doxygen/BoundsChecking_8cpp_source.html

//===- BoundsChecking.cpp - Instrumentation for run-time bounds checking --===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//


#include "llvm/Transforms/Instrumentation/BoundsChecking.h"

#include "llvm/ADT/Statistic.h"

#include "llvm/ADT/Twine.h"

#include "llvm/Analysis/MemoryBuiltins.h"

#include "llvm/Analysis/ScalarEvolution.h"

#include "llvm/Analysis/TargetFolder.h"

#include "llvm/Analysis/TargetLibraryInfo.h"

#include "llvm/IR/BasicBlock.h"

#include "llvm/IR/Constants.h"

#include "llvm/IR/DataLayout.h"

#include "llvm/IR/Function.h"

#include "llvm/IR/IRBuilder.h"

#include "llvm/IR/InstIterator.h"

#include "llvm/IR/Instruction.h"

#include "llvm/IR/Instructions.h"

#include "llvm/IR/Intrinsics.h"

#include "llvm/IR/Value.h"

#include "llvm/Support/Casting.h"

#include "llvm/Support/CommandLine.h"

#include "llvm/Support/Debug.h"

#include "llvm/Support/raw_ostream.h"

#include <cstdint>

#include <utility>


using namespace llvm;


#define DEBUG_TYPE "bounds-checking"


static cl::opt<bool> SingleTrapBB("bounds-checking-single-trap",

                                  cl::desc("Use one trap block per function"));


static cl::opt<bool> DebugTrapBB("bounds-checking-unique-traps",

                                 cl::desc("Always use one trap per check"));


STATISTIC(ChecksAdded, "Bounds checks added");

STATISTIC(ChecksSkipped, "Bounds checks skipped");

STATISTIC(ChecksUnable, "Bounds checks unable to add");


using BuilderTy = IRBuilder<TargetFolder>;


/// Gets the conditions under which memory accessing instructions will overflow.

///

/// \p Ptr is the pointer that will be read/written, and \p InstVal is either

/// the result from the load or the value being stored. It is used to determine

/// the size of memory block that is touched.

///

/// Returns the condition under which the access will overflow.

static Value *getBoundsCheckCond(Value *Ptr, Value *InstVal,

                                 const DataLayout &DL, TargetLibraryInfo &TLI,

                                 ObjectSizeOffsetEvaluator &ObjSizeEval,

                                 BuilderTy &IRB, ScalarEvolution &SE) {

  TypeSize NeededSize = DL.getTypeStoreSize(InstVal->getType());

  LLVM_DEBUG(dbgs() << "Instrument " << *Ptr << " for " << Twine(NeededSize)

                    << " bytes\n");


  SizeOffsetEvalType SizeOffset = ObjSizeEval.compute(Ptr);


  if (!ObjSizeEval.bothKnown(SizeOffset)) {

    ++ChecksUnable;

    return nullptr;

  }


  Value *Size   = SizeOffset.first;

  Value *Offset = SizeOffset.second;

  ConstantInt *SizeCI = dyn_cast<ConstantInt>(Size);


  Type *IndexTy = DL.getIndexType(Ptr->getType());

  Value *NeededSizeVal = IRB.CreateTypeSize(IndexTy, NeededSize);


  auto SizeRange = SE.getUnsignedRange(SE.getSCEV(Size));

  auto OffsetRange = SE.getUnsignedRange(SE.getSCEV(Offset));

  auto NeededSizeRange = SE.getUnsignedRange(SE.getSCEV(NeededSizeVal));


  // three checks are required to ensure safety:

  // . Offset >= 0  (since the offset is given from the base ptr)

  // . Size >= Offset  (unsigned)

  // . Size - Offset >= NeededSize  (unsigned)

  //

  // optimization: if Size >= 0 (signed), skip 1st check

  // FIXME: add NSW/NUW here?  -- we dont care if the subtraction overflows

  Value *ObjSize = IRB.CreateSub(Size, Offset);

  Value *Cmp2 = SizeRange.getUnsignedMin().uge(OffsetRange.getUnsignedMax())

                    ? ConstantInt::getFalse(Ptr->getContext())

                    : IRB.CreateICmpULT(Size, Offset);

  Value *Cmp3 = SizeRange.sub(OffsetRange)

                        .getUnsignedMin()

                        .uge(NeededSizeRange.getUnsignedMax())

                    ? ConstantInt::getFalse(Ptr->getContext())

                    : IRB.CreateICmpULT(ObjSize, NeededSizeVal);

  Value *Or = IRB.CreateOr(Cmp2, Cmp3);

  if ((!SizeCI || SizeCI->getValue().slt(0)) &&

      !SizeRange.getSignedMin().isNonNegative()) {

    Value *Cmp1 = IRB.CreateICmpSLT(Offset, ConstantInt::get(IndexTy, 0));

    Or = IRB.CreateOr(Cmp1, Or);

  }


  return Or;

}


/// Adds run-time bounds checks to memory accessing instructions.

///

/// \p Or is the condition that should guard the trap.

///

/// \p GetTrapBB is a callable that returns the trap BB to use on failure.

template <typename GetTrapBBT>

static void insertBoundsCheck(Value *Or, BuilderTy &IRB, GetTrapBBT GetTrapBB) {

  // check if the comparison is always false

  ConstantInt *C = dyn_cast_or_null<ConstantInt>(Or);

  if (C) {

    ++ChecksSkipped;

    // If non-zero, nothing to do.

    if (!C->getZExtValue())

      return;

  }

  ++ChecksAdded;


  BasicBlock::iterator SplitI = IRB.GetInsertPoint();

  BasicBlock *OldBB = SplitI->getParent();

  BasicBlock *Cont = OldBB->splitBasicBlock(SplitI);

  OldBB->getTerminator()->eraseFromParent();


  if (C) {

    // If we have a constant zero, unconditionally branch.

    // FIXME: We should really handle this differently to bypass the splitting

    // the block.

    BranchInst::Create(GetTrapBB(IRB), OldBB);

    return;

  }


  // Create the conditional branch.

  BranchInst::Create(GetTrapBB(IRB), Cont, Or, OldBB);

}


static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI,

                              ScalarEvolution &SE) {

  if (F.hasFnAttribute(Attribute::NoSanitizeBounds))

    return false;


  const DataLayout &DL = F.getParent()->getDataLayout();

  ObjectSizeOpts EvalOpts;

  EvalOpts.RoundToAlign = true;

  EvalOpts.EvalMode = ObjectSizeOpts::Mode::ExactUnderlyingSizeAndOffset;

  ObjectSizeOffsetEvaluator ObjSizeEval(DL, &TLI, F.getContext(), EvalOpts);


  // check HANDLE_MEMORY_INST in include/llvm/Instruction.def for memory

  // touching instructions

  SmallVector<std::pair<Instruction *, Value *>, 4> TrapInfo;

  for (Instruction &I : instructions(F)) {

    Value *Or = nullptr;

    BuilderTy IRB(I.getParent(), BasicBlock::iterator(&I), TargetFolder(DL));

    if (LoadInst *LI = dyn_cast<LoadInst>(&I)) {

      if (!LI->isVolatile())

        Or = getBoundsCheckCond(LI->getPointerOperand(), LI, DL, TLI,

                                ObjSizeEval, IRB, SE);

    } else if (StoreInst *SI = dyn_cast<StoreInst>(&I)) {

      if (!SI->isVolatile())

        Or = getBoundsCheckCond(SI->getPointerOperand(), SI->getValueOperand(),

                                DL, TLI, ObjSizeEval, IRB, SE);

    } else if (AtomicCmpXchgInst *AI = dyn_cast<AtomicCmpXchgInst>(&I)) {

      if (!AI->isVolatile())

        Or =

            getBoundsCheckCond(AI->getPointerOperand(), AI->getCompareOperand(),

                               DL, TLI, ObjSizeEval, IRB, SE);

    } else if (AtomicRMWInst *AI = dyn_cast<AtomicRMWInst>(&I)) {

      if (!AI->isVolatile())

        Or = getBoundsCheckCond(AI->getPointerOperand(), AI->getValOperand(),

                                DL, TLI, ObjSizeEval, IRB, SE);

    }

    if (Or)

      TrapInfo.push_back(std::make_pair(&I, Or));

  }


  // Create a trapping basic block on demand using a callback. Depending on

  // flags, this will either create a single block for the entire function or

  // will create a fresh block every time it is called.

  BasicBlock *TrapBB = nullptr;

  auto GetTrapBB = [&TrapBB](BuilderTy &IRB) {

    Function *Fn = IRB.GetInsertBlock()->getParent();

    auto DebugLoc = IRB.getCurrentDebugLocation();

    IRBuilder<>::InsertPointGuard Guard(IRB);


    if (TrapBB && SingleTrapBB && !DebugTrapBB)

      return TrapBB;


    TrapBB = BasicBlock::Create(Fn->getContext(), "trap", Fn);

    IRB.SetInsertPoint(TrapBB);


    Intrinsic::ID IntrID = DebugTrapBB ? Intrinsic::ubsantrap : Intrinsic::trap;

    auto *F = Intrinsic::getDeclaration(Fn->getParent(), IntrID);


    CallInst *TrapCall;

    if (DebugTrapBB) {

      TrapCall =

          IRB.CreateCall(F, ConstantInt::get(IRB.getInt8Ty(), Fn->size()));

    } else {

      TrapCall = IRB.CreateCall(F, {});

    }


    TrapCall->setDoesNotReturn();

    TrapCall->setDoesNotThrow();

    TrapCall->setDebugLoc(DebugLoc);

    IRB.CreateUnreachable();


    return TrapBB;

  };


  // Add the checks.

  for (const auto &Entry : TrapInfo) {

    Instruction *Inst = Entry.first;

    BuilderTy IRB(Inst->getParent(), BasicBlock::iterator(Inst), TargetFolder(DL));

    insertBoundsCheck(Entry.second, IRB, GetTrapBB);

  }


  return !TrapInfo.empty();

}


PreservedAnalyses BoundsCheckingPass::run(Function &F, FunctionAnalysisManager &AM) {

  auto &TLI = AM.getResult<TargetLibraryAnalysis>(F);

  auto &SE = AM.getResult<ScalarEvolutionAnalysis>(F);


  if (!addBoundsChecking(F, TLI, SE))

    return PreservedAnalyses::all();


  return PreservedAnalyses::none();

}

DL
MachineBasicBlock MachineBasicBlock::iterator DebugLoc DL
Definition: AArch64SLSHardening.cpp:76

BasicBlock.h

insertBoundsCheck
static void insertBoundsCheck(Value *Or, BuilderTy &IRB, GetTrapBBT GetTrapBB)
Adds run-time bounds checks to memory accessing instructions.
Definition: BoundsChecking.cpp:114

DebugTrapBB
static cl::opt< bool > DebugTrapBB("bounds-checking-unique-traps", cl::desc("Always use one trap per check"))

getBoundsCheckCond
static Value * getBoundsCheckCond(Value *Ptr, Value *InstVal, const DataLayout &DL, TargetLibraryInfo &TLI, ObjectSizeOffsetEvaluator &ObjSizeEval, BuilderTy &IRB, ScalarEvolution &SE)
Gets the conditions under which memory accessing instructions will overflow.
Definition: BoundsChecking.cpp:56

addBoundsChecking
static bool addBoundsChecking(Function &F, TargetLibraryInfo &TLI, ScalarEvolution &SE)
Definition: BoundsChecking.cpp:142

SingleTrapBB
static cl::opt< bool > SingleTrapBB("bounds-checking-single-trap", cl::desc("Use one trap block per function"))

BoundsChecking.h

Casting.h

CommandLine.h

Constants.h
This file contains the declarations for the subclasses of Constant, which represent the different fla...

DataLayout.h

Debug.h

LLVM_DEBUG
#define LLVM_DEBUG(X)
Definition: Debug.h:101

Size
uint64_t Size
Definition: ELFObjHandler.cpp:81

Function.h

IRBuilder.h

Instruction.h

InstIterator.h

instructions
Select target instructions out of generic instructions
Definition: InstructionSelect.cpp:58

Instructions.h

Intrinsics.h

F
#define F(x, y, z)
Definition: MD5.cpp:55

I
#define I(x, y, z)
Definition: MD5.cpp:58

MemoryBuiltins.h

ScalarEvolution.h

Statistic.h
This file defines the 'Statistic' class, which is designed to be an easy way to expose various metric...

STATISTIC
#define STATISTIC(VARNAME, DESC)
Definition: Statistic.h:167

TargetFolder.h

Ptr
@ Ptr
Definition: TargetLibraryInfo.cpp:65

TargetLibraryInfo.h

Twine.h

Value.h

llvm::APInt::slt
bool slt(const APInt &RHS) const
Signed less than comparison.
Definition: APInt.h:1102

llvm::AnalysisManager
A container for analyses that lazily runs them and caches their results.
Definition: PassManager.h:620

llvm::AnalysisManager::getResult
PassT::Result & getResult(IRUnitT &IR, ExtraArgTs... ExtraArgs)
Get the result of an analysis pass for a given IR unit.
Definition: PassManager.h:774

llvm::AtomicCmpXchgInst
An instruction that atomically checks whether a specified value is in a memory location,...
Definition: Instructions.h:513

llvm::AtomicRMWInst
an instruction that atomically reads a memory location, combines it with another value,...
Definition: Instructions.h:718

llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:56

llvm::BasicBlock::Create
static BasicBlock * Create(LLVMContext &Context, const Twine &Name="", Function *Parent=nullptr, BasicBlock *InsertBefore=nullptr)
Creates a new BasicBlock.
Definition: BasicBlock.h:105

llvm::BasicBlock::splitBasicBlock
BasicBlock * splitBasicBlock(iterator I, const Twine &BBName="", bool Before=false)
Split the basic block into two basic blocks at the specified instruction.
Definition: BasicBlock.cpp:414

llvm::BasicBlock::getParent
const Function * getParent() const
Return the enclosing method, or null if none.
Definition: BasicBlock.h:112

llvm::BasicBlock::iterator
InstListType::iterator iterator
Instruction iterators...
Definition: BasicBlock.h:87

llvm::BasicBlock::getTerminator
const Instruction * getTerminator() const LLVM_READONLY
Returns the terminator instruction if the block is well formed or null if the block is not well forme...
Definition: BasicBlock.h:127

llvm::BranchInst::Create
static BranchInst * Create(BasicBlock *IfTrue, Instruction *InsertBefore=nullptr)
Definition: Instructions.h:3193

llvm::CallBase::setDoesNotReturn
void setDoesNotReturn()
Definition: InstrTypes.h:1920

llvm::CallBase::setDoesNotThrow
void setDoesNotThrow()
Definition: InstrTypes.h:1927

llvm::CallInst
This class represents a function call, abstracting a target machine's calling convention.
Definition: Instructions.h:1468

llvm::ConstantInt
This is the shared class of boolean and integer constants.
Definition: Constants.h:78

llvm::ConstantInt::get
static Constant * get(Type *Ty, uint64_t V, bool IsSigned=false)
If Ty is a vector type, return a Constant with a splat of the given value.
Definition: Constants.cpp:888

llvm::ConstantInt::getFalse
static ConstantInt * getFalse(LLVMContext &Context)
Definition: Constants.cpp:840

llvm::ConstantInt::getValue
const APInt & getValue() const
Return the constant as an APInt value reference.
Definition: Constants.h:136

llvm::DataLayout
A parsed version of the target data layout string in and methods for querying it.
Definition: DataLayout.h:110

llvm::DebugLoc
A debug info location.
Definition: DebugLoc.h:33

llvm::Function
Definition: Function.h:60

llvm::Function::size
size_t size() const
Definition: Function.h:768

llvm::Function::getContext
LLVMContext & getContext() const
getContext - Return a reference to the LLVMContext associated with this function.
Definition: Function.cpp:320

llvm::GlobalValue::getParent
Module * getParent()
Get the module that this global value is contained inside of...
Definition: GlobalValue.h:652

llvm::IRBuilderBase::CreateICmpULT
Value * CreateICmpULT(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2216

llvm::IRBuilderBase::GetInsertPoint
BasicBlock::iterator GetInsertPoint() const
Definition: IRBuilder.h:175

llvm::IRBuilderBase::CreateTypeSize
Value * CreateTypeSize(Type *DstType, TypeSize Size)
Create an expression which evaluates to the number of units in Size at runtime.
Definition: IRBuilder.cpp:104

llvm::IRBuilderBase::CreateSub
Value * CreateSub(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1335

llvm::IRBuilderBase::CreateOr
Value * CreateOr(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1488

llvm::IRBuilderBase::CreateICmpSLT
Value * CreateICmpSLT(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2232

llvm::IRBuilder
This provides a uniform API for creating instructions and inserting them into a basic block: either a...
Definition: IRBuilder.h:2625

llvm::Instruction
Definition: Instruction.h:42

llvm::Instruction::getParent
const BasicBlock * getParent() const
Definition: Instruction.h:90

llvm::Instruction::eraseFromParent
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks 'this' from the containing basic block and deletes it.
Definition: Instruction.cpp:83

llvm::Instruction::setDebugLoc
void setDebugLoc(DebugLoc Loc)
Set the debug location information for this instruction.
Definition: Instruction.h:389

llvm::LoadInst
An instruction for reading from memory.
Definition: Instructions.h:177

llvm::ObjectSizeOffsetEvaluator
Evaluate the size and offset of an object pointed to by a Value*.
Definition: MemoryBuiltins.h:261

llvm::ObjectSizeOffsetEvaluator::compute
SizeOffsetEvalType compute(Value *V)
Definition: MemoryBuiltins.cpp:1050

llvm::ObjectSizeOffsetEvaluator::bothKnown
bool bothKnown(SizeOffsetEvalType SizeOffset)
Definition: MemoryBuiltins.h:302

llvm::PreservedAnalyses
A set of analyses that are preserved following a run of a transformation pass.
Definition: PassManager.h:152

llvm::PreservedAnalyses::none
static PreservedAnalyses none()
Convenience factory function for the empty preserved set.
Definition: PassManager.h:155

llvm::PreservedAnalyses::all
static PreservedAnalyses all()
Construct a special preserved set that preserves all passes.
Definition: PassManager.h:158

llvm::ScalarEvolutionAnalysis
Analysis pass that exposes the ScalarEvolution for a function.
Definition: ScalarEvolution.h:2227

llvm::ScalarEvolution
The main scalar evolution driver.
Definition: ScalarEvolution.h:452

llvm::ScalarEvolution::getSCEV
const SCEV * getSCEV(Value *V)
Return a SCEV expression for the full generality of the specified expression.
Definition: ScalarEvolution.cpp:4511

llvm::ScalarEvolution::getUnsignedRange
ConstantRange getUnsignedRange(const SCEV *S)
Determine the unsigned range for a particular SCEV.
Definition: ScalarEvolution.h:974

llvm::SmallVectorBase::empty
bool empty() const
Definition: SmallVector.h:94

llvm::SmallVectorTemplateBase::push_back
void push_back(const T &Elt)
Definition: SmallVector.h:416

llvm::SmallVector
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
Definition: SmallVector.h:1200

llvm::StoreInst
An instruction for storing to memory.
Definition: Instructions.h:301

llvm::TargetFolder
TargetFolder - Create constants with target dependent folding.
Definition: TargetFolder.h:34

llvm::TargetLibraryAnalysis
Analysis pass providing the TargetLibraryInfo.
Definition: TargetLibraryInfo.h:546

llvm::TargetLibraryInfo
Provides information about what library functions are available for the current target.
Definition: TargetLibraryInfo.h:238

llvm::Twine
Twine - A lightweight data structure for efficiently representing the concatenation of temporary valu...
Definition: Twine.h:81

llvm::TypeSize
Definition: TypeSize.h:314

llvm::Type
The instances of the Type class are immutable: once they are created, they are never changed.
Definition: Type.h:45

llvm::Value
LLVM Value Representation.
Definition: Value.h:74

llvm::Value::getType
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:255

llvm::cl::opt
Definition: CommandLine.h:1414

unsigned

llvm::CallingConv::C
@ C
The default llvm calling convention, compatible with C.
Definition: CallingConv.h:34

llvm::Intrinsic::getDeclaration
Function * getDeclaration(Module *M, ID id, ArrayRef< Type * > Tys=std::nullopt)
Create or insert an LLVM Function declaration for an intrinsic, and return it.
Definition: Function.cpp:1422

llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18

llvm::Offset
@ Offset
Definition: DWP.cpp:440

llvm::SizeOffsetEvalType
std::pair< Value *, Value * > SizeOffsetEvalType
Definition: MemoryBuiltins.h:256

llvm::dbgs
raw_ostream & dbgs()
dbgs() - This returns a reference to a raw_ostream for debugging messages.
Definition: Debug.cpp:163

llvm::RecurKind::Or
@ Or
Bitwise or logical OR of integers.

raw_ostream.h

llvm::BoundsCheckingPass::run
PreservedAnalyses run(Function &F, FunctionAnalysisManager &AM)
Definition: BoundsChecking.cpp:225

llvm::ObjectSizeOpts
Various options to control the behavior of getObjectSize.
Definition: MemoryBuiltins.h:139

llvm::ObjectSizeOpts::EvalMode
Mode EvalMode
How we want to evaluate this object's size.
Definition: MemoryBuiltins.h:156

llvm::ObjectSizeOpts::RoundToAlign
bool RoundToAlign
Whether to round the result up to the alignment of allocas, byval arguments, and global variables.
Definition: MemoryBuiltins.h:159

llvm::cl::desc
Definition: CommandLine.h:411