? ubsan_encode_value (op1,
1584 UBSAN_ENCODE_VALUE_RTL)
1588 /* Perform the signed integer instrumentation. GSI is the iterator
1589 pointing at statement we are trying to instrument. */
1592 instrument_si_overflow (gimple_stmt_iterator gsi)
1594 gimple *stmt = gsi_stmt (gsi);
1595 tree_code code = gimple_assign_rhs_code (stmt);
1596 tree lhs = gimple_assign_lhs (stmt);
1597 tree lhstype = TREE_TYPE (lhs);
1598 tree lhsinner = VECTOR_TYPE_P (lhstype) ? TREE_TYPE (lhstype) : lhstype;
1602 /* If this is not a signed operation, don't instrument anything here.
1603 Also punt on bit-fields. */
1604 if (!INTEGRAL_TYPE_P (lhsinner)
1605 || TYPE_OVERFLOW_WRAPS (lhsinner)
1606 || maybe_ne (GET_MODE_BITSIZE (TYPE_MODE (lhsinner)),
1607 TYPE_PRECISION (lhsinner)))
1618 i = UBSAN_CHECK_{ADD,SUB,MUL} (u, 5); */
1619 a = gimple_assign_rhs1 (stmt);
1620 b = gimple_assign_rhs2 (stmt);
1621 g = gimple_build_call_internal (code == PLUS_EXPR
1622 ? IFN_UBSAN_CHECK_ADD
1623 : code == MINUS_EXPR
1624 ? IFN_UBSAN_CHECK_SUB
1625 : IFN_UBSAN_CHECK_MUL, 2, a, b);
1626 gimple_call_set_lhs (g, lhs);
1627 gsi_replace (&gsi, g, true);
1630 /* Represent i = -u;
1632 i = UBSAN_CHECK_SUB (0, u); */
1633 a = build_zero_cst (lhstype);
1634 b = gimple_assign_rhs1 (stmt);
1635 g = gimple_build_call_internal (IFN_UBSAN_CHECK_SUB, 2, a, b);
1636 gimple_call_set_lhs (g, lhs);
1637 gsi_replace (&gsi, g, true);
1640 /* Transform i = ABS_EXPR<u>;
1642 _N = UBSAN_CHECK_SUB (0, u);
1643 i = ABS_EXPR<_N>; */
1644 a = build_zero_cst (lhstype);
1645 b = gimple_assign_rhs1 (stmt);
1646 g = gimple_build_call_internal (IFN_UBSAN_CHECK_SUB, 2, a, b);
1647 a = make_ssa_name (lhstype);
1648 gimple_call_set_lhs (g, a);
1649 gimple_set_location (g, gimple_location (stmt));
1650 gsi_insert_before (&gsi, g, GSI_SAME_STMT);
1651 gimple_assign_set_rhs1 (stmt, a);
1659 /* Instrument loads from (non-bitfield) bool and C++ enum values
1660 to check if the memory value is outside of the range of the valid
1664 instrument_bool_enum_load (gimple_stmt_iterator *gsi)
1666 gimple *stmt = gsi_stmt (*gsi);
1667 tree rhs = gimple_assign_rhs1 (stmt);
1668 tree type = TREE_TYPE (rhs);
1669 tree minv = NULL_TREE, maxv = NULL_TREE;
1671 if (TREE_CODE (type) == BOOLEAN_TYPE
1672 && sanitize_flags_p (SANITIZE_BOOL))
1674 minv = boolean_false_node;
1675 maxv = boolean_true_node;
1677 else if (TREE_CODE (type) == ENUMERAL_TYPE
1678 && sanitize_flags_p (SANITIZE_ENUM)
1679 && TREE_TYPE (type) != NULL_TREE
1680 && TREE_CODE (TREE_TYPE (type)) == INTEGER_TYPE
1681 && (TYPE_PRECISION (TREE_TYPE (type))
1682 < GET_MODE_PRECISION (SCALAR_INT_TYPE_MODE (type))))
1684 minv = TYPE_MIN_VALUE (TREE_TYPE (type));
1685 maxv = TYPE_MAX_VALUE (TREE_TYPE (type));
1690 int modebitsize = GET_MODE_BITSIZE (SCALAR_INT_TYPE_MODE (type));
1691 poly_int64 bitsize, bitpos;
1694 int volatilep = 0, reversep, unsignedp = 0;
1695 tree base = get_inner_reference (rhs, &bitsize, &bitpos, &offset, &mode,
1696 &unsignedp, &reversep, &volatilep);
1697 tree utype = build_nonstandard_integer_type (modebitsize, 1);
1699 if ((VAR_P (base) && DECL_HARD_REGISTER (base))
1700 || !multiple_p (bitpos, modebitsize)
1701 || maybe_ne (bitsize, modebitsize)
1702 || GET_MODE_BITSIZE (SCALAR_INT_TYPE_MODE (utype)) != modebitsize
1703 || TREE_CODE (gimple_assign_lhs (stmt)) != SSA_NAME)
1706 bool ends_bb = stmt_ends_bb_p (stmt);
1707 location_t loc = gimple_location (stmt);
1708 tree lhs = gimple_assign_lhs (stmt);
1709 tree ptype = build_pointer_type (TREE_TYPE (rhs));
1710 tree atype = reference_alias_ptr_type (rhs);
1711 gimple *g = gimple_build_assign (make_ssa_name (ptype),
1712 build_fold_addr_expr (rhs));
1713 gimple_set_location (g, loc);
1714 gsi_insert_before (gsi, g, GSI_SAME_STMT);
1715 tree mem = build2 (MEM_REF, utype, gimple_assign_lhs (g),
1716 build_int_cst (atype, 0));
1717 tree urhs = make_ssa_name (utype);
1720 gimple_assign_set_lhs (stmt, urhs);
1721 g = gimple_build_assign (lhs, NOP_EXPR, urhs);
1722 gimple_set_location (g, loc);
1723 edge e = find_fallthru_edge (gimple_bb (stmt)->succs);
1724 gsi_insert_on_edge_immediate (e, g);
1725 gimple_assign_set_rhs_from_tree (gsi, mem);
1727 *gsi = gsi_for_stmt (g);
1732 g = gimple_build_assign (urhs, mem);
1733 gimple_set_location (g, loc);
1734 gsi_insert_before (gsi, g, GSI_SAME_STMT);
1736 minv = fold_convert (utype, minv);
1737 maxv = fold_convert (utype, maxv);
1738 if (!integer_zerop (minv))
1740 g = gimple_build_assign (make_ssa_name (utype), MINUS_EXPR, urhs, minv);
1741 gimple_set_location (g, loc);
1742 gsi_insert_before (gsi, g, GSI_SAME_STMT);
1745 gimple_stmt_iterator gsi2 = *gsi;
1746 basic_block then_bb, fallthru_bb;
1747 *gsi = create_cond_insert_point (gsi, true, false, true,
1748 &then_bb, &fallthru_bb);
1749 g = gimple_build_cond (GT_EXPR, gimple_assign_lhs (g),
1750 int_const_binop (MINUS_EXPR, maxv, minv),
1751 NULL_TREE, NULL_TREE);
1752 gimple_set_location (g, loc);
1753 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1757 gimple_assign_set_rhs_with_ops (&gsi2, NOP_EXPR, urhs);
1761 gsi2 = gsi_after_labels (then_bb);
1762 if (flag_sanitize_trap & (TREE_CODE (type) == BOOLEAN_TYPE
1763 ? SANITIZE_BOOL : SANITIZE_ENUM))
1764 g = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
1767 tree data = ubsan_create_data ("__ubsan_invalid_value_data", 1, &loc,
1768 ubsan_type_descriptor (type), NULL_TREE,
1770 data = build_fold_addr_expr_loc (loc, data);
1771 enum built_in_function bcode
1772 = (flag_sanitize_recover & (TREE_CODE (type) == BOOLEAN_TYPE
1773 ? SANITIZE_BOOL : SANITIZE_ENUM))
1774 ? BUILT_IN_UBSAN_HANDLE_LOAD_INVALID_VALUE
1775 : BUILT_IN_UBSAN_HANDLE_LOAD_INVALID_VALUE_ABORT;
1776 tree fn = builtin_decl_explicit (bcode);
1778 tree val = ubsan_encode_value (urhs, UBSAN_ENCODE_VALUE_GIMPLE);
1779 val = force_gimple_operand_gsi (&gsi2, val, true, NULL_TREE, true,
1781 g = gimple_build_call (fn, 2, data, val);
1783 gimple_set_location (g, loc);
1784 gsi_insert_before (&gsi2, g, GSI_SAME_STMT);
1785 ubsan_create_edge (g);
1786 *gsi = gsi_for_stmt (stmt);
1789 /* Determine if we can propagate given LOCATION to ubsan_data descriptor to use
1790 new style handlers. Libubsan uses heuristics to destinguish between old and
1791 new styles and relies on these properties for filename:
1793 a) Location's filename must not be NULL.
1794 b) Location's filename must not be equal to "".
1795 c) Location's filename must not be equal to "\1".
1796 d) First two bytes of filename must not contain '\xff' symbol. */
1799 ubsan_use_new_style_p (location_t loc)
1801 if (loc == UNKNOWN_LOCATION)
1804 expanded_location xloc = expand_location (loc);
1805 if (xloc.file == NULL || startswith (xloc.file, "\1")
1806 || xloc.file[0] == '\0' || xloc.file[0] == '\xff'
1807 || xloc.file[1] == '\xff')
1813 /* Instrument float point-to-integer conversion. TYPE is an integer type of
1814 destination, EXPR is floating-point expression. */
1817 ubsan_instrument_float_cast (location_t loc, tree type, tree expr)
1819 tree expr_type = TREE_TYPE (expr);
1820 tree t, tt, fn, min, max;
1821 machine_mode mode = TYPE_MODE (expr_type);
1822 int prec = TYPE_PRECISION (type);
1823 bool uns_p = TYPE_UNSIGNED (type);
1824 if (loc == UNKNOWN_LOCATION)
1825 loc = input_location;
1827 /* Float to integer conversion first truncates toward zero, so
1828 even signed char c = 127.875f; is not problematic.
1829 Therefore, we should complain only if EXPR is unordered or smaller
1830 or equal than TYPE_MIN_VALUE - 1.0 or greater or equal than
1831 TYPE_MAX_VALUE + 1.0. */
1832 if (REAL_MODE_FORMAT (mode)->b == 2)
1834 /* For maximum, TYPE_MAX_VALUE might not be representable
1835 in EXPR_TYPE, e.g. if TYPE is 64-bit long long and
1836 EXPR_TYPE is IEEE single float, but TYPE_MAX_VALUE + 1.0 is
1837 either representable or infinity. */
1838 REAL_VALUE_TYPE maxval = dconst1;
1839 SET_REAL_EXP (&maxval, REAL_EXP (&maxval) + prec - !uns_p);
1840 real_convert (&maxval, mode, &maxval);
1841 max = build_real (expr_type, maxval);
1843 /* For unsigned, assume -1.0 is always representable. */
1845 min = build_minus_one_cst (expr_type);
1848 /* TYPE_MIN_VALUE is generally representable (or -inf),
1849 but TYPE_MIN_VALUE - 1.0 might not be. */
1850 REAL_VALUE_TYPE minval = dconstm1, minval2;
1851 SET_REAL_EXP (&minval, REAL_EXP (&minval) + prec - 1);
1852 real_convert (&minval, mode, &minval);
1853 real_arithmetic (&minval2, MINUS_EXPR, &minval, &dconst1);
1854 real_convert (&minval2, mode, &minval2);
1855 if (real_compare (EQ_EXPR, &minval, &minval2)
1856 && !real_isinf (&minval))
1858 /* If TYPE_MIN_VALUE - 1.0 is not representable and
1859 rounds to TYPE_MIN_VALUE, we need to subtract
1860 more. As REAL_MODE_FORMAT (mode)->p is the number
1861 of base digits, we want to subtract a number that
1862 will be 1 << (REAL_MODE_FORMAT (mode)->p - 1)
1863 times smaller than minval. */
1865 gcc_assert (prec > REAL_MODE_FORMAT (mode)->p);
1866 SET_REAL_EXP (&minval2,
1867 REAL_EXP (&minval2) + prec - 1
1868 - REAL_MODE_FORMAT (mode)->p + 1);
1869 real_arithmetic (&minval2, MINUS_EXPR, &minval, &minval2);
1870 real_convert (&minval2, mode, &minval2);
1872 min = build_real (expr_type, minval2);
1875 else if (REAL_MODE_FORMAT (mode)->b == 10)
1877 /* For _Decimal128 up to 34 decimal digits, - sign,
1878 dot, e, exponent. */
1881 int p = REAL_MODE_FORMAT (mode)->p;
1882 REAL_VALUE_TYPE maxval, minval;
1884 /* Use mpfr_snprintf rounding to compute the smallest
1885 representable decimal number greater or equal than
1886 1 << (prec - !uns_p). */
1887 mpfr_init2 (m, prec + 2);
1888 mpfr_set_ui_2exp (m, 1, prec - !uns_p, MPFR_RNDN);
1889 mpfr_snprintf (buf, sizeof buf, "%.*RUe", p - 1, m);
1890 decimal_real_from_string (&maxval, buf);
1891 max = build_real (expr_type, maxval);
1893 /* For unsigned, assume -1.0 is always representable. */
1895 min = build_minus_one_cst (expr_type);
1898 /* Use mpfr_snprintf rounding to compute the largest
1899 representable decimal number less or equal than
1900 (-1 << (prec - 1)) - 1. */
1901 mpfr_set_si_2exp (m, -1, prec - 1, MPFR_RNDN);
1902 mpfr_sub_ui (m, m, 1, MPFR_RNDN);
1903 mpfr_snprintf (buf, sizeof buf, "%.*RDe", p - 1, m);
1904 decimal_real_from_string (&minval, buf);
1905 min = build_real (expr_type, minval);
1912 if (HONOR_NANS (mode))
1914 t = fold_build2 (UNLE_EXPR, boolean_type_node, expr, min);
1915 tt = fold_build2 (UNGE_EXPR, boolean_type_node, expr, max);
1919 t = fold_build2 (LE_EXPR, boolean_type_node, expr, min);
1920 tt = fold_build2 (GE_EXPR, boolean_type_node, expr, max);
1922 t = fold_build2 (TRUTH_OR_EXPR, boolean_type_node, t, tt);
1923 if (integer_zerop (t))
1926 if (flag_sanitize_trap & SANITIZE_FLOAT_CAST)
1927 fn = build_call_expr_loc (loc, builtin_decl_explicit (BUILT_IN_TRAP), 0);
1930 location_t *loc_ptr = NULL;
1931 unsigned num_locations = 0;
1932 /* Figure out if we can propagate location to ubsan_data and use new
1933 style handlers in libubsan. */
1934 if (ubsan_use_new_style_p (loc))
1939 /* Create the __ubsan_handle_float_cast_overflow fn call. */
1940 tree data = ubsan_create_data ("__ubsan_float_cast_overflow_data",
1941 num_locations, loc_ptr,
1942 ubsan_type_descriptor (expr_type),
1943 ubsan_type_descriptor (type), NULL_TREE,
1945 enum built_in_function bcode
1946 = (flag_sanitize_recover & SANITIZE_FLOAT_CAST)
1947 ? BUILT_IN_UBSAN_HANDLE_FLOAT_CAST_OVERFLOW
1948 : BUILT_IN_UBSAN_HANDLE_FLOAT_CAST_OVERFLOW_ABORT;
1949 fn = builtin_decl_explicit (bcode);
1950 fn = build_call_expr_loc (loc, fn, 2,
1951 build_fold_addr_expr_loc (loc, data),
1952 ubsan_encode_value (expr));
1955 return fold_build3 (COND_EXPR, void_type_node, t, fn, integer_zero_node);
1958 /* Instrument values passed to function arguments with nonnull attribute. */
1961 instrument_nonnull_arg (gimple_stmt_iterator *gsi)
1963 gimple *stmt = gsi_stmt (*gsi);
1965 /* infer_nonnull_range needs flag_delete_null_pointer_checks set,
1966 while for nonnull sanitization it is clear. */
1967 int save_flag_delete_null_pointer_checks = flag_delete_null_pointer_checks;
1968 flag_delete_null_pointer_checks = 1;
1969 loc[0] = gimple_location (stmt);
1970 loc[1] = UNKNOWN_LOCATION;
1971 for (unsigned int i = 0; i < gimple_call_num_args (stmt); i++)
1973 tree arg = gimple_call_arg (stmt, i);
1974 if (POINTER_TYPE_P (TREE_TYPE (arg))
1975 && infer_nonnull_range_by_attribute (stmt, arg))
1978 if (!is_gimple_val (arg))
1980 g = gimple_build_assign (make_ssa_name (TREE_TYPE (arg)), arg);
1981 gimple_set_location (g, loc[0]);
1982 gsi_insert_before (gsi, g, GSI_SAME_STMT);
1983 arg = gimple_assign_lhs (g);
1986 basic_block then_bb, fallthru_bb;
1987 *gsi = create_cond_insert_point (gsi, true, false, true,
1988 &then_bb, &fallthru_bb);
1989 g = gimple_build_cond (EQ_EXPR, arg,
1990 build_zero_cst (TREE_TYPE (arg)),
1991 NULL_TREE, NULL_TREE);
1992 gimple_set_location (g, loc[0]);
1993 gsi_insert_after (gsi, g, GSI_NEW_STMT);
1995 *gsi = gsi_after_labels (then_bb);
1996 if (flag_sanitize_trap & SANITIZE_NONNULL_ATTRIBUTE)
1997 g = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
2000 tree data = ubsan_create_data ("__ubsan_nonnull_arg_data",
2002 build_int_cst (integer_type_node,
2005 data = build_fold_addr_expr_loc (loc[0], data);
2006 enum built_in_function bcode
2007 = (flag_sanitize_recover & SANITIZE_NONNULL_ATTRIBUTE)
2008 ? BUILT_IN_UBSAN_HANDLE_NONNULL_ARG
2009 : BUILT_IN_UBSAN_HANDLE_NONNULL_ARG_ABORT;
2010 tree fn = builtin_decl_explicit (bcode);
2012 g = gimple_build_call (fn, 1, data);
2014 gimple_set_location (g, loc[0]);
2015 gsi_insert_before (gsi, g, GSI_SAME_STMT);
2016 ubsan_create_edge (g);
2018 *gsi = gsi_for_stmt (stmt);
2020 flag_delete_null_pointer_checks = save_flag_delete_null_pointer_checks;
2023 /* Instrument returns in functions with returns_nonnull attribute. */
2026 instrument_nonnull_return (gimple_stmt_iterator *gsi)
2028 greturn *stmt = as_a <greturn *> (gsi_stmt (*gsi));
2030 tree arg = gimple_return_retval (stmt);
2031 /* infer_nonnull_range needs flag_delete_null_pointer_checks set,
2032 while for nonnull return sanitization it is clear. */
2033 int save_flag_delete_null_pointer_checks = flag_delete_null_pointer_checks;
2034 flag_delete_null_pointer_checks = 1;
2035 loc[0] = gimple_location (stmt);
2036 loc[1] = UNKNOWN_LOCATION;
2038 && POINTER_TYPE_P (TREE_TYPE (arg))
2039 && is_gimple_val (arg)
2040 && infer_nonnull_range_by_attribute (stmt, arg))
2042 basic_block then_bb, fallthru_bb;
2043 *gsi = create_cond_insert_point (gsi, true, false, true,
2044 &then_bb, &fallthru_bb);
2045 gimple *g = gimple_build_cond (EQ_EXPR, arg,
2046 build_zero_cst (TREE_TYPE (arg)),
2047 NULL_TREE, NULL_TREE);
2048 gimple_set_location (g, loc[0]);
2049 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2051 *gsi = gsi_after_labels (then_bb);
2052 if (flag_sanitize_trap & SANITIZE_RETURNS_NONNULL_ATTRIBUTE)
2053 g = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
2056 tree data = ubsan_create_data ("__ubsan_nonnull_return_data",
2057 1, &loc[1], NULL_TREE, NULL_TREE);
2058 data = build_fold_addr_expr_loc (loc[0], data);
2059 tree data2 = ubsan_create_data ("__ubsan_nonnull_return_data",
2060 1, &loc[0], NULL_TREE, NULL_TREE);
2061 data2 = build_fold_addr_expr_loc (loc[0], data2);
2062 enum built_in_function bcode
2063 = (flag_sanitize_recover & SANITIZE_RETURNS_NONNULL_ATTRIBUTE)
2064 ? BUILT_IN_UBSAN_HANDLE_NONNULL_RETURN_V1
2065 : BUILT_IN_UBSAN_HANDLE_NONNULL_RETURN_V1_ABORT;
2066 tree fn = builtin_decl_explicit (bcode);
2068 g = gimple_build_call (fn, 2, data, data2);
2070 gimple_set_location (g, loc[0]);
2071 gsi_insert_before (gsi, g, GSI_SAME_STMT);
2072 ubsan_create_edge (g);
2073 *gsi = gsi_for_stmt (stmt);
2075 flag_delete_null_pointer_checks = save_flag_delete_null_pointer_checks;
2078 /* Instrument memory references. Here we check whether the pointer
2079 points to an out-of-bounds location. */
2082 instrument_object_size (gimple_stmt_iterator *gsi, tree t, bool is_lhs)
2084 gimple *stmt = gsi_stmt (*gsi);
2085 location_t loc = gimple_location (stmt);
2087 tree index = NULL_TREE;
2088 HOST_WIDE_INT size_in_bytes;
2090 type = TREE_TYPE (t);
2091 if (VOID_TYPE_P (type))
2094 switch (TREE_CODE (t))
2097 if (TREE_CODE (t) == COMPONENT_REF
2098 && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
2100 tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
2101 t = build3 (COMPONENT_REF, TREE_TYPE (repr), TREE_OPERAND (t, 0),
2102 repr, TREE_OPERAND (t, 2));
2106 index = TREE_OPERAND (t, 1);
2118 size_in_bytes = int_size_in_bytes (type);
2119 if (size_in_bytes <= 0)
2122 poly_int64 bitsize, bitpos;
2125 int volatilep = 0, reversep, unsignedp = 0;
2126 tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode,
2127 &unsignedp, &reversep, &volatilep);
2129 if (!multiple_p (bitpos, BITS_PER_UNIT)
2130 || maybe_ne (bitsize, size_in_bytes * BITS_PER_UNIT))
2133 bool decl_p = DECL_P (inner);
2138 || TREE_CODE (inner) == PARM_DECL
2139 || TREE_CODE (inner) == RESULT_DECL)
2140 && DECL_REGISTER (inner))
2142 if (t == inner && !is_global_var (t))
2146 else if (TREE_CODE (inner) == MEM_REF)
2147 base = TREE_OPERAND (inner, 0);
2150 tree ptr = build1 (ADDR_EXPR, build_pointer_type (TREE_TYPE (t)), t);
2152 while (TREE_CODE (base) == SSA_NAME)
2154 gimple *def_stmt = SSA_NAME_DEF_STMT (base);
2155 if (gimple_assign_ssa_name_copy_p (def_stmt)
2156 || (gimple_assign_cast_p (def_stmt)
2157 && POINTER_TYPE_P (TREE_TYPE (gimple_assign_rhs1 (def_stmt))))
2158 || (is_gimple_assign (def_stmt)
2159 && gimple_assign_rhs_code (def_stmt) == POINTER_PLUS_EXPR))
2161 tree rhs1 = gimple_assign_rhs1 (def_stmt);
2162 if (TREE_CODE (rhs1) == SSA_NAME
2163 && SSA_NAME_OCCURS_IN_ABNORMAL_PHI (rhs1))
2172 if (!POINTER_TYPE_P (TREE_TYPE (base)) && !DECL_P (base))
2176 tree base_addr = base;
2177 gimple *bos_stmt = NULL;
2179 base_addr = build1 (ADDR_EXPR,
2180 build_pointer_type (TREE_TYPE (base)), base);
2181 if (compute_builtin_object_size (base_addr, OST_DYNAMIC, &sizet))
2185 if (LOCATION_LOCUS (loc) == UNKNOWN_LOCATION)
2186 loc = input_location;
2187 /* Generate __builtin_dynamic_object_size call. */
2188 sizet = builtin_decl_explicit (BUILT_IN_DYNAMIC_OBJECT_SIZE);
2189 sizet = build_call_expr_loc (loc, sizet, 2, base_addr,
2191 sizet = force_gimple_operand_gsi (gsi, sizet, false, NULL_TREE, true,
2193 /* If the call above didn't end up being an integer constant, go one
2194 statement back and get the __builtin_object_size stmt. Save it,
2195 we might need it later. */
2196 if (SSA_VAR_P (sizet))
2199 bos_stmt = gsi_stmt (*gsi);
2201 /* Move on to where we were. */
2208 /* Generate UBSAN_OBJECT_SIZE (ptr, ptr+sizeof(*ptr)-base, objsize, ckind)
2210 /* ptr + sizeof (*ptr) - base */
2211 t = fold_build2 (MINUS_EXPR, sizetype,
2212 fold_convert (pointer_sized_int_node, ptr),
2213 fold_convert (pointer_sized_int_node, base_addr));
2214 t = fold_build2 (PLUS_EXPR, sizetype, t, TYPE_SIZE_UNIT (type));
2216 /* Perhaps we can omit the check. */
2217 if (TREE_CODE (t) == INTEGER_CST
2218 && TREE_CODE (sizet) == INTEGER_CST
2219 && tree_int_cst_le (t, sizet))
2222 if (index != NULL_TREE
2223 && TREE_CODE (index) == SSA_NAME
2224 && TREE_CODE (sizet) == INTEGER_CST)
2226 gimple *def = SSA_NAME_DEF_STMT (index);
2227 if (is_gimple_assign (def)
2228 && gimple_assign_rhs_code (def) == BIT_AND_EXPR
2229 && TREE_CODE (gimple_assign_rhs2 (def)) == INTEGER_CST)
2231 tree cst = gimple_assign_rhs2 (def);
2232 tree sz = fold_build2 (EXACT_DIV_EXPR, sizetype, sizet,
2233 TYPE_SIZE_UNIT (type));
2234 if (tree_int_cst_sgn (cst) >= 0
2235 && tree_int_cst_lt (cst, sz))
2241 && decl_function_context (base) == current_function_decl
2242 && !TREE_ADDRESSABLE (base))
2243 mark_addressable (base);
2246 && gimple_call_builtin_p (bos_stmt, BUILT_IN_DYNAMIC_OBJECT_SIZE))
2247 ubsan_create_edge (bos_stmt);
2249 /* We have to emit the check. */
2250 t = force_gimple_operand_gsi (gsi, t, true, NULL_TREE, true,
2252 ptr = force_gimple_operand_gsi (gsi, ptr, true, NULL_TREE, true,
2254 tree ckind = build_int_cst (unsigned_char_type_node,
2255 is_lhs ? UBSAN_STORE_OF : UBSAN_LOAD_OF);
2256 gimple *g = gimple_build_call_internal (IFN_UBSAN_OBJECT_SIZE, 4,
2257 ptr, t, sizet, ckind);
2258 gimple_set_location (g, loc);
2259 gsi_insert_before (gsi, g, GSI_SAME_STMT);
2262 /* Instrument values passed to builtin functions. */
2265 instrument_builtin (gimple_stmt_iterator *gsi)
2267 gimple *stmt = gsi_stmt (*gsi);
2268 location_t loc = gimple_location (stmt);
2270 enum built_in_function fcode
2271 = DECL_FUNCTION_CODE (gimple_call_fndecl (stmt));
2275 CASE_INT_FN (BUILT_IN_CLZ):
2278 CASE_INT_FN (BUILT_IN_CTZ):
2279 arg = gimple_call_arg (stmt, 0);
2280 if (!integer_nonzerop (arg))
2283 if (!is_gimple_val (arg))
2285 g = gimple_build_assign (make_ssa_name (TREE_TYPE (arg)), arg);
2286 gimple_set_location (g, loc);
2287 gsi_insert_before (gsi, g, GSI_SAME_STMT);
2288 arg = gimple_assign_lhs (g);
2291 basic_block then_bb, fallthru_bb;
2292 *gsi = create_cond_insert_point (gsi, true, false, true,
2293 &then_bb, &fallthru_bb);
2294 g = gimple_build_cond (EQ_EXPR, arg,
2295 build_zero_cst (TREE_TYPE (arg)),
2296 NULL_TREE, NULL_TREE);
2297 gimple_set_location (g, loc);
2298 gsi_insert_after (gsi, g, GSI_NEW_STMT);
2300 *gsi = gsi_after_labels (then_bb);
2301 if (flag_sanitize_trap & SANITIZE_BUILTIN)
2302 g = gimple_build_call (builtin_decl_explicit (BUILT_IN_TRAP), 0);
2305 tree t = build_int_cst (unsigned_char_type_node, kind);
2306 tree data = ubsan_create_data ("__ubsan_builtin_data",
2307 1, &loc, NULL_TREE, t, NULL_TREE);
2308 data = build_fold_addr_expr_loc (loc, data);
2309 enum built_in_function bcode
2310 = (flag_sanitize_recover & SANITIZE_BUILTIN)
2311 ? BUILT_IN_UBSAN_HANDLE_INVALID_BUILTIN
2312 : BUILT_IN_UBSAN_HANDLE_INVALID_BUILTIN_ABORT;
2313 tree fn = builtin_decl_explicit (bcode);
2315 g = gimple_build_call (fn, 1, data);
2317 gimple_set_location (g, loc);
2318 gsi_insert_before (gsi, g, GSI_SAME_STMT);
2319 ubsan_create_edge (g);
2321 *gsi = gsi_for_stmt (stmt);
2330 const pass_data pass_data_ubsan =
2332 GIMPLE_PASS, /* type */
2334 OPTGROUP_NONE, /* optinfo_flags */
2335 TV_TREE_UBSAN, /* tv_id */
2336 ( PROP_cfg | PROP_ssa ), /* properties_required */
2337 0, /* properties_provided */
2338 0, /* properties_destroyed */
2339 0, /* todo_flags_start */
2340 TODO_update_ssa, /* todo_flags_finish */
2343 class pass_ubsan : public gimple_opt_pass
2346 pass_ubsan (gcc::context *ctxt)
2347 : gimple_opt_pass (pass_data_ubsan, ctxt)
2350 /* opt_pass methods: */
2351 bool gate (function *) final override
2353 return sanitize_flags_p ((SANITIZE_NULL | SANITIZE_SI_OVERFLOW
2354 | SANITIZE_BOOL | SANITIZE_ENUM
2355 | SANITIZE_ALIGNMENT
2356 | SANITIZE_NONNULL_ATTRIBUTE
2357 | SANITIZE_RETURNS_NONNULL_ATTRIBUTE
2358 | SANITIZE_OBJECT_SIZE
2359 | SANITIZE_POINTER_OVERFLOW
2360 | SANITIZE_BUILTIN));
2363 unsigned int execute (function *) final override;
2365 }; // class pass_ubsan
2368 pass_ubsan::execute (function *fun)
2371 gimple_stmt_iterator gsi;
2372 unsigned int ret = 0;
2374 initialize_sanitizer_builtins ();
2376 FOR_EACH_BB_FN (bb, fun)
2378 for (gsi = gsi_start_bb (bb); !gsi_end_p (gsi);)
2380 gimple *stmt = gsi_stmt (gsi);
2381 if (is_gimple_debug (stmt) || gimple_clobber_p (stmt))
2387 if ((sanitize_flags_p (SANITIZE_SI_OVERFLOW, fun->decl))
2388 && is_gimple_assign (stmt))
2389 instrument_si_overflow (gsi);
2391 if (sanitize_flags_p (SANITIZE_NULL | SANITIZE_ALIGNMENT, fun->decl))
2393 if (gimple_store_p (stmt))
2394 instrument_null (gsi, gimple_get_lhs (stmt), true);
2395 if (gimple_assign_single_p (stmt))
2396 instrument_null (gsi, gimple_assign_rhs1 (stmt), false);
2397 if (is_gimple_call (stmt))
2399 unsigned args_num = gimple_call_num_args (stmt);
2400 for (unsigned i = 0; i < args_num; ++i)
2402 tree arg = gimple_call_arg (stmt, i);
2403 if (is_gimple_reg (arg) || is_gimple_min_invariant (arg))
2405 instrument_null (gsi, arg, false);
2410 if (sanitize_flags_p (SANITIZE_BOOL | SANITIZE_ENUM, fun->decl)
2411 && gimple_assign_load_p (stmt))
2413 instrument_bool_enum_load (&gsi);
2414 bb = gimple_bb (stmt);
2417 if (sanitize_flags_p (SANITIZE_NONNULL_ATTRIBUTE, fun->decl)
2418 && is_gimple_call (stmt)
2419 && !gimple_call_internal_p (stmt))
2421 instrument_nonnull_arg (&gsi);
2422 bb = gimple_bb (stmt);
2425 if (sanitize_flags_p (SANITIZE_BUILTIN, fun->decl)
2426 && gimple_call_builtin_p (stmt, BUILT_IN_NORMAL))
2428 instrument_builtin (&gsi);
2429 bb = gimple_bb (stmt);
2432 if (sanitize_flags_p (SANITIZE_RETURNS_NONNULL_ATTRIBUTE, fun->decl)
2433 && gimple_code (stmt) == GIMPLE_RETURN)
2435 instrument_nonnull_return (&gsi);
2436 bb = gimple_bb (stmt);
2439 if (sanitize_flags_p (SANITIZE_OBJECT_SIZE, fun->decl))
2441 if (gimple_store_p (stmt))
2442 instrument_object_size (&gsi, gimple_get_lhs (stmt), true);
2443 if (gimple_assign_load_p (stmt))
2444 instrument_object_size (&gsi, gimple_assign_rhs1 (stmt),
2446 if (is_gimple_call (stmt))
2448 unsigned args_num = gimple_call_num_args (stmt);
2449 for (unsigned i = 0; i < args_num; ++i)
2451 tree arg = gimple_call_arg (stmt, i);
2452 if (is_gimple_reg (arg) || is_gimple_min_invariant (arg))
2454 instrument_object_size (&gsi, arg, false);
2459 if (sanitize_flags_p (SANITIZE_POINTER_OVERFLOW, fun->decl))
2461 if (is_gimple_assign (stmt)
2462 && gimple_assign_rhs_code (stmt) == POINTER_PLUS_EXPR)
2463 instrument_pointer_overflow (&gsi,
2464 gimple_assign_rhs1 (stmt),
2465 gimple_assign_rhs2 (stmt));
2466 if (gimple_store_p (stmt))
2467 maybe_instrument_pointer_overflow (&gsi,
2468 gimple_get_lhs (stmt));
2469 if (gimple_assign_single_p (stmt))
2470 maybe_instrument_pointer_overflow (&gsi,
2471 gimple_assign_rhs1 (stmt));
2472 if (is_gimple_call (stmt))
2474 unsigned args_num = gimple_call_num_args (stmt);
2475 for (unsigned i = 0; i < args_num; ++i)
2477 tree arg = gimple_call_arg (stmt, i);
2478 if (is_gimple_reg (arg))
2480 maybe_instrument_pointer_overflow (&gsi, arg);
2487 if (gimple_purge_dead_eh_edges (bb))
2488 ret = TODO_cleanup_cfg;
2496 make_pass_ubsan (gcc::context *ctxt)
2498 return new pass_ubsan (ctxt);
2501 #include "gt-ubsan.h"
projects / platform / upstream / gcc.git / blob