Hi!
This is not finished completely yet, but roughly implements protection
of stack variables. As testcase I was using:
extern void *malloc (__SIZE_TYPE__);
int
main ()
{
char buf1[16];
char buf2[256];
char buf3[33];
char *p = malloc (16);
asm ("" : "+r" (p));
int i;
for (i = 0; i < 18; i++)
p[i] = 17;
asm ("" : "=r" (p) : "0" (buf1));
for (i = 0; i < 18; i++)
p[i] = 17;
asm ("" : "=r" (p) : "0" (buf2));
for (i = 0; i < 18; i++)
p[i] = 17;
asm ("" : "=r" (p) : "0" (buf3));
for (i = 0; i < 18; i++)
p[i] = 17;
return 0;
}
and looked at what LLVM generates. What isn't handled is that
expand_stack_vars returns an insn sequence that needs to be emitted
before epilogue, but isn't actually emitting it in the right spot(s)
yet. I wonder here if we we should disallow tail call optimization
for -fasan, or if (the possibly lengthy) sequence to clear the shadow
stack memory should be just emitted before every tail call and before
every return spot (noreturn calls don't need to be handled).
Comments?
2012-10-12 Jakub Jelinek <ja...@redhat.com>
* Makefile.in (asan.o): Depend on $(EXPR_H) $(OPTABS_H).
* asan.c: Include expr.h and optabs.h.
(asan_shadow_set): New variable.
(asan_shadow_cst, asan_emit_stack_protection): New functions.
(asan_init_shadow_ptr_types): Initialize also asan_shadow_set.
* cfgexpand.c: Include asan.h. Define HOST_WIDE_INT heap vector.
(expand_stack_vars): Add asan_vec and asan_decl_vec arguments,
fill it in and add needed padding in between variables if -fasan.
(defer_stack_allocation): Defer everything for flag_asan.
(expand_used_vars): Return var destruction sequence. Call
asan_emit_stack_protection if expand_stack_vars added anything
to the vectors.
* asan.h (asan_emit_stack_protection): New prototype.
(asan_shadow_set): New decl.
(ASAN_RED_ZONE_SIZE, ASAN_STACK_MAGIC_LEFT, ASAN_STACK_MAGIC_MIDDLE,
ASAN_STACK_MAGIC_RIGHT, ASAN_STACK_FRAME_MAGIC): Define.
* toplev.c (process_options): Also disable -fasan on
!FRAME_GROWS_DOWNWARDS targets.
--- gcc/Makefile.in.jj 2012-10-11 20:13:17.000000000 +0200
+++ gcc/Makefile.in 2012-10-12 18:11:10.491807366 +0200
@@ -2204,7 +2204,7 @@ stor-layout.o : stor-layout.c $(CONFIG_H
asan.o : asan.c asan.h $(CONFIG_H) pointer-set.h \
$(SYSTEM_H) $(TREE_H) $(GIMPLE_H) \
output.h $(DIAGNOSTIC_H) coretypes.h $(TREE_DUMP_H) $(FLAGS_H) \
- tree-pretty-print.h $(TARGET_H)
+ tree-pretty-print.h $(TARGET_H) $(EXPR_H) $(OPTABS_H)
tree-ssa-tail-merge.o: tree-ssa-tail-merge.c \
$(SYSTEM_H) $(CONFIG_H) coretypes.h $(TM_H) $(BITMAP_H) \
$(FLAGS_H) $(TM_P_H) $(BASIC_BLOCK_H) \
--- gcc/asan.c.jj 2012-10-12 10:02:10.000000000 +0200
+++ gcc/asan.c 2012-10-12 18:00:45.529248028 +0200
@@ -43,6 +43,8 @@ along with GCC; see the file COPYING3.
#include "asan.h"
#include "gimple-pretty-print.h"
#include "target.h"
+#include "expr.h"
+#include "optabs.h"
/*
AddressSanitizer finds out-of-bounds and use-after-free bugs
@@ -79,10 +81,180 @@ along with GCC; see the file COPYING3.
to create redzones for stack and global object and poison them.
*/
+alias_set_type asan_shadow_set = -1;
+
/* Pointer types to 1 resp. 2 byte integers in shadow memory. A separate
alias set is used for all shadow memory accesses. */
static GTY(()) tree shadow_ptr_types[2];
+static rtx
+asan_shadow_cst (unsigned char shadow_bytes[4])
+{
+ int i;
+ unsigned HOST_WIDE_INT val = 0;
+ gcc_assert (WORDS_BIG_ENDIAN == BYTES_BIG_ENDIAN);
+ for (i = 0; i < 4; i++)
+ val |= (unsigned HOST_WIDE_INT) shadow_bytes[BYTES_BIG_ENDIAN ? 3 - i : i]
+ << (BITS_PER_UNIT * i);
+ return GEN_INT (trunc_int_for_mode (val, SImode));
+}
+
+rtx
+asan_emit_stack_protection (rtx base, HOST_WIDE_INT *offsets, tree *decls,
+ int length)
+{
+ rtx shadow_base, shadow_mem, ret, mem;
+ unsigned char shadow_bytes[4];
+ HOST_WIDE_INT base_offset = offsets[length - 1], offset, prev_offset;
+ HOST_WIDE_INT last_offset, last_size;
+ int l;
+ unsigned char cur_shadow_byte = ASAN_STACK_MAGIC_LEFT;
+ static pretty_printer pp;
+ static bool pp_initialized;
+ const char *buf;
+ size_t len;
+ tree str_cst;
+
+ /* First of all, prepare the description string. */
+ if (!pp_initialized)
+ {
+ pp_construct (&pp, /* prefix */NULL, /* line-width */0);
+ pp_initialized = true;
+ }
+ pp_clear_output_area (&pp);
+ if (DECL_NAME (current_function_decl))
+ pp_base_tree_identifier (&pp, DECL_NAME (current_function_decl));
+ else
+ pp_string (&pp, "<unknown>");
+ pp_space (&pp);
+ pp_decimal_int (&pp, length / 2 - 1);
+ pp_space (&pp);
+ for (l = length - 2; l; l -= 2)
+ {
+ tree decl = decls[l / 2 - 1];
+ pp_wide_integer (&pp, offsets[l] - base_offset);
+ pp_space (&pp);
+ pp_wide_integer (&pp, offsets[l - 1] - offsets[l]);
+ pp_space (&pp);
+ if (DECL_P (decl) && DECL_NAME (decl))
+ {
+ pp_decimal_int (&pp, IDENTIFIER_LENGTH (DECL_NAME (decl)));
+ pp_space (&pp);
+ pp_base_tree_identifier (&pp, DECL_NAME (decl));
+ }
+ else
+ pp_string (&pp, "9 <unknown>");
+ pp_space (&pp);
+ }
+ buf = pp_base_formatted_text (&pp);
+ len = strlen (buf);
+ str_cst = build_string (len + 1, buf);
+ TREE_TYPE (str_cst)
+ = build_array_type (char_type_node, build_index_type (size_int (len)));
+ TREE_READONLY (str_cst) = 1;
+ TREE_STATIC (str_cst) = 1;
+ str_cst = build1 (ADDR_EXPR, build_pointer_type (char_type_node), str_cst);
+
+ /* Emit the prologue sequence. */
+ base = expand_binop (Pmode, add_optab, base, GEN_INT (base_offset),
+ NULL_RTX, 1, OPTAB_DIRECT);
+ mem = gen_rtx_MEM (ptr_mode, base);
+ emit_move_insn (mem, GEN_INT (ASAN_STACK_FRAME_MAGIC));
+ mem = adjust_address (mem, VOIDmode, GET_MODE_SIZE (ptr_mode));
+ emit_move_insn (mem, expand_normal (str_cst));
+ shadow_base = expand_binop (Pmode, lshr_optab, base,
+ GEN_INT (ASAN_SHADOW_SHIFT),
+ NULL_RTX, 1, OPTAB_DIRECT);
+ shadow_base = expand_binop (Pmode, add_optab, shadow_base,
+ GEN_INT (targetm.asan_shadow_offset ()),
+ NULL_RTX, 1, OPTAB_DIRECT);
+ gcc_assert (asan_shadow_set != -1
+ && (ASAN_RED_ZONE_SIZE >> ASAN_SHADOW_SHIFT) == 4);
+ shadow_mem = gen_rtx_MEM (SImode, shadow_base);
+ set_mem_alias_set (shadow_mem, asan_shadow_set);
+ prev_offset = base_offset;
+ for (l = length; l; l -= 2)
+ {
+ if (l == 2)
+ cur_shadow_byte = ASAN_STACK_MAGIC_RIGHT;
+ offset = offsets[l - 1];
+ if ((offset - base_offset) & (ASAN_RED_ZONE_SIZE - 1))
+ {
+ int i;
+ HOST_WIDE_INT aoff
+ = base_offset + ((offset - base_offset)
+ & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
+ shadow_mem = adjust_address (shadow_mem, VOIDmode,
+ (aoff - prev_offset)
+ >> ASAN_SHADOW_SHIFT);
+ prev_offset = aoff;
+ for (i = 0; i < 4; i++, aoff += (1 << ASAN_SHADOW_SHIFT))
+ if (aoff < offset)
+ {
+ if (aoff < offset - (1 << ASAN_SHADOW_SHIFT) + 1)
+ shadow_bytes[i] = 0;
+ else
+ shadow_bytes[i] = offset - aoff;
+ }
+ else
+ shadow_bytes[i] = ASAN_STACK_MAGIC_PARTIAL;
+ emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
+ offset = aoff;
+ }
+ while (offset <= offsets[l - 2] - ASAN_RED_ZONE_SIZE)
+ {
+ shadow_mem = adjust_address (shadow_mem, VOIDmode,
+ (offset - prev_offset)
+ >> ASAN_SHADOW_SHIFT);
+ prev_offset = offset;
+ memset (shadow_bytes, cur_shadow_byte, 4);
+ emit_move_insn (shadow_mem, asan_shadow_cst (shadow_bytes));
+ offset += ASAN_RED_ZONE_SIZE;
+ }
+ cur_shadow_byte = ASAN_STACK_MAGIC_MIDDLE;
+ }
+
+ /* Construct epilogue sequence. */
+ start_sequence ();
+
+ shadow_mem = gen_rtx_MEM (SImode, shadow_base);
+ set_mem_alias_set (shadow_mem, asan_shadow_set);
+ prev_offset = base_offset;
+ last_offset = base_offset;
+ last_size = 0;
+ for (l = length; l; l -= 2)
+ {
+ offset = base_offset + ((offsets[l - 1] - base_offset)
+ & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1));
+ if (last_offset + last_size != offset)
+ {
+ shadow_mem = adjust_address (shadow_mem, VOIDmode,
+ (last_offset - prev_offset)
+ >> ASAN_SHADOW_SHIFT);
+ prev_offset = last_offset;
+ clear_storage (shadow_mem, GEN_INT (last_size >> ASAN_SHADOW_SHIFT),
+ BLOCK_OP_NORMAL);
+ last_offset = offset;
+ last_size = 0;
+ }
+ last_size += base_offset + ((offsets[l - 2] - base_offset)
+ & ~(ASAN_RED_ZONE_SIZE - HOST_WIDE_INT_1))
+ - offset;
+ }
+ if (last_size)
+ {
+ shadow_mem = adjust_address (shadow_mem, VOIDmode,
+ (last_offset - prev_offset)
+ >> ASAN_SHADOW_SHIFT);
+ clear_storage (shadow_mem, GEN_INT (last_size >> ASAN_SHADOW_SHIFT),
+ BLOCK_OP_NORMAL);
+ }
+
+ ret = get_insns ();
+ end_sequence ();
+ return ret;
+}
+
/* Construct a function tree for __asan_report_{load,store}{1,2,4,8,16}.
IS_STORE is either 1 (for a store) or 0 (for a load).
SIZE_IN_BYTES is one of 1, 2, 4, 8, 16. */
@@ -401,12 +573,12 @@ asan_finish_file (void)
static void
asan_init_shadow_ptr_types (void)
{
- alias_set_type set = new_alias_set ();
+ asan_shadow_set = new_alias_set ();
shadow_ptr_types[0] = build_distinct_type_copy (unsigned_char_type_node);
- TYPE_ALIAS_SET (shadow_ptr_types[0]) = set;
+ TYPE_ALIAS_SET (shadow_ptr_types[0]) = asan_shadow_set;
shadow_ptr_types[0] = build_pointer_type (shadow_ptr_types[0]);
shadow_ptr_types[1] = build_distinct_type_copy (short_unsigned_type_node);
- TYPE_ALIAS_SET (shadow_ptr_types[1]) = set;
+ TYPE_ALIAS_SET (shadow_ptr_types[1]) = asan_shadow_set;
shadow_ptr_types[1] = build_pointer_type (shadow_ptr_types[1]);
}
--- gcc/cfgexpand.c.jj 2012-10-11 19:09:43.000000000 +0200
+++ gcc/cfgexpand.c 2012-10-12 18:08:32.823675395 +0200
@@ -47,6 +47,7 @@ along with GCC; see the file COPYING3.
#include "cfgloop.h"
#include "regs.h" /* For reg_renumber. */
#include "insn-attr.h" /* For INSN_SCHEDULING. */
+#include "asan.h"
/* This variable holds information helping the rewriting of SSA trees
into RTL. */
@@ -835,12 +836,16 @@ expand_one_stack_var_at (tree decl, rtx
set_rtl (decl, x);
}
+DEF_VEC_I(HOST_WIDE_INT);
+DEF_VEC_ALLOC_I(HOST_WIDE_INT,heap);
+
/* A subroutine of expand_used_vars. Give each partition representative
a unique location within the stack frame. Update each partition member
with that location. */
static void
-expand_stack_vars (bool (*pred) (tree))
+expand_stack_vars (bool (*pred) (tree), VEC(HOST_WIDE_INT, heap) **asan_vec,
+ VEC(tree, heap) **asan_decl_vec)
{
size_t si, i, j, n = stack_vars_num;
HOST_WIDE_INT large_size = 0, large_alloc = 0;
@@ -917,7 +922,21 @@ expand_stack_vars (bool (*pred) (tree))
alignb = stack_vars[i].alignb;
if (alignb * BITS_PER_UNIT <= MAX_SUPPORTED_STACK_ALIGNMENT)
{
- offset = alloc_stack_frame_space (stack_vars[i].size, alignb);
+ if (flag_asan)
+ {
+ HOST_WIDE_INT prev_offset = frame_offset;
+ offset
+ = alloc_stack_frame_space (stack_vars[i].size
+ + ASAN_RED_ZONE_SIZE,
+ MAX (alignb, ASAN_RED_ZONE_SIZE));
+ VEC_safe_push (HOST_WIDE_INT, heap, *asan_vec,
+ prev_offset);
+ VEC_safe_push (HOST_WIDE_INT, heap, *asan_vec,
+ offset + stack_vars[i].size);
+ VEC_safe_push (tree, heap, *asan_decl_vec, decl);
+ }
+ else
+ offset = alloc_stack_frame_space (stack_vars[i].size, alignb);
base = virtual_stack_vars_rtx;
base_align = crtl->max_used_stack_slot_alignment;
}
@@ -1055,8 +1074,9 @@ static bool
defer_stack_allocation (tree var, bool toplevel)
{
/* If stack protection is enabled, *all* stack variables must be deferred,
- so that we can re-order the strings to the top of the frame. */
- if (flag_stack_protect)
+ so that we can re-order the strings to the top of the frame.
+ Similarly for Address Sanitizer. */
+ if (flag_stack_protect || flag_asan)
return true;
/* We handle "large" alignment via dynamic allocation. We want to handle
@@ -1446,11 +1466,12 @@ estimated_stack_frame_size (struct cgrap
/* Expand all variables used in the function. */
-static void
+static rtx
expand_used_vars (void)
{
tree var, outer_block = DECL_INITIAL (current_function_decl);
VEC(tree,heap) *maybe_local_decls = NULL;
+ rtx var_end_seq = NULL_RTX;
struct pointer_map_t *ssa_name_decls;
unsigned i;
unsigned len;
@@ -1601,6 +1622,9 @@ expand_used_vars (void)
/* Assign rtl to each variable based on these partitions. */
if (stack_vars_num > 0)
{
+ VEC(HOST_WIDE_INT, heap) *asan_vec = NULL;
+ VEC(tree, heap) *asan_decl_vec = NULL;
+
/* Reorder decls to be protected by iterating over the variables
array multiple times, and allocating out of each phase in turn. */
/* ??? We could probably integrate this into the qsort we did
@@ -1609,14 +1633,37 @@ expand_used_vars (void)
if (has_protected_decls)
{
/* Phase 1 contains only character arrays. */
- expand_stack_vars (stack_protect_decl_phase_1);
+ expand_stack_vars (stack_protect_decl_phase_1,
+ &asan_vec, &asan_decl_vec);
/* Phase 2 contains other kinds of arrays. */
if (flag_stack_protect == 2)
- expand_stack_vars (stack_protect_decl_phase_2);
+ expand_stack_vars (stack_protect_decl_phase_2,
+ &asan_vec, &asan_decl_vec);
}
- expand_stack_vars (NULL);
+ expand_stack_vars (NULL, &asan_vec, &asan_decl_vec);
+
+ if (!VEC_empty (HOST_WIDE_INT, asan_vec))
+ {
+ HOST_WIDE_INT prev_offset = frame_offset;
+ HOST_WIDE_INT offset
+ = alloc_stack_frame_space (ASAN_RED_ZONE_SIZE,
+ ASAN_RED_ZONE_SIZE);
+ VEC_safe_push (HOST_WIDE_INT, heap, asan_vec, prev_offset);
+ VEC_safe_push (HOST_WIDE_INT, heap, asan_vec, offset);
+
+ var_end_seq
+ = asan_emit_stack_protection (virtual_stack_vars_rtx,
+ VEC_address (HOST_WIDE_INT,
+ asan_vec),
+ VEC_address (tree,
+ asan_decl_vec),
+ VEC_length (HOST_WIDE_INT,
+ asan_vec));
+ }
+ VEC_free (HOST_WIDE_INT, heap, asan_vec);
+ VEC_free (tree, heap, asan_decl_vec);
}
fini_vars_expansion ();
@@ -1643,6 +1690,8 @@ expand_used_vars (void)
frame_offset += align - 1;
frame_offset &= -align;
}
+
+ return var_end_seq;
}
--- gcc/asan.h.jj 2012-10-11 20:13:17.000000000 +0200
+++ gcc/asan.h 2012-10-12 17:05:21.903904415 +0200
@@ -21,10 +21,31 @@ along with GCC; see the file COPYING3.
#ifndef TREE_ASAN
#define TREE_ASAN
-extern void asan_finish_file(void);
+extern void asan_finish_file (void);
+extern rtx asan_emit_stack_protection (rtx, HOST_WIDE_INT *, tree *, int);
+
+/* Alias set for accessing the shadow memory. */
+extern alias_set_type asan_shadow_set;
/* Shadow memory is found at
(address >> ASAN_SHADOW_SHIFT) + targetm.asan_shadow_offset (). */
#define ASAN_SHADOW_SHIFT 3
+/* Red zone size, stack and global variables are padded by ASAN_RED_ZONE_SIZE
+ up to 2 * ASAN_RED_ZONE_SIZE - 1 bytes. */
+#define ASAN_RED_ZONE_SIZE 32
+
+/* Shadow memory values for stack protection. Left is below protected vars,
+ the first pointer in stack corresponding to that offset contains
+ ASAN_STACK_FRAME_MAGIC word, the second pointer to a string describing
+ the frame. Middle is for padding in between variables, right is
+ above the last protected variable and partial immediately after variables
+ up to ASAN_RED_ZONE_SIZE alignment. */
+#define ASAN_STACK_MAGIC_LEFT 0xf1
+#define ASAN_STACK_MAGIC_MIDDLE 0xf2
+#define ASAN_STACK_MAGIC_RIGHT 0xf3
+#define ASAN_STACK_MAGIC_PARTIAL 0xf4
+
+#define ASAN_STACK_FRAME_MAGIC 0x41b58ab3
+
#endif /* TREE_ASAN */
--- gcc/toplev.c.jj 2012-10-11 19:20:01.000000000 +0200
+++ gcc/toplev.c 2012-10-12 12:10:46.548879467 +0200
@@ -1544,7 +1544,9 @@ process_options (void)
}
/* Address Sanitizer needs porting to each target architecture. */
- if (flag_asan && targetm.asan_shadow_offset == NULL)
+ if (flag_asan
+ && (targetm.asan_shadow_offset == NULL
+ || !FRAME_GROWS_DOWNWARD))
{
warning (0, "-fasan not supported for this target");
flag_asan = 0;
Jakub
