LLVM 20.0.0git
MemorySanitizer.cpp
Go to the documentation of this file.
1//===- MemorySanitizer.cpp - detector of uninitialized reads --------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9/// \file
10/// This file is a part of MemorySanitizer, a detector of uninitialized
11/// reads.
12///
13/// The algorithm of the tool is similar to Memcheck
14/// (https://static.usenix.org/event/usenix05/tech/general/full_papers/seward/seward_html/usenix2005.html)
15/// We associate a few shadow bits with every byte of the application memory,
16/// poison the shadow of the malloc-ed or alloca-ed memory, load the shadow,
17/// bits on every memory read, propagate the shadow bits through some of the
18/// arithmetic instruction (including MOV), store the shadow bits on every
19/// memory write, report a bug on some other instructions (e.g. JMP) if the
20/// associated shadow is poisoned.
21///
22/// But there are differences too. The first and the major one:
23/// compiler instrumentation instead of binary instrumentation. This
24/// gives us much better register allocation, possible compiler
25/// optimizations and a fast start-up. But this brings the major issue
26/// as well: msan needs to see all program events, including system
27/// calls and reads/writes in system libraries, so we either need to
28/// compile *everything* with msan or use a binary translation
29/// component (e.g. DynamoRIO) to instrument pre-built libraries.
30/// Another difference from Memcheck is that we use 8 shadow bits per
31/// byte of application memory and use a direct shadow mapping. This
32/// greatly simplifies the instrumentation code and avoids races on
33/// shadow updates (Memcheck is single-threaded so races are not a
34/// concern there. Memcheck uses 2 shadow bits per byte with a slow
35/// path storage that uses 8 bits per byte).
36///
37/// The default value of shadow is 0, which means "clean" (not poisoned).
38///
39/// Every module initializer should call __msan_init to ensure that the
40/// shadow memory is ready. On error, __msan_warning is called. Since
41/// parameters and return values may be passed via registers, we have a
42/// specialized thread-local shadow for return values
43/// (__msan_retval_tls) and parameters (__msan_param_tls).
44///
45/// Origin tracking.
46///
47/// MemorySanitizer can track origins (allocation points) of all uninitialized
48/// values. This behavior is controlled with a flag (msan-track-origins) and is
49/// disabled by default.
50///
51/// Origins are 4-byte values created and interpreted by the runtime library.
52/// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
53/// of application memory. Propagation of origins is basically a bunch of
54/// "select" instructions that pick the origin of a dirty argument, if an
55/// instruction has one.
56///
57/// Every 4 aligned, consecutive bytes of application memory have one origin
58/// value associated with them. If these bytes contain uninitialized data
59/// coming from 2 different allocations, the last store wins. Because of this,
60/// MemorySanitizer reports can show unrelated origins, but this is unlikely in
61/// practice.
62///
63/// Origins are meaningless for fully initialized values, so MemorySanitizer
64/// avoids storing origin to memory when a fully initialized value is stored.
65/// This way it avoids needless overwriting origin of the 4-byte region on
66/// a short (i.e. 1 byte) clean store, and it is also good for performance.
67///
68/// Atomic handling.
69///
70/// Ideally, every atomic store of application value should update the
71/// corresponding shadow location in an atomic way. Unfortunately, atomic store
72/// of two disjoint locations can not be done without severe slowdown.
73///
74/// Therefore, we implement an approximation that may err on the safe side.
75/// In this implementation, every atomically accessed location in the program
76/// may only change from (partially) uninitialized to fully initialized, but
77/// not the other way around. We load the shadow _after_ the application load,
78/// and we store the shadow _before_ the app store. Also, we always store clean
79/// shadow (if the application store is atomic). This way, if the store-load
80/// pair constitutes a happens-before arc, shadow store and load are correctly
81/// ordered such that the load will get either the value that was stored, or
82/// some later value (which is always clean).
83///
84/// This does not work very well with Compare-And-Swap (CAS) and
85/// Read-Modify-Write (RMW) operations. To follow the above logic, CAS and RMW
86/// must store the new shadow before the app operation, and load the shadow
87/// after the app operation. Computers don't work this way. Current
88/// implementation ignores the load aspect of CAS/RMW, always returning a clean
89/// value. It implements the store part as a simple atomic store by storing a
90/// clean shadow.
91///
92/// Instrumenting inline assembly.
93///
94/// For inline assembly code LLVM has little idea about which memory locations
95/// become initialized depending on the arguments. It can be possible to figure
96/// out which arguments are meant to point to inputs and outputs, but the
97/// actual semantics can be only visible at runtime. In the Linux kernel it's
98/// also possible that the arguments only indicate the offset for a base taken
99/// from a segment register, so it's dangerous to treat any asm() arguments as
100/// pointers. We take a conservative approach generating calls to
101/// __msan_instrument_asm_store(ptr, size)
102/// , which defer the memory unpoisoning to the runtime library.
103/// The latter can perform more complex address checks to figure out whether
104/// it's safe to touch the shadow memory.
105/// Like with atomic operations, we call __msan_instrument_asm_store() before
106/// the assembly call, so that changes to the shadow memory will be seen by
107/// other threads together with main memory initialization.
108///
109/// KernelMemorySanitizer (KMSAN) implementation.
110///
111/// The major differences between KMSAN and MSan instrumentation are:
112/// - KMSAN always tracks the origins and implies msan-keep-going=true;
113/// - KMSAN allocates shadow and origin memory for each page separately, so
114/// there are no explicit accesses to shadow and origin in the
115/// instrumentation.
116/// Shadow and origin values for a particular X-byte memory location
117/// (X=1,2,4,8) are accessed through pointers obtained via the
118/// __msan_metadata_ptr_for_load_X(ptr)
119/// __msan_metadata_ptr_for_store_X(ptr)
120/// functions. The corresponding functions check that the X-byte accesses
121/// are possible and returns the pointers to shadow and origin memory.
122/// Arbitrary sized accesses are handled with:
123/// __msan_metadata_ptr_for_load_n(ptr, size)
124/// __msan_metadata_ptr_for_store_n(ptr, size);
125/// Note that the sanitizer code has to deal with how shadow/origin pairs
126/// returned by the these functions are represented in different ABIs. In
127/// the X86_64 ABI they are returned in RDX:RAX, in PowerPC64 they are
128/// returned in r3 and r4, and in the SystemZ ABI they are written to memory
129/// pointed to by a hidden parameter.
130/// - TLS variables are stored in a single per-task struct. A call to a
131/// function __msan_get_context_state() returning a pointer to that struct
132/// is inserted into every instrumented function before the entry block;
133/// - __msan_warning() takes a 32-bit origin parameter;
134/// - local variables are poisoned with __msan_poison_alloca() upon function
135/// entry and unpoisoned with __msan_unpoison_alloca() before leaving the
136/// function;
137/// - the pass doesn't declare any global variables or add global constructors
138/// to the translation unit.
139///
140/// Also, KMSAN currently ignores uninitialized memory passed into inline asm
141/// calls, making sure we're on the safe side wrt. possible false positives.
142///
143/// KernelMemorySanitizer only supports X86_64, SystemZ and PowerPC64 at the
144/// moment.
145///
146//
147// FIXME: This sanitizer does not yet handle scalable vectors
148//
149//===----------------------------------------------------------------------===//
150
151#include "llvm/Transforms/Instrumentation/MemorySanitizer.h"
152#include "llvm/ADT/APInt.h"
153#include "llvm/ADT/ArrayRef.h"
154#include "llvm/ADT/DenseMap.h"
155#include "llvm/ADT/DepthFirstIterator.h"
156#include "llvm/ADT/SetVector.h"
157#include "llvm/ADT/SmallPtrSet.h"
158#include "llvm/ADT/SmallVector.h"
159#include "llvm/ADT/StringExtras.h"
160#include "llvm/ADT/StringRef.h"
161#include "llvm/Analysis/GlobalsModRef.h"
162#include "llvm/Analysis/TargetLibraryInfo.h"
163#include "llvm/Analysis/ValueTracking.h"
164#include "llvm/IR/Argument.h"
165#include "llvm/IR/AttributeMask.h"
166#include "llvm/IR/Attributes.h"
167#include "llvm/IR/BasicBlock.h"
168#include "llvm/IR/CallingConv.h"
169#include "llvm/IR/Constant.h"
170#include "llvm/IR/Constants.h"
171#include "llvm/IR/DataLayout.h"
172#include "llvm/IR/DerivedTypes.h"
173#include "llvm/IR/Function.h"
174#include "llvm/IR/GlobalValue.h"
175#include "llvm/IR/GlobalVariable.h"
176#include "llvm/IR/IRBuilder.h"
177#include "llvm/IR/InlineAsm.h"
178#include "llvm/IR/InstVisitor.h"
179#include "llvm/IR/InstrTypes.h"
180#include "llvm/IR/Instruction.h"
181#include "llvm/IR/Instructions.h"
182#include "llvm/IR/IntrinsicInst.h"
183#include "llvm/IR/Intrinsics.h"
184#include "llvm/IR/IntrinsicsAArch64.h"
185#include "llvm/IR/IntrinsicsX86.h"
186#include "llvm/IR/MDBuilder.h"
187#include "llvm/IR/Module.h"
188#include "llvm/IR/Type.h"
189#include "llvm/IR/Value.h"
190#include "llvm/IR/ValueMap.h"
191#include "llvm/Support/Alignment.h"
192#include "llvm/Support/AtomicOrdering.h"
193#include "llvm/Support/Casting.h"
194#include "llvm/Support/CommandLine.h"
195#include "llvm/Support/Debug.h"
196#include "llvm/Support/DebugCounter.h"
197#include "llvm/Support/ErrorHandling.h"
198#include "llvm/Support/MathExtras.h"
199#include "llvm/Support/raw_ostream.h"
200#include "llvm/TargetParser/Triple.h"
201#include "llvm/Transforms/Utils/BasicBlockUtils.h"
202#include "llvm/Transforms/Utils/Instrumentation.h"
203#include "llvm/Transforms/Utils/Local.h"
204#include "llvm/Transforms/Utils/ModuleUtils.h"
205#include <algorithm>
206#include <cassert>
207#include <cstddef>
208#include <cstdint>
209#include <memory>
210#include <string>
211#include <tuple>
212
213using namespace llvm;
214
215#define DEBUG_TYPE "msan"
216
217DEBUG_COUNTER(DebugInsertCheck, "msan-insert-check",
218 "Controls which checks to insert");
219
220DEBUG_COUNTER(DebugInstrumentInstruction, "msan-instrument-instruction",
221 "Controls which instruction to instrument");
222
223static const unsigned kOriginSize = 4;
224static const Align kMinOriginAlignment = Align(4);
225static const Align kShadowTLSAlignment = Align(8);
226
227// These constants must be kept in sync with the ones in msan.h.
228static const unsigned kParamTLSSize = 800;
229static const unsigned kRetvalTLSSize = 800;
230
231// Accesses sizes are powers of two: 1, 2, 4, 8.
232static const size_t kNumberOfAccessSizes = 4;
233
234/// Track origins of uninitialized values.
235///
236/// Adds a section to MemorySanitizer report that points to the allocation
237/// (stack or heap) the uninitialized bits came from originally.
238static cl::opt<int> ClTrackOrigins(
239 "msan-track-origins",
240 cl::desc("Track origins (allocation sites) of poisoned memory"), cl::Hidden,
241 cl::init(0));
242
243static cl::opt<bool> ClKeepGoing("msan-keep-going",
244 cl::desc("keep going after reporting a UMR"),
245 cl::Hidden, cl::init(false));
246
247static cl::opt<bool>
248 ClPoisonStack("msan-poison-stack",
249 cl::desc("poison uninitialized stack variables"), cl::Hidden,
250 cl::init(true));
251
252static cl::opt<bool> ClPoisonStackWithCall(
253 "msan-poison-stack-with-call",
254 cl::desc("poison uninitialized stack variables with a call"), cl::Hidden,
255 cl::init(false));
256
257static cl::opt<int> ClPoisonStackPattern(
258 "msan-poison-stack-pattern",
259 cl::desc("poison uninitialized stack variables with the given pattern"),
260 cl::Hidden, cl::init(0xff));
261
262static cl::opt<bool>
263 ClPrintStackNames("msan-print-stack-names",
264 cl::desc("Print name of local stack variable"),
265 cl::Hidden, cl::init(true));
266
267static cl::opt<bool> ClPoisonUndef("msan-poison-undef",
268 cl::desc("poison undef temps"), cl::Hidden,
269 cl::init(true));
270
271static cl::opt<bool>
272 ClHandleICmp("msan-handle-icmp",
273 cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
274 cl::Hidden, cl::init(true));
275
276static cl::opt<bool>
277 ClHandleICmpExact("msan-handle-icmp-exact",
278 cl::desc("exact handling of relational integer ICmp"),
279 cl::Hidden, cl::init(true));
280
281static cl::opt<bool> ClHandleLifetimeIntrinsics(
282 "msan-handle-lifetime-intrinsics",
283 cl::desc(
284 "when possible, poison scoped variables at the beginning of the scope "
285 "(slower, but more precise)"),
286 cl::Hidden, cl::init(true));
287
288// When compiling the Linux kernel, we sometimes see false positives related to
289// MSan being unable to understand that inline assembly calls may initialize
290// local variables.
291// This flag makes the compiler conservatively unpoison every memory location
292// passed into an assembly call. Note that this may cause false positives.
293// Because it's impossible to figure out the array sizes, we can only unpoison
294// the first sizeof(type) bytes for each type* pointer.
295static cl::opt<bool> ClHandleAsmConservative(
296 "msan-handle-asm-conservative",
297 cl::desc("conservative handling of inline assembly"), cl::Hidden,
298 cl::init(true));
299
300// This flag controls whether we check the shadow of the address
301// operand of load or store. Such bugs are very rare, since load from
302// a garbage address typically results in SEGV, but still happen
303// (e.g. only lower bits of address are garbage, or the access happens
304// early at program startup where malloc-ed memory is more likely to
305// be zeroed. As of 2012-08-28 this flag adds 20% slowdown.
306static cl::opt<bool> ClCheckAccessAddress(
307 "msan-check-access-address",
308 cl::desc("report accesses through a pointer which has poisoned shadow"),
309 cl::Hidden, cl::init(true));
310
311static cl::opt<bool> ClEagerChecks(
312 "msan-eager-checks",
313 cl::desc("check arguments and return values at function call boundaries"),
314 cl::Hidden, cl::init(false));
315
316static cl::opt<bool> ClDumpStrictInstructions(
317 "msan-dump-strict-instructions",
318 cl::desc("print out instructions with default strict semantics"),
319 cl::Hidden, cl::init(false));
320
321static cl::opt<bool> ClDumpStrictIntrinsics(
322 "msan-dump-strict-intrinsics",
323 cl::desc("Prints 'unknown' intrinsics that were handled heuristically. "
324 "Use -msan-dump-strict-instructions to print intrinsics that "
325 "could not be handled exactly nor heuristically."),
326 cl::Hidden, cl::init(false));
327
328static cl::opt<int> ClInstrumentationWithCallThreshold(
329 "msan-instrumentation-with-call-threshold",
330 cl::desc(
331 "If the function being instrumented requires more than "
332 "this number of checks and origin stores, use callbacks instead of "
333 "inline checks (-1 means never use callbacks)."),
334 cl::Hidden, cl::init(3500));
335
336static cl::opt<bool>
337 ClEnableKmsan("msan-kernel",
338 cl::desc("Enable KernelMemorySanitizer instrumentation"),
339 cl::Hidden, cl::init(false));
340
341static cl::opt<bool>
342 ClDisableChecks("msan-disable-checks",
343 cl::desc("Apply no_sanitize to the whole file"), cl::Hidden,
344 cl::init(false));
345
346static cl::opt<bool>
347 ClCheckConstantShadow("msan-check-constant-shadow",
348 cl::desc("Insert checks for constant shadow values"),
349 cl::Hidden, cl::init(true));
350
351// This is off by default because of a bug in gold:
352// https://sourceware.org/bugzilla/show_bug.cgi?id=19002
353static cl::opt<bool>
354 ClWithComdat("msan-with-comdat",
355 cl::desc("Place MSan constructors in comdat sections"),
356 cl::Hidden, cl::init(false));
357
358// These options allow to specify custom memory map parameters
359// See MemoryMapParams for details.
360static cl::opt<uint64_t> ClAndMask("msan-and-mask",
361 cl::desc("Define custom MSan AndMask"),
362 cl::Hidden, cl::init(0));
363
364static cl::opt<uint64_t> ClXorMask("msan-xor-mask",
365 cl::desc("Define custom MSan XorMask"),
366 cl::Hidden, cl::init(0));
367
368static cl::opt<uint64_t> ClShadowBase("msan-shadow-base",
369 cl::desc("Define custom MSan ShadowBase"),
370 cl::Hidden, cl::init(0));
371
372static cl::opt<uint64_t> ClOriginBase("msan-origin-base",
373 cl::desc("Define custom MSan OriginBase"),
374 cl::Hidden, cl::init(0));
375
376static cl::opt<int>
377 ClDisambiguateWarning("msan-disambiguate-warning-threshold",
378 cl::desc("Define threshold for number of checks per "
379 "debug location to force origin update."),
380 cl::Hidden, cl::init(3));
381
382const char kMsanModuleCtorName[] = "msan.module_ctor";
383const char kMsanInitName[] = "__msan_init";
384
385namespace {
386
387// Memory map parameters used in application-to-shadow address calculation.
388// Offset = (Addr & ~AndMask) ^ XorMask
389// Shadow = ShadowBase + Offset
390// Origin = OriginBase + Offset
391struct MemoryMapParams {
392 uint64_t AndMask;
393 uint64_t XorMask;
394 uint64_t ShadowBase;
395 uint64_t OriginBase;
396};
397
398struct PlatformMemoryMapParams {
399 const MemoryMapParams *bits32;
400 const MemoryMapParams *bits64;
401};
402
403} // end anonymous namespace
404
405// i386 Linux
406static const MemoryMapParams Linux_I386_MemoryMapParams = {
407 0x000080000000, // AndMask
408 0, // XorMask (not used)
409 0, // ShadowBase (not used)
410 0x000040000000, // OriginBase
411};
412
413// x86_64 Linux
414static const MemoryMapParams Linux_X86_64_MemoryMapParams = {
415 0, // AndMask (not used)
416 0x500000000000, // XorMask
417 0, // ShadowBase (not used)
418 0x100000000000, // OriginBase
419};
420
421// mips32 Linux
422// FIXME: Remove -msan-origin-base -msan-and-mask added by PR #109284 to tests
423// after picking good constants
424
425// mips64 Linux
426static const MemoryMapParams Linux_MIPS64_MemoryMapParams = {
427 0, // AndMask (not used)
428 0x008000000000, // XorMask
429 0, // ShadowBase (not used)
430 0x002000000000, // OriginBase
431};
432
433// ppc32 Linux
434// FIXME: Remove -msan-origin-base -msan-and-mask added by PR #109284 to tests
435// after picking good constants
436
437// ppc64 Linux
438static const MemoryMapParams Linux_PowerPC64_MemoryMapParams = {
439 0xE00000000000, // AndMask
440 0x100000000000, // XorMask
441 0x080000000000, // ShadowBase
442 0x1C0000000000, // OriginBase
443};
444
445// s390x Linux
446static const MemoryMapParams Linux_S390X_MemoryMapParams = {
447 0xC00000000000, // AndMask
448 0, // XorMask (not used)
449 0x080000000000, // ShadowBase
450 0x1C0000000000, // OriginBase
451};
452
453// arm32 Linux
454// FIXME: Remove -msan-origin-base -msan-and-mask added by PR #109284 to tests
455// after picking good constants
456
457// aarch64 Linux
458static const MemoryMapParams Linux_AArch64_MemoryMapParams = {
459 0, // AndMask (not used)
460 0x0B00000000000, // XorMask
461 0, // ShadowBase (not used)
462 0x0200000000000, // OriginBase
463};
464
465// loongarch64 Linux
466static const MemoryMapParams Linux_LoongArch64_MemoryMapParams = {
467 0, // AndMask (not used)
468 0x500000000000, // XorMask
469 0, // ShadowBase (not used)
470 0x100000000000, // OriginBase
471};
472
473// riscv32 Linux
474// FIXME: Remove -msan-origin-base -msan-and-mask added by PR #109284 to tests
475// after picking good constants
476
477// aarch64 FreeBSD
478static const MemoryMapParams FreeBSD_AArch64_MemoryMapParams = {
479 0x1800000000000, // AndMask
480 0x0400000000000, // XorMask
481 0x0200000000000, // ShadowBase
482 0x0700000000000, // OriginBase
483};
484
485// i386 FreeBSD
486static const MemoryMapParams FreeBSD_I386_MemoryMapParams = {
487 0x000180000000, // AndMask
488 0x000040000000, // XorMask
489 0x000020000000, // ShadowBase
490 0x000700000000, // OriginBase
491};
492
493// x86_64 FreeBSD
494static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams = {
495 0xc00000000000, // AndMask
496 0x200000000000, // XorMask
497 0x100000000000, // ShadowBase
498 0x380000000000, // OriginBase
499};
500
501// x86_64 NetBSD
502static const MemoryMapParams NetBSD_X86_64_MemoryMapParams = {
503 0, // AndMask
504 0x500000000000, // XorMask
505 0, // ShadowBase
506 0x100000000000, // OriginBase
507};
508
509static const PlatformMemoryMapParams Linux_X86_MemoryMapParams = {
510 &Linux_I386_MemoryMapParams,
511 &Linux_X86_64_MemoryMapParams,
512};
513
514static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams = {
515 nullptr,
516 &Linux_MIPS64_MemoryMapParams,
517};
518
519static const PlatformMemoryMapParams Linux_PowerPC_MemoryMapParams = {
520 nullptr,
521 &Linux_PowerPC64_MemoryMapParams,
522};
523
524static const PlatformMemoryMapParams Linux_S390_MemoryMapParams = {
525 nullptr,
526 &Linux_S390X_MemoryMapParams,
527};
528
529static const PlatformMemoryMapParams Linux_ARM_MemoryMapParams = {
530 nullptr,
531 &Linux_AArch64_MemoryMapParams,
532};
533
534static const PlatformMemoryMapParams Linux_LoongArch_MemoryMapParams = {
535 nullptr,
536 &Linux_LoongArch64_MemoryMapParams,
537};
538
539static const PlatformMemoryMapParams FreeBSD_ARM_MemoryMapParams = {
540 nullptr,
541 &FreeBSD_AArch64_MemoryMapParams,
542};
543
544static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams = {
545 &FreeBSD_I386_MemoryMapParams,
546 &FreeBSD_X86_64_MemoryMapParams,
547};
548
549static const PlatformMemoryMapParams NetBSD_X86_MemoryMapParams = {
550 nullptr,
551 &NetBSD_X86_64_MemoryMapParams,
552};
553
554namespace {
555
556/// Instrument functions of a module to detect uninitialized reads.
557///
558/// Instantiating MemorySanitizer inserts the msan runtime library API function
559/// declarations into the module if they don't exist already. Instantiating
560/// ensures the __msan_init function is in the list of global constructors for
561/// the module.
562class MemorySanitizer {
563public:
564 MemorySanitizer(Module &M, MemorySanitizerOptions Options)
565 : CompileKernel(Options.Kernel), TrackOrigins(Options.TrackOrigins),
566 Recover(Options.Recover), EagerChecks(Options.EagerChecks) {
567 initializeModule(M);
568 }
569
570 // MSan cannot be moved or copied because of MapParams.
571 MemorySanitizer(MemorySanitizer &&) = delete;
572 MemorySanitizer &operator=(MemorySanitizer &&) = delete;
573 MemorySanitizer(const MemorySanitizer &) = delete;
574 MemorySanitizer &operator=(const MemorySanitizer &) = delete;
575
576 bool sanitizeFunction(Function &F, TargetLibraryInfo &TLI);
577
578private:
579 friend struct MemorySanitizerVisitor;
580 friend struct VarArgHelperBase;
581 friend struct VarArgAMD64Helper;
582 friend struct VarArgAArch64Helper;
583 friend struct VarArgPowerPCHelper;
584 friend struct VarArgSystemZHelper;
585 friend struct VarArgI386Helper;
586 friend struct VarArgGenericHelper;
587
588 void initializeModule(Module &M);
589 void initializeCallbacks(Module &M, const TargetLibraryInfo &TLI);
590 void createKernelApi(Module &M, const TargetLibraryInfo &TLI);
591 void createUserspaceApi(Module &M, const TargetLibraryInfo &TLI);
592
593 template <typename... ArgsTy>
594 FunctionCallee getOrInsertMsanMetadataFunction(Module &M, StringRef Name,
595 ArgsTy... Args);
596
597 /// True if we're compiling the Linux kernel.
598 bool CompileKernel;
599 /// Track origins (allocation points) of uninitialized values.
600 int TrackOrigins;
601 bool Recover;
602 bool EagerChecks;
603
604 Triple TargetTriple;
605 LLVMContext *C;
606 Type *IntptrTy; ///< Integer type with the size of a ptr in default AS.
607 Type *OriginTy;
608 PointerType *PtrTy; ///< Integer type with the size of a ptr in default AS.
609
610 // XxxTLS variables represent the per-thread state in MSan and per-task state
611 // in KMSAN.
612 // For the userspace these point to thread-local globals. In the kernel land
613 // they point to the members of a per-task struct obtained via a call to
614 // __msan_get_context_state().
615
616 /// Thread-local shadow storage for function parameters.
617 Value *ParamTLS;
618
619 /// Thread-local origin storage for function parameters.
620 Value *ParamOriginTLS;
621
622 /// Thread-local shadow storage for function return value.
623 Value *RetvalTLS;
624
625 /// Thread-local origin storage for function return value.
626 Value *RetvalOriginTLS;
627
628 /// Thread-local shadow storage for in-register va_arg function.
629 Value *VAArgTLS;
630
631 /// Thread-local shadow storage for in-register va_arg function.
632 Value *VAArgOriginTLS;
633
634 /// Thread-local shadow storage for va_arg overflow area.
635 Value *VAArgOverflowSizeTLS;
636
637 /// Are the instrumentation callbacks set up?
638 bool CallbacksInitialized = false;
639
640 /// The run-time callback to print a warning.
641 FunctionCallee WarningFn;
642
643 // These arrays are indexed by log2(AccessSize).
644 FunctionCallee MaybeWarningFn[kNumberOfAccessSizes];
645 FunctionCallee MaybeStoreOriginFn[kNumberOfAccessSizes];
646
647 /// Run-time helper that generates a new origin value for a stack
648 /// allocation.
649 FunctionCallee MsanSetAllocaOriginWithDescriptionFn;
650 // No description version
651 FunctionCallee MsanSetAllocaOriginNoDescriptionFn;
652
653 /// Run-time helper that poisons stack on function entry.
654 FunctionCallee MsanPoisonStackFn;
655
656 /// Run-time helper that records a store (or any event) of an
657 /// uninitialized value and returns an updated origin id encoding this info.
658 FunctionCallee MsanChainOriginFn;
659
660 /// Run-time helper that paints an origin over a region.
661 FunctionCallee MsanSetOriginFn;
662
663 /// MSan runtime replacements for memmove, memcpy and memset.
664 FunctionCallee MemmoveFn, MemcpyFn, MemsetFn;
665
666 /// KMSAN callback for task-local function argument shadow.
667 StructType *MsanContextStateTy;
668 FunctionCallee MsanGetContextStateFn;
669
670 /// Functions for poisoning/unpoisoning local variables
671 FunctionCallee MsanPoisonAllocaFn, MsanUnpoisonAllocaFn;
672
673 /// Pair of shadow/origin pointers.
674 Type *MsanMetadata;
675
676 /// Each of the MsanMetadataPtrXxx functions returns a MsanMetadata.
677 FunctionCallee MsanMetadataPtrForLoadN, MsanMetadataPtrForStoreN;
678 FunctionCallee MsanMetadataPtrForLoad_1_8[4];
679 FunctionCallee MsanMetadataPtrForStore_1_8[4];
680 FunctionCallee MsanInstrumentAsmStoreFn;
681
682 /// Storage for return values of the MsanMetadataPtrXxx functions.
683 Value *MsanMetadataAlloca;
684
685 /// Helper to choose between different MsanMetadataPtrXxx().
686 FunctionCallee getKmsanShadowOriginAccessFn(bool isStore, int size);
687
688 /// Memory map parameters used in application-to-shadow calculation.
689 const MemoryMapParams *MapParams;
690
691 /// Custom memory map parameters used when -msan-shadow-base or
692 // -msan-origin-base is provided.
693 MemoryMapParams CustomMapParams;
694
695 MDNode *ColdCallWeights;
696
697 /// Branch weights for origin store.
698 MDNode *OriginStoreWeights;
699};
700
701void insertModuleCtor(Module &M) {
702 getOrCreateSanitizerCtorAndInitFunctions(
703 M, kMsanModuleCtorName, kMsanInitName,
704 /*InitArgTypes=*/{},
705 /*InitArgs=*/{},
706 // This callback is invoked when the functions are created the first
707 // time. Hook them into the global ctors list in that case:
708 [&](Function *Ctor, FunctionCallee) {
709 if (!ClWithComdat) {
710 appendToGlobalCtors(M, Ctor, 0);
711 return;
712 }
713 Comdat *MsanCtorComdat = M.getOrInsertComdat(kMsanModuleCtorName);
714 Ctor->setComdat(MsanCtorComdat);
715 appendToGlobalCtors(M, Ctor, 0, Ctor);
716 });
717}
718
719template <class T> T getOptOrDefault(const cl::opt<T> &Opt, T Default) {
720 return (Opt.getNumOccurrences() > 0) ? Opt : Default;
721}
722
723} // end anonymous namespace
724
725MemorySanitizerOptions::MemorySanitizerOptions(int TO, bool R, bool K,
726 bool EagerChecks)
727 : Kernel(getOptOrDefault(ClEnableKmsan, K)),
728 TrackOrigins(getOptOrDefault(ClTrackOrigins, Kernel ? 2 : TO)),
729 Recover(getOptOrDefault(ClKeepGoing, Kernel || R)),
730 EagerChecks(getOptOrDefault(ClEagerChecks, EagerChecks)) {}
731
732PreservedAnalyses MemorySanitizerPass::run(Module &M,
733 ModuleAnalysisManager &AM) {
734 // Return early if nosanitize_memory module flag is present for the module.
735 if (checkIfAlreadyInstrumented(M, "nosanitize_memory"))
736 return PreservedAnalyses::all();
737 bool Modified = false;
738 if (!Options.Kernel) {
739 insertModuleCtor(M);
740 Modified = true;
741 }
742
743 auto &FAM = AM.getResult<FunctionAnalysisManagerModuleProxy>(M).getManager();
744 for (Function &F : M) {
745 if (F.empty())
746 continue;
747 MemorySanitizer Msan(*F.getParent(), Options);
748 Modified |=
749 Msan.sanitizeFunction(F, FAM.getResult<TargetLibraryAnalysis>(F));
750 }
751
752 if (!Modified)
753 return PreservedAnalyses::all();
754
755 PreservedAnalyses PA = PreservedAnalyses::none();
756 // GlobalsAA is considered stateless and does not get invalidated unless
757 // explicitly invalidated; PreservedAnalyses::none() is not enough. Sanitizers
758 // make changes that require GlobalsAA to be invalidated.
759 PA.abandon<GlobalsAA>();
760 return PA;
761}
762
763void MemorySanitizerPass::printPipeline(
764 raw_ostream &OS, function_ref<StringRef(StringRef)> MapClassName2PassName) {
765 static_cast<PassInfoMixin<MemorySanitizerPass> *>(this)->printPipeline(
766 OS, MapClassName2PassName);
767 OS << '<';
768 if (Options.Recover)
769 OS << "recover;";
770 if (Options.Kernel)
771 OS << "kernel;";
772 if (Options.EagerChecks)
773 OS << "eager-checks;";
774 OS << "track-origins=" << Options.TrackOrigins;
775 OS << '>';
776}
777
778/// Create a non-const global initialized with the given string.
779///
780/// Creates a writable global for Str so that we can pass it to the
781/// run-time lib. Runtime uses first 4 bytes of the string to store the
782/// frame ID, so the string needs to be mutable.
783static GlobalVariable *createPrivateConstGlobalForString(Module &M,
784 StringRef Str) {
785 Constant *StrConst = ConstantDataArray::getString(M.getContext(), Str);
786 return new GlobalVariable(M, StrConst->getType(), /*isConstant=*/true,
787 GlobalValue::PrivateLinkage, StrConst, "");
788}
789
790template <typename... ArgsTy>
791FunctionCallee
792MemorySanitizer::getOrInsertMsanMetadataFunction(Module &M, StringRef Name,
793 ArgsTy... Args) {
794 if (TargetTriple.getArch() == Triple::systemz) {
795 // SystemZ ABI: shadow/origin pair is returned via a hidden parameter.
796 return M.getOrInsertFunction(Name, Type::getVoidTy(*C), PtrTy,
797 std::forward<ArgsTy>(Args)...);
798 }
799
800 return M.getOrInsertFunction(Name, MsanMetadata,
801 std::forward<ArgsTy>(Args)...);
802}
803
804/// Create KMSAN API callbacks.
805void MemorySanitizer::createKernelApi(Module &M, const TargetLibraryInfo &TLI) {
806 IRBuilder<> IRB(*C);
807
808 // These will be initialized in insertKmsanPrologue().
809 RetvalTLS = nullptr;
810 RetvalOriginTLS = nullptr;
811 ParamTLS = nullptr;
812 ParamOriginTLS = nullptr;
813 VAArgTLS = nullptr;
814 VAArgOriginTLS = nullptr;
815 VAArgOverflowSizeTLS = nullptr;
816
817 WarningFn = M.getOrInsertFunction("__msan_warning",
818 TLI.getAttrList(C, {0}, /*Signed=*/false),
819 IRB.getVoidTy(), IRB.getInt32Ty());
820
821 // Requests the per-task context state (kmsan_context_state*) from the
822 // runtime library.
823 MsanContextStateTy = StructType::get(
824 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
825 ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8),
826 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8),
827 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8), /* va_arg_origin */
828 IRB.getInt64Ty(), ArrayType::get(OriginTy, kParamTLSSize / 4), OriginTy,
829 OriginTy);
830 MsanGetContextStateFn =
831 M.getOrInsertFunction("__msan_get_context_state", PtrTy);
832
833 MsanMetadata = StructType::get(PtrTy, PtrTy);
834
835 for (int ind = 0, size = 1; ind < 4; ind++, size <<= 1) {
836 std::string name_load =
837 "__msan_metadata_ptr_for_load_" + std::to_string(size);
838 std::string name_store =
839 "__msan_metadata_ptr_for_store_" + std::to_string(size);
840 MsanMetadataPtrForLoad_1_8[ind] =
841 getOrInsertMsanMetadataFunction(M, name_load, PtrTy);
842 MsanMetadataPtrForStore_1_8[ind] =
843 getOrInsertMsanMetadataFunction(M, name_store, PtrTy);
844 }
845
846 MsanMetadataPtrForLoadN = getOrInsertMsanMetadataFunction(
847 M, "__msan_metadata_ptr_for_load_n", PtrTy, IRB.getInt64Ty());
848 MsanMetadataPtrForStoreN = getOrInsertMsanMetadataFunction(
849 M, "__msan_metadata_ptr_for_store_n", PtrTy, IRB.getInt64Ty());
850
851 // Functions for poisoning and unpoisoning memory.
852 MsanPoisonAllocaFn = M.getOrInsertFunction(
853 "__msan_poison_alloca", IRB.getVoidTy(), PtrTy, IntptrTy, PtrTy);
854 MsanUnpoisonAllocaFn = M.getOrInsertFunction(
855 "__msan_unpoison_alloca", IRB.getVoidTy(), PtrTy, IntptrTy);
856}
857
858static Constant *getOrInsertGlobal(Module &M, StringRef Name, Type *Ty) {
859 return M.getOrInsertGlobal(Name, Ty, [&] {
860 return new GlobalVariable(M, Ty, false, GlobalVariable::ExternalLinkage,
861 nullptr, Name, nullptr,
862 GlobalVariable::InitialExecTLSModel);
863 });
864}
865
866/// Insert declarations for userspace-specific functions and globals.
867void MemorySanitizer::createUserspaceApi(Module &M,
868 const TargetLibraryInfo &TLI) {
869 IRBuilder<> IRB(*C);
870
871 // Create the callback.
872 // FIXME: this function should have "Cold" calling conv,
873 // which is not yet implemented.
874 if (TrackOrigins) {
875 StringRef WarningFnName = Recover ? "__msan_warning_with_origin"
876 : "__msan_warning_with_origin_noreturn";
877 WarningFn = M.getOrInsertFunction(WarningFnName,
878 TLI.getAttrList(C, {0}, /*Signed=*/false),
879 IRB.getVoidTy(), IRB.getInt32Ty());
880 } else {
881 StringRef WarningFnName =
882 Recover ? "__msan_warning" : "__msan_warning_noreturn";
883 WarningFn = M.getOrInsertFunction(WarningFnName, IRB.getVoidTy());
884 }
885
886 // Create the global TLS variables.
887 RetvalTLS =
888 getOrInsertGlobal(M, "__msan_retval_tls",
889 ArrayType::get(IRB.getInt64Ty(), kRetvalTLSSize / 8));
890
891 RetvalOriginTLS = getOrInsertGlobal(M, "__msan_retval_origin_tls", OriginTy);
892
893 ParamTLS =
894 getOrInsertGlobal(M, "__msan_param_tls",
895 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
896
897 ParamOriginTLS =
898 getOrInsertGlobal(M, "__msan_param_origin_tls",
899 ArrayType::get(OriginTy, kParamTLSSize / 4));
900
901 VAArgTLS =
902 getOrInsertGlobal(M, "__msan_va_arg_tls",
903 ArrayType::get(IRB.getInt64Ty(), kParamTLSSize / 8));
904
905 VAArgOriginTLS =
906 getOrInsertGlobal(M, "__msan_va_arg_origin_tls",
907 ArrayType::get(OriginTy, kParamTLSSize / 4));
908
909 VAArgOverflowSizeTLS =
910 getOrInsertGlobal(M, "__msan_va_arg_overflow_size_tls", IRB.getInt64Ty());
911
912 for (size_t AccessSizeIndex = 0; AccessSizeIndex < kNumberOfAccessSizes;
913 AccessSizeIndex++) {
914 unsigned AccessSize = 1 << AccessSizeIndex;
915 std::string FunctionName = "__msan_maybe_warning_" + itostr(AccessSize);
916 MaybeWarningFn[AccessSizeIndex] = M.getOrInsertFunction(
917 FunctionName, TLI.getAttrList(C, {0, 1}, /*Signed=*/false),
918 IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), IRB.getInt32Ty());
919
920 FunctionName = "__msan_maybe_store_origin_" + itostr(AccessSize);
921 MaybeStoreOriginFn[AccessSizeIndex] = M.getOrInsertFunction(
922 FunctionName, TLI.getAttrList(C, {0, 2}, /*Signed=*/false),
923 IRB.getVoidTy(), IRB.getIntNTy(AccessSize * 8), PtrTy,
924 IRB.getInt32Ty());
925 }
926
927 MsanSetAllocaOriginWithDescriptionFn =
928 M.getOrInsertFunction("__msan_set_alloca_origin_with_descr",
929 IRB.getVoidTy(), PtrTy, IntptrTy, PtrTy, PtrTy);
930 MsanSetAllocaOriginNoDescriptionFn =
931 M.getOrInsertFunction("__msan_set_alloca_origin_no_descr",
932 IRB.getVoidTy(), PtrTy, IntptrTy, PtrTy);
933 MsanPoisonStackFn = M.getOrInsertFunction("__msan_poison_stack",
934 IRB.getVoidTy(), PtrTy, IntptrTy);
935}
936
937/// Insert extern declaration of runtime-provided functions and globals.
938void MemorySanitizer::initializeCallbacks(Module &M,
939 const TargetLibraryInfo &TLI) {
940 // Only do this once.
941 if (CallbacksInitialized)
942 return;
943
944 IRBuilder<> IRB(*C);
945 // Initialize callbacks that are common for kernel and userspace
946 // instrumentation.
947 MsanChainOriginFn = M.getOrInsertFunction(
948 "__msan_chain_origin",
949 TLI.getAttrList(C, {0}, /*Signed=*/false, /*Ret=*/true), IRB.getInt32Ty(),
950 IRB.getInt32Ty());
951 MsanSetOriginFn = M.getOrInsertFunction(
952 "__msan_set_origin", TLI.getAttrList(C, {2}, /*Signed=*/false),
953 IRB.getVoidTy(), PtrTy, IntptrTy, IRB.getInt32Ty());
954 MemmoveFn =
955 M.getOrInsertFunction("__msan_memmove", PtrTy, PtrTy, PtrTy, IntptrTy);
956 MemcpyFn =
957 M.getOrInsertFunction("__msan_memcpy", PtrTy, PtrTy, PtrTy, IntptrTy);
958 MemsetFn = M.getOrInsertFunction("__msan_memset",
959 TLI.getAttrList(C, {1}, /*Signed=*/true),
960 PtrTy, PtrTy, IRB.getInt32Ty(), IntptrTy);
961
962 MsanInstrumentAsmStoreFn = M.getOrInsertFunction(
963 "__msan_instrument_asm_store", IRB.getVoidTy(), PtrTy, IntptrTy);
964
965 if (CompileKernel) {
966 createKernelApi(M, TLI);
967 } else {
968 createUserspaceApi(M, TLI);
969 }
970 CallbacksInitialized = true;
971}
972
973FunctionCallee MemorySanitizer::getKmsanShadowOriginAccessFn(bool isStore,
974 int size) {
975 FunctionCallee *Fns =
976 isStore ? MsanMetadataPtrForStore_1_8 : MsanMetadataPtrForLoad_1_8;
977 switch (size) {
978 case 1:
979 return Fns[0];
980 case 2:
981 return Fns[1];
982 case 4:
983 return Fns[2];
984 case 8:
985 return Fns[3];
986 default:
987 return nullptr;
988 }
989}
990
991/// Module-level initialization.
992///
993/// inserts a call to __msan_init to the module's constructor list.
994void MemorySanitizer::initializeModule(Module &M) {
995 auto &DL = M.getDataLayout();
996
997 TargetTriple = Triple(M.getTargetTriple());
998
999 bool ShadowPassed = ClShadowBase.getNumOccurrences() > 0;
1000 bool OriginPassed = ClOriginBase.getNumOccurrences() > 0;
1001 // Check the overrides first
1002 if (ShadowPassed || OriginPassed) {
1003 CustomMapParams.AndMask = ClAndMask;
1004 CustomMapParams.XorMask = ClXorMask;
1005 CustomMapParams.ShadowBase = ClShadowBase;
1006 CustomMapParams.OriginBase = ClOriginBase;
1007 MapParams = &CustomMapParams;
1008 } else {
1009 switch (TargetTriple.getOS()) {
1010 case Triple::FreeBSD:
1011 switch (TargetTriple.getArch()) {
1012 case Triple::aarch64:
1013 MapParams = FreeBSD_ARM_MemoryMapParams.bits64;
1014 break;
1015 case Triple::x86_64:
1016 MapParams = FreeBSD_X86_MemoryMapParams.bits64;
1017 break;
1018 case Triple::x86:
1019 MapParams = FreeBSD_X86_MemoryMapParams.bits32;
1020 break;
1021 default:
1022 report_fatal_error("unsupported architecture");
1023 }
1024 break;
1025 case Triple::NetBSD:
1026 switch (TargetTriple.getArch()) {
1027 case Triple::x86_64:
1028 MapParams = NetBSD_X86_MemoryMapParams.bits64;
1029 break;
1030 default:
1031 report_fatal_error("unsupported architecture");
1032 }
1033 break;
1034 case Triple::Linux:
1035 switch (TargetTriple.getArch()) {
1036 case Triple::x86_64:
1037 MapParams = Linux_X86_MemoryMapParams.bits64;
1038 break;
1039 case Triple::x86:
1040 MapParams = Linux_X86_MemoryMapParams.bits32;
1041 break;
1042 case Triple::mips64:
1043 case Triple::mips64el:
1044 MapParams = Linux_MIPS_MemoryMapParams.bits64;
1045 break;
1046 case Triple::ppc64:
1047 case Triple::ppc64le:
1048 MapParams = Linux_PowerPC_MemoryMapParams.bits64;
1049 break;
1050 case Triple::systemz:
1051 MapParams = Linux_S390_MemoryMapParams.bits64;
1052 break;
1053 case Triple::aarch64:
1054 case Triple::aarch64_be:
1055 MapParams = Linux_ARM_MemoryMapParams.bits64;
1056 break;
1057 case Triple::loongarch64:
1058 MapParams = Linux_LoongArch_MemoryMapParams.bits64;
1059 break;
1060 default:
1061 report_fatal_error("unsupported architecture");
1062 }
1063 break;
1064 default:
1065 report_fatal_error("unsupported operating system");
1066 }
1067 }
1068
1069 C = &(M.getContext());
1070 IRBuilder<> IRB(*C);
1071 IntptrTy = IRB.getIntPtrTy(DL);
1072 OriginTy = IRB.getInt32Ty();
1073 PtrTy = IRB.getPtrTy();
1074
1075 ColdCallWeights = MDBuilder(*C).createUnlikelyBranchWeights();
1076 OriginStoreWeights = MDBuilder(*C).createUnlikelyBranchWeights();
1077
1078 if (!CompileKernel) {
1079 if (TrackOrigins)
1080 M.getOrInsertGlobal("__msan_track_origins", IRB.getInt32Ty(), [&] {
1081 return new GlobalVariable(
1082 M, IRB.getInt32Ty(), true, GlobalValue::WeakODRLinkage,
1083 IRB.getInt32(TrackOrigins), "__msan_track_origins");
1084 });
1085
1086 if (Recover)
1087 M.getOrInsertGlobal("__msan_keep_going", IRB.getInt32Ty(), [&] {
1088 return new GlobalVariable(M, IRB.getInt32Ty(), true,
1089 GlobalValue::WeakODRLinkage,
1090 IRB.getInt32(Recover), "__msan_keep_going");
1091 });
1092 }
1093}
1094
1095namespace {
1096
1097/// A helper class that handles instrumentation of VarArg
1098/// functions on a particular platform.
1099///
1100/// Implementations are expected to insert the instrumentation
1101/// necessary to propagate argument shadow through VarArg function
1102/// calls. Visit* methods are called during an InstVisitor pass over
1103/// the function, and should avoid creating new basic blocks. A new
1104/// instance of this class is created for each instrumented function.
1105struct VarArgHelper {
1106 virtual ~VarArgHelper() = default;
1107
1108 /// Visit a CallBase.
1109 virtual void visitCallBase(CallBase &CB, IRBuilder<> &IRB) = 0;
1110
1111 /// Visit a va_start call.
1112 virtual void visitVAStartInst(VAStartInst &I) = 0;
1113
1114 /// Visit a va_copy call.
1115 virtual void visitVACopyInst(VACopyInst &I) = 0;
1116
1117 /// Finalize function instrumentation.
1118 ///
1119 /// This method is called after visiting all interesting (see above)
1120 /// instructions in a function.
1121 virtual void finalizeInstrumentation() = 0;
1122};
1123
1124struct MemorySanitizerVisitor;
1125
1126} // end anonymous namespace
1127
1128static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
1129 MemorySanitizerVisitor &Visitor);
1130
1131static unsigned TypeSizeToSizeIndex(TypeSize TS) {
1132 if (TS.isScalable())
1133 // Scalable types unconditionally take slowpaths.
1134 return kNumberOfAccessSizes;
1135 unsigned TypeSizeFixed = TS.getFixedValue();
1136 if (TypeSizeFixed <= 8)
1137 return 0;
1138 return Log2_32_Ceil((TypeSizeFixed + 7) / 8);
1139}
1140
1141namespace {
1142
1143/// Helper class to attach debug information of the given instruction onto new
1144/// instructions inserted after.
1145class NextNodeIRBuilder : public IRBuilder<> {
1146public:
1147 explicit NextNodeIRBuilder(Instruction *IP) : IRBuilder<>(IP->getNextNode()) {
1148 SetCurrentDebugLocation(IP->getDebugLoc());
1149 }
1150};
1151
1152/// This class does all the work for a given function. Store and Load
1153/// instructions store and load corresponding shadow and origin
1154/// values. Most instructions propagate shadow from arguments to their
1155/// return values. Certain instructions (most importantly, BranchInst)
1156/// test their argument shadow and print reports (with a runtime call) if it's
1157/// non-zero.
1158struct MemorySanitizerVisitor : public InstVisitor<MemorySanitizerVisitor> {
1159 Function &F;
1160 MemorySanitizer &MS;
1161 SmallVector<PHINode *, 16> ShadowPHINodes, OriginPHINodes;
1162 ValueMap<Value *, Value *> ShadowMap, OriginMap;
1163 std::unique_ptr<VarArgHelper> VAHelper;
1164 const TargetLibraryInfo *TLI;
1165 Instruction *FnPrologueEnd;
1166 SmallVector<Instruction *, 16> Instructions;
1167
1168 // The following flags disable parts of MSan instrumentation based on
1169 // exclusion list contents and command-line options.
1170 bool InsertChecks;
1171 bool PropagateShadow;
1172 bool PoisonStack;
1173 bool PoisonUndef;
1174
1175 struct ShadowOriginAndInsertPoint {
1176 Value *Shadow;
1177 Value *Origin;
1178 Instruction *OrigIns;
1179
1180 ShadowOriginAndInsertPoint(Value *S, Value *O, Instruction *I)
1181 : Shadow(S), Origin(O), OrigIns(I) {}
1182 };
1183 SmallVector<ShadowOriginAndInsertPoint, 16> InstrumentationList;
1184 DenseMap<const DILocation *, int> LazyWarningDebugLocationCount;
1185 bool InstrumentLifetimeStart = ClHandleLifetimeIntrinsics;
1186 SmallSetVector<AllocaInst *, 16> AllocaSet;
1187 SmallVector<std::pair<IntrinsicInst *, AllocaInst *>, 16> LifetimeStartList;
1188 SmallVector<StoreInst *, 16> StoreList;
1189 int64_t SplittableBlocksCount = 0;
1190
1191 MemorySanitizerVisitor(Function &F, MemorySanitizer &MS,
1192 const TargetLibraryInfo &TLI)
1193 : F(F), MS(MS), VAHelper(CreateVarArgHelper(F, MS, *this)), TLI(&TLI) {
1194 bool SanitizeFunction =
1195 F.hasFnAttribute(Attribute::SanitizeMemory) && !ClDisableChecks;
1196 InsertChecks = SanitizeFunction;
1197 PropagateShadow = SanitizeFunction;
1198 PoisonStack = SanitizeFunction && ClPoisonStack;
1199 PoisonUndef = SanitizeFunction && ClPoisonUndef;
1200
1201 // In the presence of unreachable blocks, we may see Phi nodes with
1202 // incoming nodes from such blocks. Since InstVisitor skips unreachable
1203 // blocks, such nodes will not have any shadow value associated with them.
1204 // It's easier to remove unreachable blocks than deal with missing shadow.
1205 removeUnreachableBlocks(F);
1206
1207 MS.initializeCallbacks(*F.getParent(), TLI);
1208 FnPrologueEnd = IRBuilder<>(F.getEntryBlock().getFirstNonPHI())
1209 .CreateIntrinsic(Intrinsic::donothing, {}, {});
1210
1211 if (MS.CompileKernel) {
1212 IRBuilder<> IRB(FnPrologueEnd);
1213 insertKmsanPrologue(IRB);
1214 }
1215
1216 LLVM_DEBUG(if (!InsertChecks) dbgs()
1217 << "MemorySanitizer is not inserting checks into '"
1218 << F.getName() << "'\n");
1219 }
1220
1221 bool instrumentWithCalls(Value *V) {
1222 // Constants likely will be eliminated by follow-up passes.
1223 if (isa<Constant>(V))
1224 return false;
1225
1226 ++SplittableBlocksCount;
1227 return ClInstrumentationWithCallThreshold >= 0 &&
1228 SplittableBlocksCount > ClInstrumentationWithCallThreshold;
1229 }
1230
1231 bool isInPrologue(Instruction &I) {
1232 return I.getParent() == FnPrologueEnd->getParent() &&
1233 (&I == FnPrologueEnd || I.comesBefore(FnPrologueEnd));
1234 }
1235
1236 // Creates a new origin and records the stack trace. In general we can call
1237 // this function for any origin manipulation we like. However it will cost
1238 // runtime resources. So use this wisely only if it can provide additional
1239 // information helpful to a user.
1240 Value *updateOrigin(Value *V, IRBuilder<> &IRB) {
1241 if (MS.TrackOrigins <= 1)
1242 return V;
1243 return IRB.CreateCall(MS.MsanChainOriginFn, V);
1244 }
1245
1246 Value *originToIntptr(IRBuilder<> &IRB, Value *Origin) {
1247 const DataLayout &DL = F.getDataLayout();
1248 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1249 if (IntptrSize == kOriginSize)
1250 return Origin;
1251 assert(IntptrSize == kOriginSize * 2);
1252 Origin = IRB.CreateIntCast(Origin, MS.IntptrTy, /* isSigned */ false);
1253 return IRB.CreateOr(Origin, IRB.CreateShl(Origin, kOriginSize * 8));
1254 }
1255
1256 /// Fill memory range with the given origin value.
1257 void paintOrigin(IRBuilder<> &IRB, Value *Origin, Value *OriginPtr,
1258 TypeSize TS, Align Alignment) {
1259 const DataLayout &DL = F.getDataLayout();
1260 const Align IntptrAlignment = DL.getABITypeAlign(MS.IntptrTy);
1261 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
1262 assert(IntptrAlignment >= kMinOriginAlignment);
1263 assert(IntptrSize >= kOriginSize);
1264
1265 // Note: The loop based formation works for fixed length vectors too,
1266 // however we prefer to unroll and specialize alignment below.
1267 if (TS.isScalable()) {
1268 Value *Size = IRB.CreateTypeSize(MS.IntptrTy, TS);
1269 Value *RoundUp =
1270 IRB.CreateAdd(Size, ConstantInt::get(MS.IntptrTy, kOriginSize - 1));
1271 Value *End =
1272 IRB.CreateUDiv(RoundUp, ConstantInt::get(MS.IntptrTy, kOriginSize));
1273 auto [InsertPt, Index] =
1274 SplitBlockAndInsertSimpleForLoop(End, &*IRB.GetInsertPoint());
1275 IRB.SetInsertPoint(InsertPt);
1276
1277 Value *GEP = IRB.CreateGEP(MS.OriginTy, OriginPtr, Index);
1278 IRB.CreateAlignedStore(Origin, GEP, kMinOriginAlignment);
1279 return;
1280 }
1281
1282 unsigned Size = TS.getFixedValue();
1283
1284 unsigned Ofs = 0;
1285 Align CurrentAlignment = Alignment;
1286 if (Alignment >= IntptrAlignment && IntptrSize > kOriginSize) {
1287 Value *IntptrOrigin = originToIntptr(IRB, Origin);
1288 Value *IntptrOriginPtr = IRB.CreatePointerCast(OriginPtr, MS.PtrTy);
1289 for (unsigned i = 0; i < Size / IntptrSize; ++i) {
1290 Value *Ptr = i ? IRB.CreateConstGEP1_32(MS.IntptrTy, IntptrOriginPtr, i)
1291 : IntptrOriginPtr;
1292 IRB.CreateAlignedStore(IntptrOrigin, Ptr, CurrentAlignment);
1293 Ofs += IntptrSize / kOriginSize;
1294 CurrentAlignment = IntptrAlignment;
1295 }
1296 }
1297
1298 for (unsigned i = Ofs; i < (Size + kOriginSize - 1) / kOriginSize; ++i) {
1299 Value *GEP =
1300 i ? IRB.CreateConstGEP1_32(MS.OriginTy, OriginPtr, i) : OriginPtr;
1301 IRB.CreateAlignedStore(Origin, GEP, CurrentAlignment);
1302 CurrentAlignment = kMinOriginAlignment;
1303 }
1304 }
1305
1306 void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
1307 Value *OriginPtr, Align Alignment) {
1308 const DataLayout &DL = F.getDataLayout();
1309 const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1310 TypeSize StoreSize = DL.getTypeStoreSize(Shadow->getType());
1311 // ZExt cannot convert between vector and scalar
1312 Value *ConvertedShadow = convertShadowToScalar(Shadow, IRB);
1313 if (auto *ConstantShadow = dyn_cast<Constant>(ConvertedShadow)) {
1314 if (!ClCheckConstantShadow || ConstantShadow->isZeroValue()) {
1315 // Origin is not needed: value is initialized or const shadow is
1316 // ignored.
1317 return;
1318 }
1319 if (llvm::isKnownNonZero(ConvertedShadow, DL)) {
1320 // Copy origin as the value is definitely uninitialized.
1321 paintOrigin(IRB, updateOrigin(Origin, IRB), OriginPtr, StoreSize,
1322 OriginAlignment);
1323 return;
1324 }
1325 // Fallback to runtime check, which still can be optimized out later.
1326 }
1327
1328 TypeSize TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
1329 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1330 if (instrumentWithCalls(ConvertedShadow) &&
1331 SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1332 FunctionCallee Fn = MS.MaybeStoreOriginFn[SizeIndex];
1333 Value *ConvertedShadow2 =
1334 IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1335 CallBase *CB = IRB.CreateCall(Fn, {ConvertedShadow2, Addr, Origin});
1336 CB->addParamAttr(0, Attribute::ZExt);
1337 CB->addParamAttr(2, Attribute::ZExt);
1338 } else {
1339 Value *Cmp = convertToBool(ConvertedShadow, IRB, "_mscmp");
1340 Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1341 Cmp, &*IRB.GetInsertPoint(), false, MS.OriginStoreWeights);
1342 IRBuilder<> IRBNew(CheckTerm);
1343 paintOrigin(IRBNew, updateOrigin(Origin, IRBNew), OriginPtr, StoreSize,
1344 OriginAlignment);
1345 }
1346 }
1347
1348 void materializeStores() {
1349 for (StoreInst *SI : StoreList) {
1350 IRBuilder<> IRB(SI);
1351 Value *Val = SI->getValueOperand();
1352 Value *Addr = SI->getPointerOperand();
1353 Value *Shadow = SI->isAtomic() ? getCleanShadow(Val) : getShadow(Val);
1354 Value *ShadowPtr, *OriginPtr;
1355 Type *ShadowTy = Shadow->getType();
1356 const Align Alignment = SI->getAlign();
1357 const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
1358 std::tie(ShadowPtr, OriginPtr) =
1359 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ true);
1360
1361 StoreInst *NewSI = IRB.CreateAlignedStore(Shadow, ShadowPtr, Alignment);
1362 LLVM_DEBUG(dbgs() << " STORE: " << *NewSI << "\n");
1363 (void)NewSI;
1364
1365 if (SI->isAtomic())
1366 SI->setOrdering(addReleaseOrdering(SI->getOrdering()));
1367
1368 if (MS.TrackOrigins && !SI->isAtomic())
1369 storeOrigin(IRB, Addr, Shadow, getOrigin(Val), OriginPtr,
1370 OriginAlignment);
1371 }
1372 }
1373
1374 // Returns true if Debug Location corresponds to multiple warnings.
1375 bool shouldDisambiguateWarningLocation(const DebugLoc &DebugLoc) {
1376 if (MS.TrackOrigins < 2)
1377 return false;
1378
1379 if (LazyWarningDebugLocationCount.empty())
1380 for (const auto &I : InstrumentationList)
1381 ++LazyWarningDebugLocationCount[I.OrigIns->getDebugLoc()];
1382
1383 return LazyWarningDebugLocationCount[DebugLoc] >= ClDisambiguateWarning;
1384 }
1385
1386 /// Helper function to insert a warning at IRB's current insert point.
1387 void insertWarningFn(IRBuilder<> &IRB, Value *Origin) {
1388 if (!Origin)
1389 Origin = (Value *)IRB.getInt32(0);
1390 assert(Origin->getType()->isIntegerTy());
1391
1392 if (shouldDisambiguateWarningLocation(IRB.getCurrentDebugLocation())) {
1393 // Try to create additional origin with debug info of the last origin
1394 // instruction. It may provide additional information to the user.
1395 if (Instruction *OI = dyn_cast_or_null<Instruction>(Origin)) {
1396 assert(MS.TrackOrigins);
1397 auto NewDebugLoc = OI->getDebugLoc();
1398 // Origin update with missing or the same debug location provides no
1399 // additional value.
1400 if (NewDebugLoc && NewDebugLoc != IRB.getCurrentDebugLocation()) {
1401 // Insert update just before the check, so we call runtime only just
1402 // before the report.
1403 IRBuilder<> IRBOrigin(&*IRB.GetInsertPoint());
1404 IRBOrigin.SetCurrentDebugLocation(NewDebugLoc);
1405 Origin = updateOrigin(Origin, IRBOrigin);
1406 }
1407 }
1408 }
1409
1410 if (MS.CompileKernel || MS.TrackOrigins)
1411 IRB.CreateCall(MS.WarningFn, Origin)->setCannotMerge();
1412 else
1413 IRB.CreateCall(MS.WarningFn)->setCannotMerge();
1414 // FIXME: Insert UnreachableInst if !MS.Recover?
1415 // This may invalidate some of the following checks and needs to be done
1416 // at the very end.
1417 }
1418
1419 void materializeOneCheck(IRBuilder<> &IRB, Value *ConvertedShadow,
1420 Value *Origin) {
1421 const DataLayout &DL = F.getDataLayout();
1422 TypeSize TypeSizeInBits = DL.getTypeSizeInBits(ConvertedShadow->getType());
1423 unsigned SizeIndex = TypeSizeToSizeIndex(TypeSizeInBits);
1424 if (instrumentWithCalls(ConvertedShadow) &&
1425 SizeIndex < kNumberOfAccessSizes && !MS.CompileKernel) {
1426 FunctionCallee Fn = MS.MaybeWarningFn[SizeIndex];
1427 // ZExt cannot convert between vector and scalar
1428 ConvertedShadow = convertShadowToScalar(ConvertedShadow, IRB);
1429 Value *ConvertedShadow2 =
1430 IRB.CreateZExt(ConvertedShadow, IRB.getIntNTy(8 * (1 << SizeIndex)));
1431 CallBase *CB = IRB.CreateCall(
1432 Fn, {ConvertedShadow2,
1433 MS.TrackOrigins && Origin ? Origin : (Value *)IRB.getInt32(0)});
1434 CB->addParamAttr(0, Attribute::ZExt);
1435 CB->addParamAttr(1, Attribute::ZExt);
1436 } else {
1437 Value *Cmp = convertToBool(ConvertedShadow, IRB, "_mscmp");
1438 Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1439 Cmp, &*IRB.GetInsertPoint(),
1440 /* Unreachable */ !MS.Recover, MS.ColdCallWeights);
1441
1442 IRB.SetInsertPoint(CheckTerm);
1443 insertWarningFn(IRB, Origin);
1444 LLVM_DEBUG(dbgs() << " CHECK: " << *Cmp << "\n");
1445 }
1446 }
1447
1448 void materializeInstructionChecks(
1449 ArrayRef<ShadowOriginAndInsertPoint> InstructionChecks) {
1450 const DataLayout &DL = F.getDataLayout();
1451 // Disable combining in some cases. TrackOrigins checks each shadow to pick
1452 // correct origin.
1453 bool Combine = !MS.TrackOrigins;
1454 Instruction *Instruction = InstructionChecks.front().OrigIns;
1455 Value *Shadow = nullptr;
1456 for (const auto &ShadowData : InstructionChecks) {
1457 assert(ShadowData.OrigIns == Instruction);
1458 IRBuilder<> IRB(Instruction);
1459
1460 Value *ConvertedShadow = ShadowData.Shadow;
1461
1462 if (auto *ConstantShadow = dyn_cast<Constant>(ConvertedShadow)) {
1463 if (!ClCheckConstantShadow || ConstantShadow->isZeroValue()) {
1464 // Skip, value is initialized or const shadow is ignored.
1465 continue;
1466 }
1467 if (llvm::isKnownNonZero(ConvertedShadow, DL)) {
1468 // Report as the value is definitely uninitialized.
1469 insertWarningFn(IRB, ShadowData.Origin);
1470 if (!MS.Recover)
1471 return; // Always fail and stop here, not need to check the rest.
1472 // Skip entire instruction,
1473 continue;
1474 }
1475 // Fallback to runtime check, which still can be optimized out later.
1476 }
1477
1478 if (!Combine) {
1479 materializeOneCheck(IRB, ConvertedShadow, ShadowData.Origin);
1480 continue;
1481 }
1482
1483 if (!Shadow) {
1484 Shadow = ConvertedShadow;
1485 continue;
1486 }
1487
1488 Shadow = convertToBool(Shadow, IRB, "_mscmp");
1489 ConvertedShadow = convertToBool(ConvertedShadow, IRB, "_mscmp");
1490 Shadow = IRB.CreateOr(Shadow, ConvertedShadow, "_msor");
1491 }
1492
1493 if (Shadow) {
1494 assert(Combine);
1495 IRBuilder<> IRB(Instruction);
1496 materializeOneCheck(IRB, Shadow, nullptr);
1497 }
1498 }
1499
1500 void materializeChecks() {
1501#ifndef NDEBUG
1502 // For assert below.
1503 SmallPtrSet<Instruction *, 16> Done;
1504#endif
1505
1506 for (auto I = InstrumentationList.begin();
1507 I != InstrumentationList.end();) {
1508 auto OrigIns = I->OrigIns;
1509 // Checks are grouped by the original instruction. We call all
1510 // `insertShadowCheck` for an instruction at once.
1511 assert(Done.insert(OrigIns).second);
1512 auto J = std::find_if(I + 1, InstrumentationList.end(),
1513 [OrigIns](const ShadowOriginAndInsertPoint &R) {
1514 return OrigIns != R.OrigIns;
1515 });
1516 // Process all checks of instruction at once.
1517 materializeInstructionChecks(ArrayRef<ShadowOriginAndInsertPoint>(I, J));
1518 I = J;
1519 }
1520
1521 LLVM_DEBUG(dbgs() << "DONE:\n" << F);
1522 }
1523
1524 // Returns the last instruction in the new prologue
1525 void insertKmsanPrologue(IRBuilder<> &IRB) {
1526 Value *ContextState = IRB.CreateCall(MS.MsanGetContextStateFn, {});
1527 Constant *Zero = IRB.getInt32(0);
1528 MS.ParamTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1529 {Zero, IRB.getInt32(0)}, "param_shadow");
1530 MS.RetvalTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1531 {Zero, IRB.getInt32(1)}, "retval_shadow");
1532 MS.VAArgTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1533 {Zero, IRB.getInt32(2)}, "va_arg_shadow");
1534 MS.VAArgOriginTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1535 {Zero, IRB.getInt32(3)}, "va_arg_origin");
1536 MS.VAArgOverflowSizeTLS =
1537 IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1538 {Zero, IRB.getInt32(4)}, "va_arg_overflow_size");
1539 MS.ParamOriginTLS = IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1540 {Zero, IRB.getInt32(5)}, "param_origin");
1541 MS.RetvalOriginTLS =
1542 IRB.CreateGEP(MS.MsanContextStateTy, ContextState,
1543 {Zero, IRB.getInt32(6)}, "retval_origin");
1544 if (MS.TargetTriple.getArch() == Triple::systemz)
1545 MS.MsanMetadataAlloca = IRB.CreateAlloca(MS.MsanMetadata, 0u);
1546 }
1547
1548 /// Add MemorySanitizer instrumentation to a function.
1549 bool runOnFunction() {
1550 // Iterate all BBs in depth-first order and create shadow instructions
1551 // for all instructions (where applicable).
1552 // For PHI nodes we create dummy shadow PHIs which will be finalized later.
1553 for (BasicBlock *BB : depth_first(FnPrologueEnd->getParent()))
1554 visit(*BB);
1555
1556 // `visit` above only collects instructions. Process them after iterating
1557 // CFG to avoid requirement on CFG transformations.
1558 for (Instruction *I : Instructions)
1559 InstVisitor<MemorySanitizerVisitor>::visit(*I);
1560
1561 // Finalize PHI nodes.
1562 for (PHINode *PN : ShadowPHINodes) {
1563 PHINode *PNS = cast<PHINode>(getShadow(PN));
1564 PHINode *PNO = MS.TrackOrigins ? cast<PHINode>(getOrigin(PN)) : nullptr;
1565 size_t NumValues = PN->getNumIncomingValues();
1566 for (size_t v = 0; v < NumValues; v++) {
1567 PNS->addIncoming(getShadow(PN, v), PN->getIncomingBlock(v));
1568 if (PNO)
1569 PNO->addIncoming(getOrigin(PN, v), PN->getIncomingBlock(v));
1570 }
1571 }
1572
1573 VAHelper->finalizeInstrumentation();
1574
1575 // Poison llvm.lifetime.start intrinsics, if we haven't fallen back to
1576 // instrumenting only allocas.
1577 if (InstrumentLifetimeStart) {
1578 for (auto Item : LifetimeStartList) {
1579 instrumentAlloca(*Item.second, Item.first);
1580 AllocaSet.remove(Item.second);
1581 }
1582 }
1583 // Poison the allocas for which we didn't instrument the corresponding
1584 // lifetime intrinsics.
1585 for (AllocaInst *AI : AllocaSet)
1586 instrumentAlloca(*AI);
1587
1588 // Insert shadow value checks.
1589 materializeChecks();
1590
1591 // Delayed instrumentation of StoreInst.
1592 // This may not add new address checks.
1593 materializeStores();
1594
1595 return true;
1596 }
1597
1598 /// Compute the shadow type that corresponds to a given Value.
1599 Type *getShadowTy(Value *V) { return getShadowTy(V->getType()); }
1600
1601 /// Compute the shadow type that corresponds to a given Type.
1602 Type *getShadowTy(Type *OrigTy) {
1603 if (!OrigTy->isSized()) {
1604 return nullptr;
1605 }
1606 // For integer type, shadow is the same as the original type.
1607 // This may return weird-sized types like i1.
1608 if (IntegerType *IT = dyn_cast<IntegerType>(OrigTy))
1609 return IT;
1610 const DataLayout &DL = F.getDataLayout();
1611 if (VectorType *VT = dyn_cast<VectorType>(OrigTy)) {
1612 uint32_t EltSize = DL.getTypeSizeInBits(VT->getElementType());
1613 return VectorType::get(IntegerType::get(*MS.C, EltSize),
1614 VT->getElementCount());
1615 }
1616 if (ArrayType *AT = dyn_cast<ArrayType>(OrigTy)) {
1617 return ArrayType::get(getShadowTy(AT->getElementType()),
1618 AT->getNumElements());
1619 }
1620 if (StructType *ST = dyn_cast<StructType>(OrigTy)) {
1621 SmallVector<Type *, 4> Elements;
1622 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1623 Elements.push_back(getShadowTy(ST->getElementType(i)));
1624 StructType *Res = StructType::get(*MS.C, Elements, ST->isPacked());
1625 LLVM_DEBUG(dbgs() << "getShadowTy: " << *ST << " ===> " << *Res << "\n");
1626 return Res;
1627 }
1628 uint32_t TypeSize = DL.getTypeSizeInBits(OrigTy);
1629 return IntegerType::get(*MS.C, TypeSize);
1630 }
1631
1632 /// Extract combined shadow of struct elements as a bool
1633 Value *collapseStructShadow(StructType *Struct, Value *Shadow,
1634 IRBuilder<> &IRB) {
1635 Value *FalseVal = IRB.getIntN(/* width */ 1, /* value */ 0);
1636 Value *Aggregator = FalseVal;
1637
1638 for (unsigned Idx = 0; Idx < Struct->getNumElements(); Idx++) {
1639 // Combine by ORing together each element's bool shadow
1640 Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx);
1641 Value *ShadowBool = convertToBool(ShadowItem, IRB);
1642
1643 if (Aggregator != FalseVal)
1644 Aggregator = IRB.CreateOr(Aggregator, ShadowBool);
1645 else
1646 Aggregator = ShadowBool;
1647 }
1648
1649 return Aggregator;
1650 }
1651
1652 // Extract combined shadow of array elements
1653 Value *collapseArrayShadow(ArrayType *Array, Value *Shadow,
1654 IRBuilder<> &IRB) {
1655 if (!Array->getNumElements())
1656 return IRB.getIntN(/* width */ 1, /* value */ 0);
1657
1658 Value *FirstItem = IRB.CreateExtractValue(Shadow, 0);
1659 Value *Aggregator = convertShadowToScalar(FirstItem, IRB);
1660
1661 for (unsigned Idx = 1; Idx < Array->getNumElements(); Idx++) {
1662 Value *ShadowItem = IRB.CreateExtractValue(Shadow, Idx);
1663 Value *ShadowInner = convertShadowToScalar(ShadowItem, IRB);
1664 Aggregator = IRB.CreateOr(Aggregator, ShadowInner);
1665 }
1666 return Aggregator;
1667 }
1668
1669 /// Convert a shadow value to it's flattened variant. The resulting
1670 /// shadow may not necessarily have the same bit width as the input
1671 /// value, but it will always be comparable to zero.
1672 Value *convertShadowToScalar(Value *V, IRBuilder<> &IRB) {
1673 if (StructType *Struct = dyn_cast<StructType>(V->getType()))
1674 return collapseStructShadow(Struct, V, IRB);
1675 if (ArrayType *Array = dyn_cast<ArrayType>(V->getType()))
1676 return collapseArrayShadow(Array, V, IRB);
1677 if (isa<VectorType>(V->getType())) {
1678 if (isa<ScalableVectorType>(V->getType()))
1679 return convertShadowToScalar(IRB.CreateOrReduce(V), IRB);
1680 unsigned BitWidth =
1681 V->getType()->getPrimitiveSizeInBits().getFixedValue();
1682 return IRB.CreateBitCast(V, IntegerType::get(*MS.C, BitWidth));
1683 }
1684 return V;
1685 }
1686
1687 // Convert a scalar value to an i1 by comparing with 0
1688 Value *convertToBool(Value *V, IRBuilder<> &IRB, const Twine &name = "") {
1689 Type *VTy = V->getType();
1690 if (!VTy->isIntegerTy())
1691 return convertToBool(convertShadowToScalar(V, IRB), IRB, name);
1692 if (VTy->getIntegerBitWidth() == 1)
1693 // Just converting a bool to a bool, so do nothing.
1694 return V;
1695 return IRB.CreateICmpNE(V, ConstantInt::get(VTy, 0), name);
1696 }
1697
1698 Type *ptrToIntPtrType(Type *PtrTy) const {
1699 if (VectorType *VectTy = dyn_cast<VectorType>(PtrTy)) {
1700 return VectorType::get(ptrToIntPtrType(VectTy->getElementType()),
1701 VectTy->getElementCount());
1702 }
1703 assert(PtrTy->isIntOrPtrTy());
1704 return MS.IntptrTy;
1705 }
1706
1707 Type *getPtrToShadowPtrType(Type *IntPtrTy, Type *ShadowTy) const {
1708 if (VectorType *VectTy = dyn_cast<VectorType>(IntPtrTy)) {
1709 return VectorType::get(
1710 getPtrToShadowPtrType(VectTy->getElementType(), ShadowTy),
1711 VectTy->getElementCount());
1712 }
1713 assert(IntPtrTy == MS.IntptrTy);
1714 return MS.PtrTy;
1715 }
1716
1717 Constant *constToIntPtr(Type *IntPtrTy, uint64_t C) const {
1718 if (VectorType *VectTy = dyn_cast<VectorType>(IntPtrTy)) {
1719 return ConstantVector::getSplat(
1720 VectTy->getElementCount(),
1721 constToIntPtr(VectTy->getElementType(), C));
1722 }
1723 assert(IntPtrTy == MS.IntptrTy);
1724 return ConstantInt::get(MS.IntptrTy, C);
1725 }
1726
1727 /// Compute the integer shadow offset that corresponds to a given
1728 /// application address.
1729 ///
1730 /// Offset = (Addr & ~AndMask) ^ XorMask
1731 /// Addr can be a ptr or <N x ptr>. In both cases ShadowTy the shadow type of
1732 /// a single pointee.
1733 /// Returns <shadow_ptr, origin_ptr> or <<N x shadow_ptr>, <N x origin_ptr>>.
1734 Value *getShadowPtrOffset(Value *Addr, IRBuilder<> &IRB) {
1735 Type *IntptrTy = ptrToIntPtrType(Addr->getType());
1736 Value *OffsetLong = IRB.CreatePointerCast(Addr, IntptrTy);
1737
1738 if (uint64_t AndMask = MS.MapParams->AndMask)
1739 OffsetLong = IRB.CreateAnd(OffsetLong, constToIntPtr(IntptrTy, ~AndMask));
1740
1741 if (uint64_t XorMask = MS.MapParams->XorMask)
1742 OffsetLong = IRB.CreateXor(OffsetLong, constToIntPtr(IntptrTy, XorMask));
1743 return OffsetLong;
1744 }
1745
1746 /// Compute the shadow and origin addresses corresponding to a given
1747 /// application address.
1748 ///
1749 /// Shadow = ShadowBase + Offset
1750 /// Origin = (OriginBase + Offset) & ~3ULL
1751 /// Addr can be a ptr or <N x ptr>. In both cases ShadowTy the shadow type of
1752 /// a single pointee.
1753 /// Returns <shadow_ptr, origin_ptr> or <<N x shadow_ptr>, <N x origin_ptr>>.
1754 std::pair<Value *, Value *>
1755 getShadowOriginPtrUserspace(Value *Addr, IRBuilder<> &IRB, Type *ShadowTy,
1756 MaybeAlign Alignment) {
1757 VectorType *VectTy = dyn_cast<VectorType>(Addr->getType());
1758 if (!VectTy) {
1759 assert(Addr->getType()->isPointerTy());
1760 } else {
1761 assert(VectTy->getElementType()->isPointerTy());
1762 }
1763 Type *IntptrTy = ptrToIntPtrType(Addr->getType());
1764 Value *ShadowOffset = getShadowPtrOffset(Addr, IRB);
1765 Value *ShadowLong = ShadowOffset;
1766 if (uint64_t ShadowBase = MS.MapParams->ShadowBase) {
1767 ShadowLong =
1768 IRB.CreateAdd(ShadowLong, constToIntPtr(IntptrTy, ShadowBase));
1769 }
1770 Value *ShadowPtr = IRB.CreateIntToPtr(
1771 ShadowLong, getPtrToShadowPtrType(IntptrTy, ShadowTy));
1772
1773 Value *OriginPtr = nullptr;
1774 if (MS.TrackOrigins) {
1775 Value *OriginLong = ShadowOffset;
1776 uint64_t OriginBase = MS.MapParams->OriginBase;
1777 if (OriginBase != 0)
1778 OriginLong =
1779 IRB.CreateAdd(OriginLong, constToIntPtr(IntptrTy, OriginBase));
1780 if (!Alignment || *Alignment < kMinOriginAlignment) {
1781 uint64_t Mask = kMinOriginAlignment.value() - 1;
1782 OriginLong = IRB.CreateAnd(OriginLong, constToIntPtr(IntptrTy, ~Mask));
1783 }
1784 OriginPtr = IRB.CreateIntToPtr(
1785 OriginLong, getPtrToShadowPtrType(IntptrTy, MS.OriginTy));
1786 }
1787 return std::make_pair(ShadowPtr, OriginPtr);
1788 }
1789
1790 template <typename... ArgsTy>
1791 Value *createMetadataCall(IRBuilder<> &IRB, FunctionCallee Callee,
1792 ArgsTy... Args) {
1793 if (MS.TargetTriple.getArch() == Triple::systemz) {
1794 IRB.CreateCall(Callee,
1795 {MS.MsanMetadataAlloca, std::forward<ArgsTy>(Args)...});
1796 return IRB.CreateLoad(MS.MsanMetadata, MS.MsanMetadataAlloca);
1797 }
1798
1799 return IRB.CreateCall(Callee, {std::forward<ArgsTy>(Args)...});
1800 }
1801
1802 std::pair<Value *, Value *> getShadowOriginPtrKernelNoVec(Value *Addr,
1803 IRBuilder<> &IRB,
1804 Type *ShadowTy,
1805 bool isStore) {
1806 Value *ShadowOriginPtrs;
1807 const DataLayout &DL = F.getDataLayout();
1808 TypeSize Size = DL.getTypeStoreSize(ShadowTy);
1809
1810 FunctionCallee Getter = MS.getKmsanShadowOriginAccessFn(isStore, Size);
1811 Value *AddrCast = IRB.CreatePointerCast(Addr, MS.PtrTy);
1812 if (Getter) {
1813 ShadowOriginPtrs = createMetadataCall(IRB, Getter, AddrCast);
1814 } else {
1815 Value *SizeVal = ConstantInt::get(MS.IntptrTy, Size);
1816 ShadowOriginPtrs = createMetadataCall(
1817 IRB,
1818 isStore ? MS.MsanMetadataPtrForStoreN : MS.MsanMetadataPtrForLoadN,
1819 AddrCast, SizeVal);
1820 }
1821 Value *ShadowPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 0);
1822 ShadowPtr = IRB.CreatePointerCast(ShadowPtr, MS.PtrTy);
1823 Value *OriginPtr = IRB.CreateExtractValue(ShadowOriginPtrs, 1);
1824
1825 return std::make_pair(ShadowPtr, OriginPtr);
1826 }
1827
1828 /// Addr can be a ptr or <N x ptr>. In both cases ShadowTy the shadow type of
1829 /// a single pointee.
1830 /// Returns <shadow_ptr, origin_ptr> or <<N x shadow_ptr>, <N x origin_ptr>>.
1831 std::pair<Value *, Value *> getShadowOriginPtrKernel(Value *Addr,
1832 IRBuilder<> &IRB,
1833 Type *ShadowTy,
1834 bool isStore) {
1835 VectorType *VectTy = dyn_cast<VectorType>(Addr->getType());
1836 if (!VectTy) {
1837 assert(Addr->getType()->isPointerTy());
1838 return getShadowOriginPtrKernelNoVec(Addr, IRB, ShadowTy, isStore);
1839 }
1840
1841 // TODO: Support callbacs with vectors of addresses.
1842 unsigned NumElements = cast<FixedVectorType>(VectTy)->getNumElements();
1843 Value *ShadowPtrs = ConstantInt::getNullValue(
1844 FixedVectorType::get(IRB.getPtrTy(), NumElements));
1845 Value *OriginPtrs = nullptr;
1846 if (MS.TrackOrigins)
1847 OriginPtrs = ConstantInt::getNullValue(
1848 FixedVectorType::get(IRB.getPtrTy(), NumElements));
1849 for (unsigned i = 0; i < NumElements; ++i) {
1850 Value *OneAddr =
1851 IRB.CreateExtractElement(Addr, ConstantInt::get(IRB.getInt32Ty(), i));
1852 auto [ShadowPtr, OriginPtr] =
1853 getShadowOriginPtrKernelNoVec(OneAddr, IRB, ShadowTy, isStore);
1854
1855 ShadowPtrs = IRB.CreateInsertElement(
1856 ShadowPtrs, ShadowPtr, ConstantInt::get(IRB.getInt32Ty(), i));
1857 if (MS.TrackOrigins)
1858 OriginPtrs = IRB.CreateInsertElement(
1859 OriginPtrs, OriginPtr, ConstantInt::get(IRB.getInt32Ty(), i));
1860 }
1861 return {ShadowPtrs, OriginPtrs};
1862 }
1863
1864 std::pair<Value *, Value *> getShadowOriginPtr(Value *Addr, IRBuilder<> &IRB,
1865 Type *ShadowTy,
1866 MaybeAlign Alignment,
1867 bool isStore) {
1868 if (MS.CompileKernel)
1869 return getShadowOriginPtrKernel(Addr, IRB, ShadowTy, isStore);
1870 return getShadowOriginPtrUserspace(Addr, IRB, ShadowTy, Alignment);
1871 }
1872
1873 /// Compute the shadow address for a given function argument.
1874 ///
1875 /// Shadow = ParamTLS+ArgOffset.
1876 Value *getShadowPtrForArgument(IRBuilder<> &IRB, int ArgOffset) {
1877 Value *Base = IRB.CreatePointerCast(MS.ParamTLS, MS.IntptrTy);
1878 if (ArgOffset)
1879 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1880 return IRB.CreateIntToPtr(Base, IRB.getPtrTy(0), "_msarg");
1881 }
1882
1883 /// Compute the origin address for a given function argument.
1884 Value *getOriginPtrForArgument(IRBuilder<> &IRB, int ArgOffset) {
1885 if (!MS.TrackOrigins)
1886 return nullptr;
1887 Value *Base = IRB.CreatePointerCast(MS.ParamOriginTLS, MS.IntptrTy);
1888 if (ArgOffset)
1889 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
1890 return IRB.CreateIntToPtr(Base, IRB.getPtrTy(0), "_msarg_o");
1891 }
1892
1893 /// Compute the shadow address for a retval.
1894 Value *getShadowPtrForRetval(IRBuilder<> &IRB) {
1895 return IRB.CreatePointerCast(MS.RetvalTLS, IRB.getPtrTy(0), "_msret");
1896 }
1897
1898 /// Compute the origin address for a retval.
1899 Value *getOriginPtrForRetval() {
1900 // We keep a single origin for the entire retval. Might be too optimistic.
1901 return MS.RetvalOriginTLS;
1902 }
1903
1904 /// Set SV to be the shadow value for V.
1905 void setShadow(Value *V, Value *SV) {
1906 assert(!ShadowMap.count(V) && "Values may only have one shadow");
1907 ShadowMap[V] = PropagateShadow ? SV : getCleanShadow(V);
1908 }
1909
1910 /// Set Origin to be the origin value for V.
1911 void setOrigin(Value *V, Value *Origin) {
1912 if (!MS.TrackOrigins)
1913 return;
1914 assert(!OriginMap.count(V) && "Values may only have one origin");
1915 LLVM_DEBUG(dbgs() << "ORIGIN: " << *V << " ==> " << *Origin << "\n");
1916 OriginMap[V] = Origin;
1917 }
1918
1919 Constant *getCleanShadow(Type *OrigTy) {
1920 Type *ShadowTy = getShadowTy(OrigTy);
1921 if (!ShadowTy)
1922 return nullptr;
1923 return Constant::getNullValue(ShadowTy);
1924 }
1925
1926 /// Create a clean shadow value for a given value.
1927 ///
1928 /// Clean shadow (all zeroes) means all bits of the value are defined
1929 /// (initialized).
1930 Constant *getCleanShadow(Value *V) { return getCleanShadow(V->getType()); }
1931
1932 /// Create a dirty shadow of a given shadow type.
1933 Constant *getPoisonedShadow(Type *ShadowTy) {
1934 assert(ShadowTy);
1935 if (isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy))
1936 return Constant::getAllOnesValue(ShadowTy);
1937 if (ArrayType *AT = dyn_cast<ArrayType>(ShadowTy)) {
1938 SmallVector<Constant *, 4> Vals(AT->getNumElements(),
1939 getPoisonedShadow(AT->getElementType()));
1940 return ConstantArray::get(AT, Vals);
1941 }
1942 if (StructType *ST = dyn_cast<StructType>(ShadowTy)) {
1943 SmallVector<Constant *, 4> Vals;
1944 for (unsigned i = 0, n = ST->getNumElements(); i < n; i++)
1945 Vals.push_back(getPoisonedShadow(ST->getElementType(i)));
1946 return ConstantStruct::get(ST, Vals);
1947 }
1948 llvm_unreachable("Unexpected shadow type");
1949 }
1950
1951 /// Create a dirty shadow for a given value.
1952 Constant *getPoisonedShadow(Value *V) {
1953 Type *ShadowTy = getShadowTy(V);
1954 if (!ShadowTy)
1955 return nullptr;
1956 return getPoisonedShadow(ShadowTy);
1957 }
1958
1959 /// Create a clean (zero) origin.
1960 Value *getCleanOrigin() { return Constant::getNullValue(MS.OriginTy); }
1961
1962 /// Get the shadow value for a given Value.
1963 ///
1964 /// This function either returns the value set earlier with setShadow,
1965 /// or extracts if from ParamTLS (for function arguments).
1966 Value *getShadow(Value *V) {
1967 if (Instruction *I = dyn_cast<Instruction>(V)) {
1968 if (!PropagateShadow || I->getMetadata(LLVMContext::MD_nosanitize))
1969 return getCleanShadow(V);
1970 // For instructions the shadow is already stored in the map.
1971 Value *Shadow = ShadowMap[V];
1972 if (!Shadow) {
1973 LLVM_DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
1974 (void)I;
1975 assert(Shadow && "No shadow for a value");
1976 }
1977 return Shadow;
1978 }
1979 if (UndefValue *U = dyn_cast<UndefValue>(V)) {
1980 Value *AllOnes = (PropagateShadow && PoisonUndef) ? getPoisonedShadow(V)
1981 : getCleanShadow(V);
1982 LLVM_DEBUG(dbgs() << "Undef: " << *U << " ==> " << *AllOnes << "\n");
1983 (void)U;
1984 return AllOnes;
1985 }
1986 if (Argument *A = dyn_cast<Argument>(V)) {
1987 // For arguments we compute the shadow on demand and store it in the map.
1988 Value *&ShadowPtr = ShadowMap[V];
1989 if (ShadowPtr)
1990 return ShadowPtr;
1991 Function *F = A->getParent();
1992 IRBuilder<> EntryIRB(FnPrologueEnd);
1993 unsigned ArgOffset = 0;
1994 const DataLayout &DL = F->getDataLayout();
1995 for (auto &FArg : F->args()) {
1996 if (!FArg.getType()->isSized() || FArg.getType()->isScalableTy()) {
1997 LLVM_DEBUG(dbgs() << (FArg.getType()->isScalableTy()
1998 ? "vscale not fully supported\n"
1999 : "Arg is not sized\n"));
2000 if (A == &FArg) {
2001 ShadowPtr = getCleanShadow(V);
2002 setOrigin(A, getCleanOrigin());
2003 break;
2004 }
2005 continue;
2006 }
2007
2008 unsigned Size = FArg.hasByValAttr()
2009 ? DL.getTypeAllocSize(FArg.getParamByValType())
2010 : DL.getTypeAllocSize(FArg.getType());
2011
2012 if (A == &FArg) {
2013 bool Overflow = ArgOffset + Size > kParamTLSSize;
2014 if (FArg.hasByValAttr()) {
2015 // ByVal pointer itself has clean shadow. We copy the actual
2016 // argument shadow to the underlying memory.
2017 // Figure out maximal valid memcpy alignment.
2018 const Align ArgAlign = DL.getValueOrABITypeAlignment(
2019 FArg.getParamAlign(), FArg.getParamByValType());
2020 Value *CpShadowPtr, *CpOriginPtr;
2021 std::tie(CpShadowPtr, CpOriginPtr) =
2022 getShadowOriginPtr(V, EntryIRB, EntryIRB.getInt8Ty(), ArgAlign,
2023 /*isStore*/ true);
2024 if (!PropagateShadow || Overflow) {
2025 // ParamTLS overflow.
2026 EntryIRB.CreateMemSet(
2027 CpShadowPtr, Constant::getNullValue(EntryIRB.getInt8Ty()),
2028 Size, ArgAlign);
2029 } else {
2030 Value *Base = getShadowPtrForArgument(EntryIRB, ArgOffset);
2031 const Align CopyAlign = std::min(ArgAlign, kShadowTLSAlignment);
2032 Value *Cpy = EntryIRB.CreateMemCpy(CpShadowPtr, CopyAlign, Base,
2033 CopyAlign, Size);
2034 LLVM_DEBUG(dbgs() << " ByValCpy: " << *Cpy << "\n");
2035 (void)Cpy;
2036
2037 if (MS.TrackOrigins) {
2038 Value *OriginPtr = getOriginPtrForArgument(EntryIRB, ArgOffset);
2039 // FIXME: OriginSize should be:
2040 // alignTo(V % kMinOriginAlignment + Size, kMinOriginAlignment)
2041 unsigned OriginSize = alignTo(Size, kMinOriginAlignment);
2042 EntryIRB.CreateMemCpy(
2043 CpOriginPtr,
2044 /* by getShadowOriginPtr */ kMinOriginAlignment, OriginPtr,
2045 /* by origin_tls[ArgOffset] */ kMinOriginAlignment,
2046 OriginSize);
2047 }
2048 }
2049 }
2050
2051 if (!PropagateShadow || Overflow || FArg.hasByValAttr() ||
2052 (MS.EagerChecks && FArg.hasAttribute(Attribute::NoUndef))) {
2053 ShadowPtr = getCleanShadow(V);
2054 setOrigin(A, getCleanOrigin());
2055 } else {
2056 // Shadow over TLS
2057 Value *Base = getShadowPtrForArgument(EntryIRB, ArgOffset);
2058 ShadowPtr = EntryIRB.CreateAlignedLoad(getShadowTy(&FArg), Base,
2059 kShadowTLSAlignment);
2060 if (MS.TrackOrigins) {
2061 Value *OriginPtr = getOriginPtrForArgument(EntryIRB, ArgOffset);
2062 setOrigin(A, EntryIRB.CreateLoad(MS.OriginTy, OriginPtr));
2063 }
2064 }
2065 LLVM_DEBUG(dbgs()
2066 << " ARG: " << FArg << " ==> " << *ShadowPtr << "\n");
2067 break;
2068 }
2069
2070 ArgOffset += alignTo(Size, kShadowTLSAlignment);
2071 }
2072 assert(ShadowPtr && "Could not find shadow for an argument");
2073 return ShadowPtr;
2074 }
2075 // For everything else the shadow is zero.
2076 return getCleanShadow(V);
2077 }
2078
2079 /// Get the shadow for i-th argument of the instruction I.
2080 Value *getShadow(Instruction *I, int i) {
2081 return getShadow(I->getOperand(i));
2082 }
2083
2084 /// Get the origin for a value.
2085 Value *getOrigin(Value *V) {
2086 if (!MS.TrackOrigins)
2087 return nullptr;
2088 if (!PropagateShadow || isa<Constant>(V) || isa<InlineAsm>(V))
2089 return getCleanOrigin();
2090 assert((isa<Instruction>(V) || isa<Argument>(V)) &&
2091 "Unexpected value type in getOrigin()");
2092 if (Instruction *I = dyn_cast<Instruction>(V)) {
2093 if (I->getMetadata(LLVMContext::MD_nosanitize))
2094 return getCleanOrigin();
2095 }
2096 Value *Origin = OriginMap[V];
2097 assert(Origin && "Missing origin");
2098 return Origin;
2099 }
2100
2101 /// Get the origin for i-th argument of the instruction I.
2102 Value *getOrigin(Instruction *I, int i) {
2103 return getOrigin(I->getOperand(i));
2104 }
2105
2106 /// Remember the place where a shadow check should be inserted.
2107 ///
2108 /// This location will be later instrumented with a check that will print a
2109 /// UMR warning in runtime if the shadow value is not 0.
2110 void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
2111 assert(Shadow);
2112 if (!InsertChecks)
2113 return;
2114
2115 if (!DebugCounter::shouldExecute(DebugInsertCheck)) {
2116 LLVM_DEBUG(dbgs() << "Skipping check of " << *Shadow << " before "
2117 << *OrigIns << "\n");
2118 return;
2119 }
2120#ifndef NDEBUG
2121 Type *ShadowTy = Shadow->getType();
2122 assert((isa<IntegerType>(ShadowTy) || isa<VectorType>(ShadowTy) ||
2123 isa<StructType>(ShadowTy) || isa<ArrayType>(ShadowTy)) &&
2124 "Can only insert checks for integer, vector, and aggregate shadow "
2125 "types");
2126#endif
2127 InstrumentationList.push_back(
2128 ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
2129 }
2130
2131 /// Remember the place where a shadow check should be inserted.
2132 ///
2133 /// This location will be later instrumented with a check that will print a
2134 /// UMR warning in runtime if the value is not fully defined.
2135 void insertShadowCheck(Value *Val, Instruction *OrigIns) {
2136 assert(Val);
2137 Value *Shadow, *Origin;
2138 if (ClCheckConstantShadow) {
2139 Shadow = getShadow(Val);
2140 if (!Shadow)
2141 return;
2142 Origin = getOrigin(Val);
2143 } else {
2144 Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
2145 if (!Shadow)
2146 return;
2147 Origin = dyn_cast_or_null<Instruction>(getOrigin(Val));
2148 }
2149 insertShadowCheck(Shadow, Origin, OrigIns);
2150 }
2151
2152 AtomicOrdering addReleaseOrdering(AtomicOrdering a) {
2153 switch (a) {
2154 case AtomicOrdering::NotAtomic:
2155 return AtomicOrdering::NotAtomic;
2156 case AtomicOrdering::Unordered:
2157 case AtomicOrdering::Monotonic:
2158 case AtomicOrdering::Release:
2159 return AtomicOrdering::Release;
2160 case AtomicOrdering::Acquire:
2161 case AtomicOrdering::AcquireRelease:
2162 return AtomicOrdering::AcquireRelease;
2163 case AtomicOrdering::SequentiallyConsistent:
2164 return AtomicOrdering::SequentiallyConsistent;
2165 }
2166 llvm_unreachable("Unknown ordering");
2167 }
2168
2169 Value *makeAddReleaseOrderingTable(IRBuilder<> &IRB) {
2170 constexpr int NumOrderings = (int)AtomicOrderingCABI::seq_cst + 1;
2171 uint32_t OrderingTable[NumOrderings] = {};
2172
2173 OrderingTable[(int)AtomicOrderingCABI::relaxed] =
2174 OrderingTable[(int)AtomicOrderingCABI::release] =
2175 (int)AtomicOrderingCABI::release;
2176 OrderingTable[(int)AtomicOrderingCABI::consume] =
2177 OrderingTable[(int)AtomicOrderingCABI::acquire] =
2178 OrderingTable[(int)AtomicOrderingCABI::acq_rel] =
2179 (int)AtomicOrderingCABI::acq_rel;
2180 OrderingTable[(int)AtomicOrderingCABI::seq_cst] =
2181 (int)AtomicOrderingCABI::seq_cst;
2182
2183 return ConstantDataVector::get(IRB.getContext(), OrderingTable);
2184 }
2185
2186 AtomicOrdering addAcquireOrdering(AtomicOrdering a) {
2187 switch (a) {
2188 case AtomicOrdering::NotAtomic:
2189 return AtomicOrdering::NotAtomic;
2190 case AtomicOrdering::Unordered:
2191 case AtomicOrdering::Monotonic:
2192 case AtomicOrdering::Acquire:
2193 return AtomicOrdering::Acquire;
2194 case AtomicOrdering::Release:
2195 case AtomicOrdering::AcquireRelease:
2196 return AtomicOrdering::AcquireRelease;
2197 case AtomicOrdering::SequentiallyConsistent:
2198 return AtomicOrdering::SequentiallyConsistent;
2199 }
2200 llvm_unreachable("Unknown ordering");
2201 }
2202
2203 Value *makeAddAcquireOrderingTable(IRBuilder<> &IRB) {
2204 constexpr int NumOrderings = (int)AtomicOrderingCABI::seq_cst + 1;
2205 uint32_t OrderingTable[NumOrderings] = {};
2206
2207 OrderingTable[(int)AtomicOrderingCABI::relaxed] =
2208 OrderingTable[(int)AtomicOrderingCABI::acquire] =
2209 OrderingTable[(int)AtomicOrderingCABI::consume] =
2210 (int)AtomicOrderingCABI::acquire;
2211 OrderingTable[(int)AtomicOrderingCABI::release] =
2212 OrderingTable[(int)AtomicOrderingCABI::acq_rel] =
2213 (int)AtomicOrderingCABI::acq_rel;
2214 OrderingTable[(int)AtomicOrderingCABI::seq_cst] =
2215 (int)AtomicOrderingCABI::seq_cst;
2216
2217 return ConstantDataVector::get(IRB.getContext(), OrderingTable);
2218 }
2219
2220 // ------------------- Visitors.
2221 using InstVisitor<MemorySanitizerVisitor>::visit;
2222 void visit(Instruction &I) {
2223 if (I.getMetadata(LLVMContext::MD_nosanitize))
2224 return;
2225 // Don't want to visit if we're in the prologue
2226 if (isInPrologue(I))
2227 return;
2228 if (!DebugCounter::shouldExecute(DebugInstrumentInstruction)) {
2229 LLVM_DEBUG(dbgs() << "Skipping instruction: " << I << "\n");
2230 // We still need to set the shadow and origin to clean values.
2231 setShadow(&I, getCleanShadow(&I));
2232 setOrigin(&I, getCleanOrigin());
2233 return;
2234 }
2235
2236 Instructions.push_back(&I);
2237 }
2238
2239 /// Instrument LoadInst
2240 ///
2241 /// Loads the corresponding shadow and (optionally) origin.
2242 /// Optionally, checks that the load address is fully defined.
2243 void visitLoadInst(LoadInst &I) {
2244 assert(I.getType()->isSized() && "Load type must have size");
2245 assert(!I.getMetadata(LLVMContext::MD_nosanitize));
2246 NextNodeIRBuilder IRB(&I);
2247 Type *ShadowTy = getShadowTy(&I);
2248 Value *Addr = I.getPointerOperand();
2249 Value *ShadowPtr = nullptr, *OriginPtr = nullptr;
2250 const Align Alignment = I.getAlign();
2251 if (PropagateShadow) {
2252 std::tie(ShadowPtr, OriginPtr) =
2253 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
2254 setShadow(&I,
2255 IRB.CreateAlignedLoad(ShadowTy, ShadowPtr, Alignment, "_msld"));
2256 } else {
2257 setShadow(&I, getCleanShadow(&I));
2258 }
2259
2260 if (ClCheckAccessAddress)
2261 insertShadowCheck(I.getPointerOperand(), &I);
2262
2263 if (I.isAtomic())
2264 I.setOrdering(addAcquireOrdering(I.getOrdering()));
2265
2266 if (MS.TrackOrigins) {
2267 if (PropagateShadow) {
2268 const Align OriginAlignment = std::max(kMinOriginAlignment, Alignment);
2269 setOrigin(
2270 &I, IRB.CreateAlignedLoad(MS.OriginTy, OriginPtr, OriginAlignment));
2271 } else {
2272 setOrigin(&I, getCleanOrigin());
2273 }
2274 }
2275 }
2276
2277 /// Instrument StoreInst
2278 ///
2279 /// Stores the corresponding shadow and (optionally) origin.
2280 /// Optionally, checks that the store address is fully defined.
2281 void visitStoreInst(StoreInst &I) {
2282 StoreList.push_back(&I);
2283 if (ClCheckAccessAddress)
2284 insertShadowCheck(I.getPointerOperand(), &I);
2285 }
2286
2287 void handleCASOrRMW(Instruction &I) {
2288 assert(isa<AtomicRMWInst>(I) || isa<AtomicCmpXchgInst>(I));
2289
2290 IRBuilder<> IRB(&I);
2291 Value *Addr = I.getOperand(0);
2292 Value *Val = I.getOperand(1);
2293 Value *ShadowPtr = getShadowOriginPtr(Addr, IRB, getShadowTy(Val), Align(1),
2294 /*isStore*/ true)
2295 .first;
2296
2297 if (ClCheckAccessAddress)
2298 insertShadowCheck(Addr, &I);
2299
2300 // Only test the conditional argument of cmpxchg instruction.
2301 // The other argument can potentially be uninitialized, but we can not
2302 // detect this situation reliably without possible false positives.
2303 if (isa<AtomicCmpXchgInst>(I))
2304 insertShadowCheck(Val, &I);
2305
2306 IRB.CreateStore(getCleanShadow(Val), ShadowPtr);
2307
2308 setShadow(&I, getCleanShadow(&I));
2309 setOrigin(&I, getCleanOrigin());
2310 }
2311
2312 void visitAtomicRMWInst(AtomicRMWInst &I) {
2313 handleCASOrRMW(I);
2314 I.setOrdering(addReleaseOrdering(I.getOrdering()));
2315 }
2316
2317 void visitAtomicCmpXchgInst(AtomicCmpXchgInst &I) {
2318 handleCASOrRMW(I);
2319 I.setSuccessOrdering(addReleaseOrdering(I.getSuccessOrdering()));
2320 }
2321
2322 // Vector manipulation.
2323 void visitExtractElementInst(ExtractElementInst &I) {
2324 insertShadowCheck(I.getOperand(1), &I);
2325 IRBuilder<> IRB(&I);
2326 setShadow(&I, IRB.CreateExtractElement(getShadow(&I, 0), I.getOperand(1),
2327 "_msprop"));
2328 setOrigin(&I, getOrigin(&I, 0));
2329 }
2330
2331 void visitInsertElementInst(InsertElementInst &I) {
2332 insertShadowCheck(I.getOperand(2), &I);
2333 IRBuilder<> IRB(&I);
2334 auto *Shadow0 = getShadow(&I, 0);
2335 auto *Shadow1 = getShadow(&I, 1);
2336 setShadow(&I, IRB.CreateInsertElement(Shadow0, Shadow1, I.getOperand(2),
2337 "_msprop"));
2338 setOriginForNaryOp(I);
2339 }
2340
2341 void visitShuffleVectorInst(ShuffleVectorInst &I) {
2342 IRBuilder<> IRB(&I);
2343 auto *Shadow0 = getShadow(&I, 0);
2344 auto *Shadow1 = getShadow(&I, 1);
2345 setShadow(&I, IRB.CreateShuffleVector(Shadow0, Shadow1, I.getShuffleMask(),
2346 "_msprop"));
2347 setOriginForNaryOp(I);
2348 }
2349
2350 // Casts.
2351 void visitSExtInst(SExtInst &I) {
2352 IRBuilder<> IRB(&I);
2353 setShadow(&I, IRB.CreateSExt(getShadow(&I, 0), I.getType(), "_msprop"));
2354 setOrigin(&I, getOrigin(&I, 0));
2355 }
2356
2357 void visitZExtInst(ZExtInst &I) {
2358 IRBuilder<> IRB(&I);
2359 setShadow(&I, IRB.CreateZExt(getShadow(&I, 0), I.getType(), "_msprop"));
2360 setOrigin(&I, getOrigin(&I, 0));
2361 }
2362
2363 void visitTruncInst(TruncInst &I) {
2364 IRBuilder<> IRB(&I);
2365 setShadow(&I, IRB.CreateTrunc(getShadow(&I, 0), I.getType(), "_msprop"));
2366 setOrigin(&I, getOrigin(&I, 0));
2367 }
2368
2369 void visitBitCastInst(BitCastInst &I) {
2370 // Special case: if this is the bitcast (there is exactly 1 allowed) between
2371 // a musttail call and a ret, don't instrument. New instructions are not
2372 // allowed after a musttail call.
2373 if (auto *CI = dyn_cast<CallInst>(I.getOperand(0)))
2374 if (CI->isMustTailCall())
2375 return;
2376 IRBuilder<> IRB(&I);
2377 setShadow(&I, IRB.CreateBitCast(getShadow(&I, 0), getShadowTy(&I)));
2378 setOrigin(&I, getOrigin(&I, 0));
2379 }
2380
2381 void visitPtrToIntInst(PtrToIntInst &I) {
2382 IRBuilder<> IRB(&I);
2383 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
2384 "_msprop_ptrtoint"));
2385 setOrigin(&I, getOrigin(&I, 0));
2386 }
2387
2388 void visitIntToPtrInst(IntToPtrInst &I) {
2389 IRBuilder<> IRB(&I);
2390 setShadow(&I, IRB.CreateIntCast(getShadow(&I, 0), getShadowTy(&I), false,
2391 "_msprop_inttoptr"));
2392 setOrigin(&I, getOrigin(&I, 0));
2393 }
2394
2395 void visitFPToSIInst(CastInst &I) { handleShadowOr(I); }
2396 void visitFPToUIInst(CastInst &I) { handleShadowOr(I); }
2397 void visitSIToFPInst(CastInst &I) { handleShadowOr(I); }
2398 void visitUIToFPInst(CastInst &I) { handleShadowOr(I); }
2399 void visitFPExtInst(CastInst &I) { handleShadowOr(I); }
2400 void visitFPTruncInst(CastInst &I) { handleShadowOr(I); }
2401
2402 /// Propagate shadow for bitwise AND.
2403 ///
2404 /// This code is exact, i.e. if, for example, a bit in the left argument
2405 /// is defined and 0, then neither the value not definedness of the
2406 /// corresponding bit in B don't affect the resulting shadow.
2407 void visitAnd(BinaryOperator &I) {
2408 IRBuilder<> IRB(&I);
2409 // "And" of 0 and a poisoned value results in unpoisoned value.
2410 // 1&1 => 1; 0&1 => 0; p&1 => p;
2411 // 1&0 => 0; 0&0 => 0; p&0 => 0;
2412 // 1&p => p; 0&p => 0; p&p => p;
2413 // S = (S1 & S2) | (V1 & S2) | (S1 & V2)
2414 Value *S1 = getShadow(&I, 0);
2415 Value *S2 = getShadow(&I, 1);
2416 Value *V1 = I.getOperand(0);
2417 Value *V2 = I.getOperand(1);
2418 if (V1->getType() != S1->getType()) {
2419 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
2420 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
2421 }
2422 Value *S1S2 = IRB.CreateAnd(S1, S2);
2423 Value *V1S2 = IRB.CreateAnd(V1, S2);
2424 Value *S1V2 = IRB.CreateAnd(S1, V2);
2425 setShadow(&I, IRB.CreateOr({S1S2, V1S2, S1V2}));
2426 setOriginForNaryOp(I);
2427 }
2428
2429 void visitOr(BinaryOperator &I) {
2430 IRBuilder<> IRB(&I);
2431 // "Or" of 1 and a poisoned value results in unpoisoned value.
2432 // 1|1 => 1; 0|1 => 1; p|1 => 1;
2433 // 1|0 => 1; 0|0 => 0; p|0 => p;
2434 // 1|p => 1; 0|p => p; p|p => p;
2435 // S = (S1 & S2) | (~V1 & S2) | (S1 & ~V2)
2436 Value *S1 = getShadow(&I, 0);
2437 Value *S2 = getShadow(&I, 1);
2438 Value *V1 = IRB.CreateNot(I.getOperand(0));
2439 Value *V2 = IRB.CreateNot(I.getOperand(1));
2440 if (V1->getType() != S1->getType()) {
2441 V1 = IRB.CreateIntCast(V1, S1->getType(), false);
2442 V2 = IRB.CreateIntCast(V2, S2->getType(), false);
2443 }
2444 Value *S1S2 = IRB.CreateAnd(S1, S2);
2445 Value *V1S2 = IRB.CreateAnd(V1, S2);
2446 Value *S1V2 = IRB.CreateAnd(S1, V2);
2447 setShadow(&I, IRB.CreateOr({S1S2, V1S2, S1V2}));
2448 setOriginForNaryOp(I);
2449 }
2450
2451 /// Default propagation of shadow and/or origin.
2452 ///
2453 /// This class implements the general case of shadow propagation, used in all
2454 /// cases where we don't know and/or don't care about what the operation
2455 /// actually does. It converts all input shadow values to a common type
2456 /// (extending or truncating as necessary), and bitwise OR's them.
2457 ///
2458 /// This is much cheaper than inserting checks (i.e. requiring inputs to be
2459 /// fully initialized), and less prone to false positives.
2460 ///
2461 /// This class also implements the general case of origin propagation. For a
2462 /// Nary operation, result origin is set to the origin of an argument that is
2463 /// not entirely initialized. If there is more than one such arguments, the
2464 /// rightmost of them is picked. It does not matter which one is picked if all
2465 /// arguments are initialized.
2466 template <bool CombineShadow> class Combiner {
2467 Value *Shadow = nullptr;
2468 Value *Origin = nullptr;
2469 IRBuilder<> &IRB;
2470 MemorySanitizerVisitor *MSV;
2471
2472 public:
2473 Combiner(MemorySanitizerVisitor *MSV, IRBuilder<> &IRB)
2474 : IRB(IRB), MSV(MSV) {}
2475
2476 /// Add a pair of shadow and origin values to the mix.
2477 Combiner &Add(Value *OpShadow, Value *OpOrigin) {
2478 if (CombineShadow) {
2479 assert(OpShadow);
2480 if (!Shadow)
2481 Shadow = OpShadow;
2482 else {
2483 OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
2484 Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
2485 }
2486 }
2487
2488 if (MSV->MS.TrackOrigins) {
2489 assert(OpOrigin);
2490 if (!Origin) {
2491 Origin = OpOrigin;
2492 } else {
2493 Constant *ConstOrigin = dyn_cast<Constant>(OpOrigin);
2494 // No point in adding something that might result in 0 origin value.
2495 if (!ConstOrigin || !ConstOrigin->isNullValue()) {
2496 Value *Cond = MSV->convertToBool(OpShadow, IRB);
2497 Origin = IRB.CreateSelect(Cond, OpOrigin, Origin);
2498 }
2499 }
2500 }
2501 return *this;
2502 }
2503
2504 /// Add an application value to the mix.
2505 Combiner &Add(Value *V) {
2506 Value *OpShadow = MSV->getShadow(V);
2507 Value *OpOrigin = MSV->MS.TrackOrigins ? MSV->getOrigin(V) : nullptr;
2508 return Add(OpShadow, OpOrigin);
2509 }
2510
2511 /// Set the current combined values as the given instruction's shadow
2512 /// and origin.
2513 void Done(Instruction *I) {
2514 if (CombineShadow) {
2515 assert(Shadow);
2516 Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
2517 MSV->setShadow(I, Shadow);
2518 }
2519 if (MSV->MS.TrackOrigins) {
2520 assert(Origin);
2521 MSV->setOrigin(I, Origin);
2522 }
2523 }
2524
2525 /// Store the current combined value at the specified origin
2526 /// location.
2527 void DoneAndStoreOrigin(TypeSize TS, Value *OriginPtr) {
2528 if (MSV->MS.TrackOrigins) {
2529 assert(Origin);
2530 MSV->paintOrigin(IRB, Origin, OriginPtr, TS, kMinOriginAlignment);
2531 }
2532 }
2533 };
2534
2535 using ShadowAndOriginCombiner = Combiner<true>;
2536 using OriginCombiner = Combiner<false>;
2537
2538 /// Propagate origin for arbitrary operation.
2539 void setOriginForNaryOp(Instruction &I) {
2540 if (!MS.TrackOrigins)
2541 return;
2542 IRBuilder<> IRB(&I);
2543 OriginCombiner OC(this, IRB);
2544 for (Use &Op : I.operands())
2545 OC.Add(Op.get());
2546 OC.Done(&I);
2547 }
2548
2549 size_t VectorOrPrimitiveTypeSizeInBits(Type *Ty) {
2550 assert(!(Ty->isVectorTy() && Ty->getScalarType()->isPointerTy()) &&
2551 "Vector of pointers is not a valid shadow type");
2552 return Ty->isVectorTy() ? cast<FixedVectorType>(Ty)->getNumElements() *
2553 Ty->getScalarSizeInBits()
2554 : Ty->getPrimitiveSizeInBits();
2555 }
2556
2557 /// Cast between two shadow types, extending or truncating as
2558 /// necessary.
2559 Value *CreateShadowCast(IRBuilder<> &IRB, Value *V, Type *dstTy,
2560 bool Signed = false) {
2561 Type *srcTy = V->getType();
2562 if (srcTy == dstTy)
2563 return V;
2564 size_t srcSizeInBits = VectorOrPrimitiveTypeSizeInBits(srcTy);
2565 size_t dstSizeInBits = VectorOrPrimitiveTypeSizeInBits(dstTy);
2566 if (srcSizeInBits > 1 && dstSizeInBits == 1)
2567 return IRB.CreateICmpNE(V, getCleanShadow(V));
2568
2569 if (dstTy->isIntegerTy() && srcTy->isIntegerTy())
2570 return IRB.CreateIntCast(V, dstTy, Signed);
2571 if (dstTy->isVectorTy() && srcTy->isVectorTy() &&
2572 cast<VectorType>(dstTy)->getElementCount() ==
2573 cast<VectorType>(srcTy)->getElementCount())
2574 return IRB.CreateIntCast(V, dstTy, Signed);
2575 Value *V1 = IRB.CreateBitCast(V, Type::getIntNTy(*MS.C, srcSizeInBits));
2576 Value *V2 =
2577 IRB.CreateIntCast(V1, Type::getIntNTy(*MS.C, dstSizeInBits), Signed);
2578 return IRB.CreateBitCast(V2, dstTy);
2579 // TODO: handle struct types.
2580 }
2581
2582 /// Cast an application value to the type of its own shadow.
2583 Value *CreateAppToShadowCast(IRBuilder<> &IRB, Value *V) {
2584 Type *ShadowTy = getShadowTy(V);
2585 if (V->getType() == ShadowTy)
2586 return V;
2587 if (V->getType()->isPtrOrPtrVectorTy())
2588 return IRB.CreatePtrToInt(V, ShadowTy);
2589 else
2590 return IRB.CreateBitCast(V, ShadowTy);
2591 }
2592
2593 /// Propagate shadow for arbitrary operation.
2594 void handleShadowOr(Instruction &I) {
2595 IRBuilder<> IRB(&I);
2596 ShadowAndOriginCombiner SC(this, IRB);
2597 for (Use &Op : I.operands())
2598 SC.Add(Op.get());
2599 SC.Done(&I);
2600 }
2601
2602 void visitFNeg(UnaryOperator &I) { handleShadowOr(I); }
2603
2604 // Handle multiplication by constant.
2605 //
2606 // Handle a special case of multiplication by constant that may have one or
2607 // more zeros in the lower bits. This makes corresponding number of lower bits
2608 // of the result zero as well. We model it by shifting the other operand
2609 // shadow left by the required number of bits. Effectively, we transform
2610 // (X * (A * 2**B)) to ((X << B) * A) and instrument (X << B) as (Sx << B).
2611 // We use multiplication by 2**N instead of shift to cover the case of
2612 // multiplication by 0, which may occur in some elements of a vector operand.
2613 void handleMulByConstant(BinaryOperator &I, Constant *ConstArg,
2614 Value *OtherArg) {
2615 Constant *ShadowMul;
2616 Type *Ty = ConstArg->getType();
2617 if (auto *VTy = dyn_cast<VectorType>(Ty)) {
2618 unsigned NumElements = cast<FixedVectorType>(VTy)->getNumElements();
2619 Type *EltTy = VTy->getElementType();
2620 SmallVector<Constant *, 16> Elements;
2621 for (unsigned Idx = 0; Idx < NumElements; ++Idx) {
2622 if (ConstantInt *Elt =
2623 dyn_cast<ConstantInt>(ConstArg->getAggregateElement(Idx))) {
2624 const APInt &V = Elt->getValue();
2625 APInt V2 = APInt(V.getBitWidth(), 1) << V.countr_zero();
2626 Elements.push_back(ConstantInt::get(EltTy, V2));
2627 } else {
2628 Elements.push_back(ConstantInt::get(EltTy, 1));
2629 }
2630 }
2631 ShadowMul = ConstantVector::get(Elements);
2632 } else {
2633 if (ConstantInt *Elt = dyn_cast<ConstantInt>(ConstArg)) {
2634 const APInt &V = Elt->getValue();
2635 APInt V2 = APInt(V.getBitWidth(), 1) << V.countr_zero();
2636 ShadowMul = ConstantInt::get(Ty, V2);
2637 } else {
2638 ShadowMul = ConstantInt::get(Ty, 1);
2639 }
2640 }
2641
2642 IRBuilder<> IRB(&I);
2643 setShadow(&I,
2644 IRB.CreateMul(getShadow(OtherArg), ShadowMul, "msprop_mul_cst"));
2645 setOrigin(&I, getOrigin(OtherArg));
2646 }
2647
2648 void visitMul(BinaryOperator &I) {
2649 Constant *constOp0 = dyn_cast<Constant>(I.getOperand(0));
2650 Constant *constOp1 = dyn_cast<Constant>(I.getOperand(1));
2651 if (constOp0 && !constOp1)
2652 handleMulByConstant(I, constOp0, I.getOperand(1));
2653 else if (constOp1 && !constOp0)
2654 handleMulByConstant(I, constOp1, I.getOperand(0));
2655 else
2656 handleShadowOr(I);
2657 }
2658
2659 void visitFAdd(BinaryOperator &I) { handleShadowOr(I); }
2660 void visitFSub(BinaryOperator &I) { handleShadowOr(I); }
2661 void visitFMul(BinaryOperator &I) { handleShadowOr(I); }
2662 void visitAdd(BinaryOperator &I) { handleShadowOr(I); }
2663 void visitSub(BinaryOperator &I) { handleShadowOr(I); }
2664 void visitXor(BinaryOperator &I) { handleShadowOr(I); }
2665
2666 void handleIntegerDiv(Instruction &I) {
2667 IRBuilder<> IRB(&I);
2668 // Strict on the second argument.
2669 insertShadowCheck(I.getOperand(1), &I);
2670 setShadow(&I, getShadow(&I, 0));
2671 setOrigin(&I, getOrigin(&I, 0));
2672 }
2673
2674 void visitUDiv(BinaryOperator &I) { handleIntegerDiv(I); }
2675 void visitSDiv(BinaryOperator &I) { handleIntegerDiv(I); }
2676 void visitURem(BinaryOperator &I) { handleIntegerDiv(I); }
2677 void visitSRem(BinaryOperator &I) { handleIntegerDiv(I); }
2678
2679 // Floating point division is side-effect free. We can not require that the
2680 // divisor is fully initialized and must propagate shadow. See PR37523.
2681 void visitFDiv(BinaryOperator &I) { handleShadowOr(I); }
2682 void visitFRem(BinaryOperator &I) { handleShadowOr(I); }
2683
2684 /// Instrument == and != comparisons.
2685 ///
2686 /// Sometimes the comparison result is known even if some of the bits of the
2687 /// arguments are not.
2688 void handleEqualityComparison(ICmpInst &I) {
2689 IRBuilder<> IRB(&I);
2690 Value *A = I.getOperand(0);
2691 Value *B = I.getOperand(1);
2692 Value *Sa = getShadow(A);
2693 Value *Sb = getShadow(B);
2694
2695 // Get rid of pointers and vectors of pointers.
2696 // For ints (and vectors of ints), types of A and Sa match,
2697 // and this is a no-op.
2698 A = IRB.CreatePointerCast(A, Sa->getType());
2699 B = IRB.CreatePointerCast(B, Sb->getType());
2700
2701 // A == B <==> (C = A^B) == 0
2702 // A != B <==> (C = A^B) != 0
2703 // Sc = Sa | Sb
2704 Value *C = IRB.CreateXor(A, B);
2705 Value *Sc = IRB.CreateOr(Sa, Sb);
2706 // Now dealing with i = (C == 0) comparison (or C != 0, does not matter now)
2707 // Result is defined if one of the following is true
2708 // * there is a defined 1 bit in C
2709 // * C is fully defined
2710 // Si = !(C & ~Sc) && Sc
2711 Value *Zero = Constant::getNullValue(Sc->getType());
2712 Value *MinusOne = Constant::getAllOnesValue(Sc->getType());
2713 Value *LHS = IRB.CreateICmpNE(Sc, Zero);
2714 Value *RHS =
2715 IRB.CreateICmpEQ(IRB.CreateAnd(IRB.CreateXor(Sc, MinusOne), C), Zero);
2716 Value *Si = IRB.CreateAnd(LHS, RHS);
2717 Si->setName("_msprop_icmp");
2718 setShadow(&I, Si);
2719 setOriginForNaryOp(I);
2720 }
2721
2722 /// Instrument relational comparisons.
2723 ///
2724 /// This function does exact shadow propagation for all relational
2725 /// comparisons of integers, pointers and vectors of those.
2726 /// FIXME: output seems suboptimal when one of the operands is a constant
2727 void handleRelationalComparisonExact(ICmpInst &I) {
2728 IRBuilder<> IRB(&I);
2729 Value *A = I.getOperand(0);
2730 Value *B = I.getOperand(1);
2731 Value *Sa = getShadow(A);
2732 Value *Sb = getShadow(B);
2733
2734 // Get rid of pointers and vectors of pointers.
2735 // For ints (and vectors of ints), types of A and Sa match,
2736 // and this is a no-op.
2737 A = IRB.CreatePointerCast(A, Sa->getType());
2738 B = IRB.CreatePointerCast(B, Sb->getType());
2739
2740 // Let [a0, a1] be the interval of possible values of A, taking into account
2741 // its undefined bits. Let [b0, b1] be the interval of possible values of B.
2742 // Then (A cmp B) is defined iff (a0 cmp b1) == (a1 cmp b0).
2743 bool IsSigned = I.isSigned();
2744
2745 auto GetMinMaxUnsigned = [&](Value *V, Value *S) {
2746 if (IsSigned) {
2747 // Sign-flip to map from signed range to unsigned range. Relation A vs B
2748 // should be preserved, if checked with `getUnsignedPredicate()`.
2749 // Relationship between Amin, Amax, Bmin, Bmax also will not be
2750 // affected, as they are created by effectively adding/substructing from
2751 // A (or B) a value, derived from shadow, with no overflow, either
2752 // before or after sign flip.
2753 APInt MinVal =
2754 APInt::getSignedMinValue(V->getType()->getScalarSizeInBits());
2755 V = IRB.CreateXor(V, ConstantInt::get(V->getType(), MinVal));
2756 }
2757 // Minimize undefined bits.
2758 Value *Min = IRB.CreateAnd(V, IRB.CreateNot(S));
2759 Value *Max = IRB.CreateOr(V, S);
2760 return std::make_pair(Min, Max);
2761 };
2762
2763 auto [Amin, Amax] = GetMinMaxUnsigned(A, Sa);
2764 auto [Bmin, Bmax] = GetMinMaxUnsigned(B, Sb);
2765 Value *S1 = IRB.CreateICmp(I.getUnsignedPredicate(), Amin, Bmax);
2766 Value *S2 = IRB.CreateICmp(I.getUnsignedPredicate(), Amax, Bmin);
2767
2768 Value *Si = IRB.CreateXor(S1, S2);
2769 setShadow(&I, Si);
2770 setOriginForNaryOp(I);
2771 }
2772
2773 /// Instrument signed relational comparisons.
2774 ///
2775 /// Handle sign bit tests: x<0, x>=0, x<=-1, x>-1 by propagating the highest
2776 /// bit of the shadow. Everything else is delegated to handleShadowOr().
2777 void handleSignedRelationalComparison(ICmpInst &I) {
2778 Constant *constOp;
2779 Value *op = nullptr;
2780 CmpInst::Predicate pre;
2781 if ((constOp = dyn_cast<Constant>(I.getOperand(1)))) {
2782 op = I.getOperand(0);
2783 pre = I.getPredicate();
2784 } else if ((constOp = dyn_cast<Constant>(I.getOperand(0)))) {
2785 op = I.getOperand(1);
2786 pre = I.getSwappedPredicate();
2787 } else {
2788 handleShadowOr(I);
2789 return;
2790 }
2791
2792 if ((constOp->isNullValue() &&
2793 (pre == CmpInst::ICMP_SLT || pre == CmpInst::ICMP_SGE)) ||
2794 (constOp->isAllOnesValue() &&
2795 (pre == CmpInst::ICMP_SGT || pre == CmpInst::ICMP_SLE))) {
2796 IRBuilder<> IRB(&I);
2797 Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op),
2798 "_msprop_icmp_s");
2799 setShadow(&I, Shadow);
2800 setOrigin(&I, getOrigin(op));
2801 } else {
2802 handleShadowOr(I);
2803 }
2804 }
2805
2806 void visitICmpInst(ICmpInst &I) {
2807 if (!ClHandleICmp) {
2808 handleShadowOr(I);
2809 return;
2810 }
2811 if (I.isEquality()) {
2812 handleEqualityComparison(I);
2813 return;
2814 }
2815
2816 assert(I.isRelational());
2817 if (ClHandleICmpExact) {
2818 handleRelationalComparisonExact(I);
2819 return;
2820 }
2821 if (I.isSigned()) {
2822 handleSignedRelationalComparison(I);
2823 return;
2824 }
2825
2826 assert(I.isUnsigned());
2827 if ((isa<Constant>(I.getOperand(0)) || isa<Constant>(I.getOperand(1)))) {
2828 handleRelationalComparisonExact(I);
2829 return;
2830 }
2831
2832 handleShadowOr(I);
2833 }
2834
2835 void visitFCmpInst(FCmpInst &I) { handleShadowOr(I); }
2836
2837 void handleShift(BinaryOperator &I) {
2838 IRBuilder<> IRB(&I);
2839 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2840 // Otherwise perform the same shift on S1.
2841 Value *S1 = getShadow(&I, 0);
2842 Value *S2 = getShadow(&I, 1);
2843 Value *S2Conv =
2844 IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)), S2->getType());
2845 Value *V2 = I.getOperand(1);
2846 Value *Shift = IRB.CreateBinOp(I.getOpcode(), S1, V2);
2847 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2848 setOriginForNaryOp(I);
2849 }
2850
2851 void visitShl(BinaryOperator &I) { handleShift(I); }
2852 void visitAShr(BinaryOperator &I) { handleShift(I); }
2853 void visitLShr(BinaryOperator &I) { handleShift(I); }
2854
2855 void handleFunnelShift(IntrinsicInst &I) {
2856 IRBuilder<> IRB(&I);
2857 // If any of the S2 bits are poisoned, the whole thing is poisoned.
2858 // Otherwise perform the same shift on S0 and S1.
2859 Value *S0 = getShadow(&I, 0);
2860 Value *S1 = getShadow(&I, 1);
2861 Value *S2 = getShadow(&I, 2);
2862 Value *S2Conv =
2863 IRB.CreateSExt(IRB.CreateICmpNE(S2, getCleanShadow(S2)), S2->getType());
2864 Value *V2 = I.getOperand(2);
2865 Value *Shift = IRB.CreateIntrinsic(I.getIntrinsicID(), S2Conv->getType(),
2866 {S0, S1, V2});
2867 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
2868 setOriginForNaryOp(I);
2869 }
2870
2871 /// Instrument llvm.memmove
2872 ///
2873 /// At this point we don't know if llvm.memmove will be inlined or not.
2874 /// If we don't instrument it and it gets inlined,
2875 /// our interceptor will not kick in and we will lose the memmove.
2876 /// If we instrument the call here, but it does not get inlined,
2877 /// we will memove the shadow twice: which is bad in case
2878 /// of overlapping regions. So, we simply lower the intrinsic to a call.
2879 ///
2880 /// Similar situation exists for memcpy and memset.
2881 void visitMemMoveInst(MemMoveInst &I) {
2882 getShadow(I.getArgOperand(1)); // Ensure shadow initialized
2883 IRBuilder<> IRB(&I);
2884 IRB.CreateCall(MS.MemmoveFn,
2885 {I.getArgOperand(0), I.getArgOperand(1),
2886 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2887 I.eraseFromParent();
2888 }
2889
2890 /// Instrument memcpy
2891 ///
2892 /// Similar to memmove: avoid copying shadow twice. This is somewhat
2893 /// unfortunate as it may slowdown small constant memcpys.
2894 /// FIXME: consider doing manual inline for small constant sizes and proper
2895 /// alignment.
2896 ///
2897 /// Note: This also handles memcpy.inline, which promises no calls to external
2898 /// functions as an optimization. However, with instrumentation enabled this
2899 /// is difficult to promise; additionally, we know that the MSan runtime
2900 /// exists and provides __msan_memcpy(). Therefore, we assume that with
2901 /// instrumentation it's safe to turn memcpy.inline into a call to
2902 /// __msan_memcpy(). Should this be wrong, such as when implementing memcpy()
2903 /// itself, instrumentation should be disabled with the no_sanitize attribute.
2904 void visitMemCpyInst(MemCpyInst &I) {
2905 getShadow(I.getArgOperand(1)); // Ensure shadow initialized
2906 IRBuilder<> IRB(&I);
2907 IRB.CreateCall(MS.MemcpyFn,
2908 {I.getArgOperand(0), I.getArgOperand(1),
2909 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2910 I.eraseFromParent();
2911 }
2912
2913 // Same as memcpy.
2914 void visitMemSetInst(MemSetInst &I) {
2915 IRBuilder<> IRB(&I);
2916 IRB.CreateCall(
2917 MS.MemsetFn,
2918 {I.getArgOperand(0),
2919 IRB.CreateIntCast(I.getArgOperand(1), IRB.getInt32Ty(), false),
2920 IRB.CreateIntCast(I.getArgOperand(2), MS.IntptrTy, false)});
2921 I.eraseFromParent();
2922 }
2923
2924 void visitVAStartInst(VAStartInst &I) { VAHelper->visitVAStartInst(I); }
2925
2926 void visitVACopyInst(VACopyInst &I) { VAHelper->visitVACopyInst(I); }
2927
2928 /// Handle vector store-like intrinsics.
2929 ///
2930 /// Instrument intrinsics that look like a simple SIMD store: writes memory,
2931 /// has 1 pointer argument and 1 vector argument, returns void.
2932 bool handleVectorStoreIntrinsic(IntrinsicInst &I) {
2933 IRBuilder<> IRB(&I);
2934 Value *Addr = I.getArgOperand(0);
2935 Value *Shadow = getShadow(&I, 1);
2936 Value *ShadowPtr, *OriginPtr;
2937
2938 // We don't know the pointer alignment (could be unaligned SSE store!).
2939 // Have to assume to worst case.
2940 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
2941 Addr, IRB, Shadow->getType(), Align(1), /*isStore*/ true);
2942 IRB.CreateAlignedStore(Shadow, ShadowPtr, Align(1));
2943
2944 if (ClCheckAccessAddress)
2945 insertShadowCheck(Addr, &I);
2946
2947 // FIXME: factor out common code from materializeStores
2948 if (MS.TrackOrigins)
2949 IRB.CreateStore(getOrigin(&I, 1), OriginPtr);
2950 return true;
2951 }
2952
2953 /// Handle vector load-like intrinsics.
2954 ///
2955 /// Instrument intrinsics that look like a simple SIMD load: reads memory,
2956 /// has 1 pointer argument, returns a vector.
2957 bool handleVectorLoadIntrinsic(IntrinsicInst &I) {
2958 IRBuilder<> IRB(&I);
2959 Value *Addr = I.getArgOperand(0);
2960
2961 Type *ShadowTy = getShadowTy(&I);
2962 Value *ShadowPtr = nullptr, *OriginPtr = nullptr;
2963 if (PropagateShadow) {
2964 // We don't know the pointer alignment (could be unaligned SSE load!).
2965 // Have to assume to worst case.
2966 const Align Alignment = Align(1);
2967 std::tie(ShadowPtr, OriginPtr) =
2968 getShadowOriginPtr(Addr, IRB, ShadowTy, Alignment, /*isStore*/ false);
2969 setShadow(&I,
2970 IRB.CreateAlignedLoad(ShadowTy, ShadowPtr, Alignment, "_msld"));
2971 } else {
2972 setShadow(&I, getCleanShadow(&I));
2973 }
2974
2975 if (ClCheckAccessAddress)
2976 insertShadowCheck(Addr, &I);
2977
2978 if (MS.TrackOrigins) {
2979 if (PropagateShadow)
2980 setOrigin(&I, IRB.CreateLoad(MS.OriginTy, OriginPtr));
2981 else
2982 setOrigin(&I, getCleanOrigin());
2983 }
2984 return true;
2985 }
2986
2987 /// Handle (SIMD arithmetic)-like intrinsics.
2988 ///
2989 /// Instrument intrinsics with any number of arguments of the same type,
2990 /// equal to the return type. The type should be simple (no aggregates or
2991 /// pointers; vectors are fine).
2992 /// Caller guarantees that this intrinsic does not access memory.
2993 bool maybeHandleSimpleNomemIntrinsic(IntrinsicInst &I) {
2994 Type *RetTy = I.getType();
2995 if (!(RetTy->isIntOrIntVectorTy() || RetTy->isFPOrFPVectorTy()))
2996 return false;
2997
2998 unsigned NumArgOperands = I.arg_size();
2999 for (unsigned i = 0; i < NumArgOperands; ++i) {
3000 Type *Ty = I.getArgOperand(i)->getType();
3001 if (Ty != RetTy)
3002 return false;
3003 }
3004
3005 IRBuilder<> IRB(&I);
3006 ShadowAndOriginCombiner SC(this, IRB);
3007 for (unsigned i = 0; i < NumArgOperands; ++i)
3008 SC.Add(I.getArgOperand(i));
3009 SC.Done(&I);
3010
3011 return true;
3012 }
3013
3014 /// Heuristically instrument unknown intrinsics.
3015 ///
3016 /// The main purpose of this code is to do something reasonable with all
3017 /// random intrinsics we might encounter, most importantly - SIMD intrinsics.
3018 /// We recognize several classes of intrinsics by their argument types and
3019 /// ModRefBehaviour and apply special instrumentation when we are reasonably
3020 /// sure that we know what the intrinsic does.
3021 ///
3022 /// We special-case intrinsics where this approach fails. See llvm.bswap
3023 /// handling as an example of that.
3024 bool handleUnknownIntrinsicUnlogged(IntrinsicInst &I) {
3025 unsigned NumArgOperands = I.arg_size();
3026 if (NumArgOperands == 0)
3027 return false;
3028
3029 if (NumArgOperands == 2 && I.getArgOperand(0)->getType()->isPointerTy() &&
3030 I.getArgOperand(1)->getType()->isVectorTy() &&
3031 I.getType()->isVoidTy() && !I.onlyReadsMemory()) {
3032 // This looks like a vector store.
3033 return handleVectorStoreIntrinsic(I);
3034 }
3035
3036 if (NumArgOperands == 1 && I.getArgOperand(0)->getType()->isPointerTy() &&
3037 I.getType()->isVectorTy() && I.onlyReadsMemory()) {
3038 // This looks like a vector load.
3039 return handleVectorLoadIntrinsic(I);
3040 }
3041
3042 if (I.doesNotAccessMemory())
3043 if (maybeHandleSimpleNomemIntrinsic(I))
3044 return true;
3045
3046 // FIXME: detect and handle SSE maskstore/maskload
3047 return false;
3048 }
3049
3050 bool handleUnknownIntrinsic(IntrinsicInst &I) {
3051 if (handleUnknownIntrinsicUnlogged(I)) {
3052 if (ClDumpStrictIntrinsics)
3053 dumpInst(I);
3054
3055 LLVM_DEBUG(dbgs() << "UNKNOWN INTRINSIC HANDLED HEURISTICALLY: " << I
3056 << "\n");
3057 return true;
3058 } else
3059 return false;
3060 }
3061
3062 void handleInvariantGroup(IntrinsicInst &I) {
3063 setShadow(&I, getShadow(&I, 0));
3064 setOrigin(&I, getOrigin(&I, 0));
3065 }
3066
3067 void handleLifetimeStart(IntrinsicInst &I) {
3068 if (!PoisonStack)
3069 return;
3070 AllocaInst *AI = llvm::findAllocaForValue(I.getArgOperand(1));
3071 if (!AI)
3072 InstrumentLifetimeStart = false;
3073 LifetimeStartList.push_back(std::make_pair(&I, AI));
3074 }
3075
3076 void handleBswap(IntrinsicInst &I) {
3077 IRBuilder<> IRB(&I);
3078 Value *Op = I.getArgOperand(0);
3079 Type *OpType = Op->getType();
3080 setShadow(&I, IRB.CreateIntrinsic(Intrinsic::bswap, ArrayRef(&OpType, 1),
3081 getShadow(Op)));
3082 setOrigin(&I, getOrigin(Op));
3083 }
3084
3085 void handleCountZeroes(IntrinsicInst &I) {
3086 IRBuilder<> IRB(&I);
3087 Value *Src = I.getArgOperand(0);
3088
3089 // Set the Output shadow based on input Shadow
3090 Value *BoolShadow = IRB.CreateIsNotNull(getShadow(Src), "_mscz_bs");
3091
3092 // If zero poison is requested, mix in with the shadow
3093 Constant *IsZeroPoison = cast<Constant>(I.getOperand(1));
3094 if (!IsZeroPoison->isZeroValue()) {
3095 Value *BoolZeroPoison = IRB.CreateIsNull(Src, "_mscz_bzp");
3096 BoolShadow = IRB.CreateOr(BoolShadow, BoolZeroPoison, "_mscz_bs");
3097 }
3098
3099 Value *OutputShadow =
3100 IRB.CreateSExt(BoolShadow, getShadowTy(Src), "_mscz_os");
3101
3102 setShadow(&I, OutputShadow);
3103 setOriginForNaryOp(I);
3104 }
3105
3106 // Instrument vector convert intrinsic.
3107 //
3108 // This function instruments intrinsics like cvtsi2ss:
3109 // %Out = int_xxx_cvtyyy(%ConvertOp)
3110 // or
3111 // %Out = int_xxx_cvtyyy(%CopyOp, %ConvertOp)
3112 // Intrinsic converts \p NumUsedElements elements of \p ConvertOp to the same
3113 // number \p Out elements, and (if has 2 arguments) copies the rest of the
3114 // elements from \p CopyOp.
3115 // In most cases conversion involves floating-point value which may trigger a
3116 // hardware exception when not fully initialized. For this reason we require
3117 // \p ConvertOp[0:NumUsedElements] to be fully initialized and trap otherwise.
3118 // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
3119 // Out[NumUsedElements:]. This means that intrinsics without \p CopyOp always
3120 // return a fully initialized value.
3121 void handleVectorConvertIntrinsic(IntrinsicInst &I, int NumUsedElements,
3122 bool HasRoundingMode = false) {
3123 IRBuilder<> IRB(&I);
3124 Value *CopyOp, *ConvertOp;
3125
3126 assert((!HasRoundingMode ||
3127 isa<ConstantInt>(I.getArgOperand(I.arg_size() - 1))) &&
3128 "Invalid rounding mode");
3129
3130 switch (I.arg_size() - HasRoundingMode) {
3131 case 2:
3132 CopyOp = I.getArgOperand(0);
3133 ConvertOp = I.getArgOperand(1);
3134 break;
3135 case 1:
3136 ConvertOp = I.getArgOperand(0);
3137 CopyOp = nullptr;
3138 break;
3139 default:
3140 llvm_unreachable("Cvt intrinsic with unsupported number of arguments.");
3141 }
3142
3143 // The first *NumUsedElements* elements of ConvertOp are converted to the
3144 // same number of output elements. The rest of the output is copied from
3145 // CopyOp, or (if not available) filled with zeroes.
3146 // Combine shadow for elements of ConvertOp that are used in this operation,
3147 // and insert a check.
3148 // FIXME: consider propagating shadow of ConvertOp, at least in the case of
3149 // int->any conversion.
3150 Value *ConvertShadow = getShadow(ConvertOp);
3151 Value *AggShadow = nullptr;
3152 if (ConvertOp->getType()->isVectorTy()) {
3153 AggShadow = IRB.CreateExtractElement(
3154 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), 0));
3155 for (int i = 1; i < NumUsedElements; ++i) {
3156 Value *MoreShadow = IRB.CreateExtractElement(
3157 ConvertShadow, ConstantInt::get(IRB.getInt32Ty(), i));
3158 AggShadow = IRB.CreateOr(AggShadow, MoreShadow);
3159 }
3160 } else {
3161 AggShadow = ConvertShadow;
3162 }
3163 assert(AggShadow->getType()->isIntegerTy());
3164 insertShadowCheck(AggShadow, getOrigin(ConvertOp), &I);
3165
3166 // Build result shadow by zero-filling parts of CopyOp shadow that come from
3167 // ConvertOp.
3168 if (CopyOp) {
3169 assert(CopyOp->getType() == I.getType());
3170 assert(CopyOp->getType()->isVectorTy());
3171 Value *ResultShadow = getShadow(CopyOp);
3172 Type *EltTy = cast<VectorType>(ResultShadow->getType())->getElementType();
3173 for (int i = 0; i < NumUsedElements; ++i) {
3174 ResultShadow = IRB.CreateInsertElement(
3175 ResultShadow, ConstantInt::getNullValue(EltTy),
3176 ConstantInt::get(IRB.getInt32Ty(), i));
3177 }
3178 setShadow(&I, ResultShadow);
3179 setOrigin(&I, getOrigin(CopyOp));
3180 } else {
3181 setShadow(&I, getCleanShadow(&I));
3182 setOrigin(&I, getCleanOrigin());
3183 }
3184 }
3185
3186 // Given a scalar or vector, extract lower 64 bits (or less), and return all
3187 // zeroes if it is zero, and all ones otherwise.
3188 Value *Lower64ShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
3189 if (S->getType()->isVectorTy())
3190 S = CreateShadowCast(IRB, S, IRB.getInt64Ty(), /* Signed */ true);
3191 assert(S->getType()->getPrimitiveSizeInBits() <= 64);
3192 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
3193 return CreateShadowCast(IRB, S2, T, /* Signed */ true);
3194 }
3195
3196 // Given a vector, extract its first element, and return all
3197 // zeroes if it is zero, and all ones otherwise.
3198 Value *LowerElementShadowExtend(IRBuilder<> &IRB, Value *S, Type *T) {
3199 Value *S1 = IRB.CreateExtractElement(S, (uint64_t)0);
3200 Value *S2 = IRB.CreateICmpNE(S1, getCleanShadow(S1));
3201 return CreateShadowCast(IRB, S2, T, /* Signed */ true);
3202 }
3203
3204 Value *VariableShadowExtend(IRBuilder<> &IRB, Value *S) {
3205 Type *T = S->getType();
3206 assert(T->isVectorTy());
3207 Value *S2 = IRB.CreateICmpNE(S, getCleanShadow(S));
3208 return IRB.CreateSExt(S2, T);
3209 }
3210
3211 // Instrument vector shift intrinsic.
3212 //
3213 // This function instruments intrinsics like int_x86_avx2_psll_w.
3214 // Intrinsic shifts %In by %ShiftSize bits.
3215 // %ShiftSize may be a vector. In that case the lower 64 bits determine shift
3216 // size, and the rest is ignored. Behavior is defined even if shift size is
3217 // greater than register (or field) width.
3218 void handleVectorShiftIntrinsic(IntrinsicInst &I, bool Variable) {
3219 assert(I.arg_size() == 2);
3220 IRBuilder<> IRB(&I);
3221 // If any of the S2 bits are poisoned, the whole thing is poisoned.
3222 // Otherwise perform the same shift on S1.
3223 Value *S1 = getShadow(&I, 0);
3224 Value *S2 = getShadow(&I, 1);
3225 Value *S2Conv = Variable ? VariableShadowExtend(IRB, S2)
3226 : Lower64ShadowExtend(IRB, S2, getShadowTy(&I));
3227 Value *V1 = I.getOperand(0);
3228 Value *V2 = I.getOperand(1);
3229 Value *Shift = IRB.CreateCall(I.getFunctionType(), I.getCalledOperand(),
3230 {IRB.CreateBitCast(S1, V1->getType()), V2});
3231 Shift = IRB.CreateBitCast(Shift, getShadowTy(&I));
3232 setShadow(&I, IRB.CreateOr(Shift, S2Conv));
3233 setOriginForNaryOp(I);
3234 }
3235
3236 // Get an MMX-sized vector type.
3237 Type *getMMXVectorTy(unsigned EltSizeInBits) {
3238 const unsigned X86_MMXSizeInBits = 64;
3239 assert(EltSizeInBits != 0 && (X86_MMXSizeInBits % EltSizeInBits) == 0 &&
3240 "Illegal MMX vector element size");
3241 return FixedVectorType::get(IntegerType::get(*MS.C, EltSizeInBits),
3242 X86_MMXSizeInBits / EltSizeInBits);
3243 }
3244
3245 // Returns a signed counterpart for an (un)signed-saturate-and-pack
3246 // intrinsic.
3247 Intrinsic::ID getSignedPackIntrinsic(Intrinsic::ID id) {
3248 switch (id) {
3249 case Intrinsic::x86_sse2_packsswb_128:
3250 case Intrinsic::x86_sse2_packuswb_128:
3251 return Intrinsic::x86_sse2_packsswb_128;
3252
3253 case Intrinsic::x86_sse2_packssdw_128:
3254 case Intrinsic::x86_sse41_packusdw:
3255 return Intrinsic::x86_sse2_packssdw_128;
3256
3257 case Intrinsic::x86_avx2_packsswb:
3258 case Intrinsic::x86_avx2_packuswb:
3259 return Intrinsic::x86_avx2_packsswb;
3260
3261 case Intrinsic::x86_avx2_packssdw:
3262 case Intrinsic::x86_avx2_packusdw:
3263 return Intrinsic::x86_avx2_packssdw;
3264
3265 case Intrinsic::x86_mmx_packsswb:
3266 case Intrinsic::x86_mmx_packuswb:
3267 return Intrinsic::x86_mmx_packsswb;
3268
3269 case Intrinsic::x86_mmx_packssdw:
3270 return Intrinsic::x86_mmx_packssdw;
3271 default:
3272 llvm_unreachable("unexpected intrinsic id");
3273 }
3274 }
3275
3276 // Instrument vector pack intrinsic.
3277 //
3278 // This function instruments intrinsics like x86_mmx_packsswb, that
3279 // packs elements of 2 input vectors into half as many bits with saturation.
3280 // Shadow is propagated with the signed variant of the same intrinsic applied
3281 // to sext(Sa != zeroinitializer), sext(Sb != zeroinitializer).
3282 // MMXEltSizeInBits is used only for x86mmx arguments.
3283 void handleVectorPackIntrinsic(IntrinsicInst &I,
3284 unsigned MMXEltSizeInBits = 0) {
3285 assert(I.arg_size() == 2);
3286 IRBuilder<> IRB(&I);
3287 Value *S1 = getShadow(&I, 0);
3288 Value *S2 = getShadow(&I, 1);
3289 assert(S1->getType()->isVectorTy());
3290
3291 // SExt and ICmpNE below must apply to individual elements of input vectors.
3292 // In case of x86mmx arguments, cast them to appropriate vector types and
3293 // back.
3294 Type *T =
3295 MMXEltSizeInBits ? getMMXVectorTy(MMXEltSizeInBits) : S1->getType();
3296 if (MMXEltSizeInBits) {
3297 S1 = IRB.CreateBitCast(S1, T);
3298 S2 = IRB.CreateBitCast(S2, T);
3299 }
3300 Value *S1_ext =
3301 IRB.CreateSExt(IRB.CreateICmpNE(S1, Constant::getNullValue(T)), T);
3302 Value *S2_ext =
3303 IRB.CreateSExt(IRB.CreateICmpNE(S2, Constant::getNullValue(T)), T);
3304 if (MMXEltSizeInBits) {
3305 S1_ext = IRB.CreateBitCast(S1_ext, getMMXVectorTy(64));
3306 S2_ext = IRB.CreateBitCast(S2_ext, getMMXVectorTy(64));
3307 }
3308
3309 Value *S = IRB.CreateIntrinsic(getSignedPackIntrinsic(I.getIntrinsicID()),
3310 {}, {S1_ext, S2_ext}, /*FMFSource=*/nullptr,
3311 "_msprop_vector_pack");
3312 if (MMXEltSizeInBits)
3313 S = IRB.CreateBitCast(S, getShadowTy(&I));
3314 setShadow(&I, S);
3315 setOriginForNaryOp(I);
3316 }
3317
3318 // Convert `Mask` into `<n x i1>`.
3319 Constant *createDppMask(unsigned Width, unsigned Mask) {
3320 SmallVector<Constant *, 4> R(Width);
3321 for (auto &M : R) {
3322 M = ConstantInt::getBool(F.getContext(), Mask & 1);
3323 Mask >>= 1;
3324 }
3325 return ConstantVector::get(R);
3326 }
3327
3328 // Calculate output shadow as array of booleans `<n x i1>`, assuming if any
3329 // arg is poisoned, entire dot product is poisoned.
3330 Value *findDppPoisonedOutput(IRBuilder<> &IRB, Value *S, unsigned SrcMask,
3331 unsigned DstMask) {
3332 const unsigned Width =
3333 cast<FixedVectorType>(S->getType())->getNumElements();
3334
3335 S = IRB.CreateSelect(createDppMask(Width, SrcMask), S,
3336 Constant::getNullValue(S->getType()));
3337 Value *SElem = IRB.CreateOrReduce(S);
3338 Value *IsClean = IRB.CreateIsNull(SElem, "_msdpp");
3339 Value *DstMaskV = createDppMask(Width, DstMask);
3340
3341 return IRB.CreateSelect(
3342 IsClean, Constant::getNullValue(DstMaskV->getType()), DstMaskV);
3343 }
3344
3345 // See `Intel Intrinsics Guide` for `_dp_p*` instructions.
3346 //
3347 // 2 and 4 element versions produce single scalar of dot product, and then
3348 // puts it into elements of output vector, selected by 4 lowest bits of the
3349 // mask. Top 4 bits of the mask control which elements of input to use for dot
3350 // product.
3351 //
3352 // 8 element version mask still has only 4 bit for input, and 4 bit for output
3353 // mask. According to the spec it just operates as 4 element version on first
3354 // 4 elements of inputs and output, and then on last 4 elements of inputs and
3355 // output.
3356 void handleDppIntrinsic(IntrinsicInst &I) {
3357 IRBuilder<> IRB(&I);
3358
3359 Value *S0 = getShadow(&I, 0);
3360 Value *S1 = getShadow(&I, 1);
3361 Value *S = IRB.CreateOr(S0, S1);
3362
3363 const unsigned Width =
3364 cast<FixedVectorType>(S->getType())->getNumElements();
3365 assert(Width == 2 || Width == 4 || Width == 8);
3366
3367 const unsigned Mask = cast<ConstantInt>(I.getArgOperand(2))->getZExtValue();
3368 const unsigned SrcMask = Mask >> 4;
3369 const unsigned DstMask = Mask & 0xf;
3370
3371 // Calculate shadow as `<n x i1>`.
3372 Value *SI1 = findDppPoisonedOutput(IRB, S, SrcMask, DstMask);
3373 if (Width == 8) {
3374 // First 4 elements of shadow are already calculated. `makeDppShadow`
3375 // operats on 32 bit masks, so we can just shift masks, and repeat.
3376 SI1 = IRB.CreateOr(
3377 SI1, findDppPoisonedOutput(IRB, S, SrcMask << 4, DstMask << 4));
3378 }
3379 // Extend to real size of shadow, poisoning either all or none bits of an
3380 // element.
3381 S = IRB.CreateSExt(SI1, S->getType(), "_msdpp");
3382
3383 setShadow(&I, S);
3384 setOriginForNaryOp(I);
3385 }
3386
3387 Value *convertBlendvToSelectMask(IRBuilder<> &IRB, Value *C) {
3388 C = CreateAppToShadowCast(IRB, C);
3389 FixedVectorType *FVT = cast<FixedVectorType>(C->getType());
3390 unsigned ElSize = FVT->getElementType()->getPrimitiveSizeInBits();
3391 C = IRB.CreateAShr(C, ElSize - 1);
3392 FVT = FixedVectorType::get(IRB.getInt1Ty(), FVT->getNumElements());
3393 return IRB.CreateTrunc(C, FVT);
3394 }
3395
3396 // `blendv(f, t, c)` is effectively `select(c[top_bit], t, f)`.
3397 void handleBlendvIntrinsic(IntrinsicInst &I) {
3398 Value *C = I.getOperand(2);
3399 Value *T = I.getOperand(1);
3400 Value *F = I.getOperand(0);
3401
3402 Value *Sc = getShadow(&I, 2);
3403 Value *Oc = MS.TrackOrigins ? getOrigin(C) : nullptr;
3404
3405 {
3406 IRBuilder<> IRB(&I);
3407 // Extract top bit from condition and its shadow.
3408 C = convertBlendvToSelectMask(IRB, C);
3409 Sc = convertBlendvToSelectMask(IRB, Sc);
3410
3411 setShadow(C, Sc);
3412 setOrigin(C, Oc);
3413 }
3414
3415 handleSelectLikeInst(I, C, T, F);
3416 }
3417
3418 // Instrument sum-of-absolute-differences intrinsic.
3419 void handleVectorSadIntrinsic(IntrinsicInst &I, bool IsMMX = false) {
3420 const unsigned SignificantBitsPerResultElement = 16;
3421 Type *ResTy = IsMMX ? IntegerType::get(*MS.C, 64) : I.getType();
3422 unsigned ZeroBitsPerResultElement =
3423 ResTy->getScalarSizeInBits() - SignificantBitsPerResultElement;
3424
3425 IRBuilder<> IRB(&I);
3426 auto *Shadow0 = getShadow(&I, 0);
3427 auto *Shadow1 = getShadow(&I, 1);
3428 Value *S = IRB.CreateOr(Shadow0, Shadow1);
3429 S = IRB.CreateBitCast(S, ResTy);
3430 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
3431 ResTy);
3432 S = IRB.CreateLShr(S, ZeroBitsPerResultElement);
3433 S = IRB.CreateBitCast(S, getShadowTy(&I));
3434 setShadow(&I, S);
3435 setOriginForNaryOp(I);
3436 }
3437
3438 // Instrument multiply-add intrinsic.
3439 void handleVectorPmaddIntrinsic(IntrinsicInst &I,
3440 unsigned MMXEltSizeInBits = 0) {
3441 Type *ResTy =
3442 MMXEltSizeInBits ? getMMXVectorTy(MMXEltSizeInBits * 2) : I.getType();
3443 IRBuilder<> IRB(&I);
3444 auto *Shadow0 = getShadow(&I, 0);
3445 auto *Shadow1 = getShadow(&I, 1);
3446 Value *S = IRB.CreateOr(Shadow0, Shadow1);
3447 S = IRB.CreateBitCast(S, ResTy);
3448 S = IRB.CreateSExt(IRB.CreateICmpNE(S, Constant::getNullValue(ResTy)),
3449 ResTy);
3450 S = IRB.CreateBitCast(S, getShadowTy(&I));
3451 setShadow(&I, S);
3452 setOriginForNaryOp(I);
3453 }
3454
3455 // Instrument compare-packed intrinsic.
3456 // Basically, an or followed by sext(icmp ne 0) to end up with all-zeros or
3457 // all-ones shadow.
3458 void handleVectorComparePackedIntrinsic(IntrinsicInst &I) {
3459 IRBuilder<> IRB(&I);
3460 Type *ResTy = getShadowTy(&I);
3461 auto *Shadow0 = getShadow(&I, 0);
3462 auto *Shadow1 = getShadow(&I, 1);
3463 Value *S0 = IRB.CreateOr(Shadow0, Shadow1);
3464 Value *S = IRB.CreateSExt(
3465 IRB.CreateICmpNE(S0, Constant::getNullValue(ResTy)), ResTy);
3466 setShadow(&I, S);
3467 setOriginForNaryOp(I);
3468 }
3469
3470 // Instrument compare-scalar intrinsic.
3471 // This handles both cmp* intrinsics which return the result in the first
3472 // element of a vector, and comi* which return the result as i32.
3473 void handleVectorCompareScalarIntrinsic(IntrinsicInst &I) {
3474 IRBuilder<> IRB(&I);
3475 auto *Shadow0 = getShadow(&I, 0);
3476 auto *Shadow1 = getShadow(&I, 1);
3477 Value *S0 = IRB.CreateOr(Shadow0, Shadow1);
3478 Value *S = LowerElementShadowExtend(IRB, S0, getShadowTy(&I));
3479 setShadow(&I, S);
3480 setOriginForNaryOp(I);
3481 }
3482
3483 // Instrument generic vector reduction intrinsics
3484 // by ORing together all their fields.
3485 void handleVectorReduceIntrinsic(IntrinsicInst &I) {
3486 IRBuilder<> IRB(&I);
3487 Value *S = IRB.CreateOrReduce(getShadow(&I, 0));
3488 setShadow(&I, S);
3489 setOrigin(&I, getOrigin(&I, 0));
3490 }
3491
3492 // Instrument vector.reduce.or intrinsic.
3493 // Valid (non-poisoned) set bits in the operand pull low the
3494 // corresponding shadow bits.
3495 void handleVectorReduceOrIntrinsic(IntrinsicInst &I) {
3496 IRBuilder<> IRB(&I);
3497 Value *OperandShadow = getShadow(&I, 0);
3498 Value *OperandUnsetBits = IRB.CreateNot(I.getOperand(0));
3499 Value *OperandUnsetOrPoison = IRB.CreateOr(OperandUnsetBits, OperandShadow);
3500 // Bit N is clean if any field's bit N is 1 and unpoison
3501 Value *OutShadowMask = IRB.CreateAndReduce(OperandUnsetOrPoison);
3502 // Otherwise, it is clean if every field's bit N is unpoison
3503 Value *OrShadow = IRB.CreateOrReduce(OperandShadow);
3504 Value *S = IRB.CreateAnd(OutShadowMask, OrShadow);
3505
3506 setShadow(&I, S);
3507 setOrigin(&I, getOrigin(&I, 0));
3508 }
3509
3510 // Instrument vector.reduce.and intrinsic.
3511 // Valid (non-poisoned) unset bits in the operand pull down the
3512 // corresponding shadow bits.
3513 void handleVectorReduceAndIntrinsic(IntrinsicInst &I) {
3514 IRBuilder<> IRB(&I);
3515 Value *OperandShadow = getShadow(&I, 0);
3516 Value *OperandSetOrPoison = IRB.CreateOr(I.getOperand(0), OperandShadow);
3517 // Bit N is clean if any field's bit N is 0 and unpoison
3518 Value *OutShadowMask = IRB.CreateAndReduce(OperandSetOrPoison);
3519 // Otherwise, it is clean if every field's bit N is unpoison
3520 Value *OrShadow = IRB.CreateOrReduce(OperandShadow);
3521 Value *S = IRB.CreateAnd(OutShadowMask, OrShadow);
3522
3523 setShadow(&I, S);
3524 setOrigin(&I, getOrigin(&I, 0));
3525 }
3526
3527 void handleStmxcsr(IntrinsicInst &I) {
3528 IRBuilder<> IRB(&I);
3529 Value *Addr = I.getArgOperand(0);
3530 Type *Ty = IRB.getInt32Ty();
3531 Value *ShadowPtr =
3532 getShadowOriginPtr(Addr, IRB, Ty, Align(1), /*isStore*/ true).first;
3533
3534 IRB.CreateStore(getCleanShadow(Ty), ShadowPtr);
3535
3536 if (ClCheckAccessAddress)
3537 insertShadowCheck(Addr, &I);
3538 }
3539
3540 void handleLdmxcsr(IntrinsicInst &I) {
3541 if (!InsertChecks)
3542 return;
3543
3544 IRBuilder<> IRB(&I);
3545 Value *Addr = I.getArgOperand(0);
3546 Type *Ty = IRB.getInt32Ty();
3547 const Align Alignment = Align(1);
3548 Value *ShadowPtr, *OriginPtr;
3549 std::tie(ShadowPtr, OriginPtr) =
3550 getShadowOriginPtr(Addr, IRB, Ty, Alignment, /*isStore*/ false);
3551
3552 if (ClCheckAccessAddress)
3553 insertShadowCheck(Addr, &I);
3554
3555 Value *Shadow = IRB.CreateAlignedLoad(Ty, ShadowPtr, Alignment, "_ldmxcsr");
3556 Value *Origin = MS.TrackOrigins ? IRB.CreateLoad(MS.OriginTy, OriginPtr)
3557 : getCleanOrigin();
3558 insertShadowCheck(Shadow, Origin, &I);
3559 }
3560
3561 void handleMaskedExpandLoad(IntrinsicInst &I) {
3562 IRBuilder<> IRB(&I);
3563 Value *Ptr = I.getArgOperand(0);
3564 MaybeAlign Align = I.getParamAlign(0);
3565 Value *Mask = I.getArgOperand(1);
3566 Value *PassThru = I.getArgOperand(2);
3567
3568 if (ClCheckAccessAddress) {
3569 insertShadowCheck(Ptr, &I);
3570 insertShadowCheck(Mask, &I);
3571 }
3572
3573 if (!PropagateShadow) {
3574 setShadow(&I, getCleanShadow(&I));
3575 setOrigin(&I, getCleanOrigin());
3576 return;
3577 }
3578
3579 Type *ShadowTy = getShadowTy(&I);
3580 Type *ElementShadowTy = cast<VectorType>(ShadowTy)->getElementType();
3581 auto [ShadowPtr, OriginPtr] =
3582 getShadowOriginPtr(Ptr, IRB, ElementShadowTy, Align, /*isStore*/ false);
3583
3584 Value *Shadow =
3585 IRB.CreateMaskedExpandLoad(ShadowTy, ShadowPtr, Align, Mask,
3586 getShadow(PassThru), "_msmaskedexpload");
3587
3588 setShadow(&I, Shadow);
3589
3590 // TODO: Store origins.
3591 setOrigin(&I, getCleanOrigin());
3592 }
3593
3594 void handleMaskedCompressStore(IntrinsicInst &I) {
3595 IRBuilder<> IRB(&I);
3596 Value *Values = I.getArgOperand(0);
3597 Value *Ptr = I.getArgOperand(1);
3598 MaybeAlign Align = I.getParamAlign(1);
3599 Value *Mask = I.getArgOperand(2);
3600
3601 if (ClCheckAccessAddress) {
3602 insertShadowCheck(Ptr, &I);
3603 insertShadowCheck(Mask, &I);
3604 }
3605
3606 Value *Shadow = getShadow(Values);
3607 Type *ElementShadowTy =
3608 getShadowTy(cast<VectorType>(Values->getType())->getElementType());
3609 auto [ShadowPtr, OriginPtrs] =
3610 getShadowOriginPtr(Ptr, IRB, ElementShadowTy, Align, /*isStore*/ true);
3611
3612 IRB.CreateMaskedCompressStore(Shadow, ShadowPtr, Align, Mask);
3613
3614 // TODO: Store origins.
3615 }
3616
3617 void handleMaskedGather(IntrinsicInst &I) {
3618 IRBuilder<> IRB(&I);
3619 Value *Ptrs = I.getArgOperand(0);
3620 const Align Alignment(
3621 cast<ConstantInt>(I.getArgOperand(1))->getZExtValue());
3622 Value *Mask = I.getArgOperand(2);
3623 Value *PassThru = I.getArgOperand(3);
3624
3625 Type *PtrsShadowTy = getShadowTy(Ptrs);
3626 if (ClCheckAccessAddress) {
3627 insertShadowCheck(Mask, &I);
3628 Value *MaskedPtrShadow = IRB.CreateSelect(
3629 Mask, getShadow(Ptrs), Constant::getNullValue((PtrsShadowTy)),
3630 "_msmaskedptrs");
3631 insertShadowCheck(MaskedPtrShadow, getOrigin(Ptrs), &I);
3632 }
3633
3634 if (!PropagateShadow) {
3635 setShadow(&I, getCleanShadow(&I));
3636 setOrigin(&I, getCleanOrigin());
3637 return;
3638 }
3639
3640 Type *ShadowTy = getShadowTy(&I);
3641 Type *ElementShadowTy = cast<VectorType>(ShadowTy)->getElementType();
3642 auto [ShadowPtrs, OriginPtrs] = getShadowOriginPtr(
3643 Ptrs, IRB, ElementShadowTy, Alignment, /*isStore*/ false);
3644
3645 Value *Shadow =
3646 IRB.CreateMaskedGather(ShadowTy, ShadowPtrs, Alignment, Mask,
3647 getShadow(PassThru), "_msmaskedgather");
3648
3649 setShadow(&I, Shadow);
3650
3651 // TODO: Store origins.
3652 setOrigin(&I, getCleanOrigin());
3653 }
3654
3655 void handleMaskedScatter(IntrinsicInst &I) {
3656 IRBuilder<> IRB(&I);
3657 Value *Values = I.getArgOperand(0);
3658 Value *Ptrs = I.getArgOperand(1);
3659 const Align Alignment(
3660 cast<ConstantInt>(I.getArgOperand(2))->getZExtValue());
3661 Value *Mask = I.getArgOperand(3);
3662
3663 Type *PtrsShadowTy = getShadowTy(Ptrs);
3664 if (ClCheckAccessAddress) {
3665 insertShadowCheck(Mask, &I);
3666 Value *MaskedPtrShadow = IRB.CreateSelect(
3667 Mask, getShadow(Ptrs), Constant::getNullValue((PtrsShadowTy)),
3668 "_msmaskedptrs");
3669 insertShadowCheck(MaskedPtrShadow, getOrigin(Ptrs), &I);
3670 }
3671
3672 Value *Shadow = getShadow(Values);
3673 Type *ElementShadowTy =
3674 getShadowTy(cast<VectorType>(Values->getType())->getElementType());
3675 auto [ShadowPtrs, OriginPtrs] = getShadowOriginPtr(
3676 Ptrs, IRB, ElementShadowTy, Alignment, /*isStore*/ true);
3677
3678 IRB.CreateMaskedScatter(Shadow, ShadowPtrs, Alignment, Mask);
3679
3680 // TODO: Store origin.
3681 }
3682
3683 void handleMaskedStore(IntrinsicInst &I) {
3684 IRBuilder<> IRB(&I);
3685 Value *V = I.getArgOperand(0);
3686 Value *Ptr = I.getArgOperand(1);
3687 const Align Alignment(
3688 cast<ConstantInt>(I.getArgOperand(2))->getZExtValue());
3689 Value *Mask = I.getArgOperand(3);
3690 Value *Shadow = getShadow(V);
3691
3692 if (ClCheckAccessAddress) {
3693 insertShadowCheck(Ptr, &I);
3694 insertShadowCheck(Mask, &I);
3695 }
3696
3697 Value *ShadowPtr;
3698 Value *OriginPtr;
3699 std::tie(ShadowPtr, OriginPtr) = getShadowOriginPtr(
3700 Ptr, IRB, Shadow->getType(), Alignment, /*isStore*/ true);
3701
3702 IRB.CreateMaskedStore(Shadow, ShadowPtr, Alignment, Mask);
3703
3704 if (!MS.TrackOrigins)
3705 return;
3706
3707 auto &DL = F.getDataLayout();
3708 paintOrigin(IRB, getOrigin(V), OriginPtr,
3709 DL.getTypeStoreSize(Shadow->getType()),
3710 std::max(Alignment, kMinOriginAlignment));
3711 }
3712
3713 void handleMaskedLoad(IntrinsicInst &I) {
3714 IRBuilder<> IRB(&I);
3715 Value *Ptr = I.getArgOperand(0);
3716 const Align Alignment(
3717 cast<ConstantInt>(I.getArgOperand(1))->getZExtValue());
3718 Value *Mask = I.getArgOperand(2);
3719 Value *PassThru = I.getArgOperand(3);
3720
3721 if (ClCheckAccessAddress) {
3722 insertShadowCheck(Ptr, &I);
3723 insertShadowCheck(Mask, &I);
3724 }
3725
3726 if (!PropagateShadow) {
3727 setShadow(&I, getCleanShadow(&I));
3728 setOrigin(&I, getCleanOrigin());
3729 return;
3730 }
3731
3732 Type *ShadowTy = getShadowTy(&I);
3733 Value *ShadowPtr, *OriginPtr;
3734 std::tie(ShadowPtr, OriginPtr) =
3735 getShadowOriginPtr(Ptr, IRB, ShadowTy, Alignment, /*isStore*/ false);
3736 setShadow(&I, IRB.CreateMaskedLoad(ShadowTy, ShadowPtr, Alignment, Mask,
3737 getShadow(PassThru), "_msmaskedld"));
3738
3739 if (!MS.TrackOrigins)
3740 return;
3741
3742 // Choose between PassThru's and the loaded value's origins.
3743 Value *MaskedPassThruShadow = IRB.CreateAnd(
3744 getShadow(PassThru), IRB.CreateSExt(IRB.CreateNeg(Mask), ShadowTy));
3745
3746 Value *NotNull = convertToBool(MaskedPassThruShadow, IRB, "_mscmp");
3747
3748 Value *PtrOrigin = IRB.CreateLoad(MS.OriginTy, OriginPtr);
3749 Value *Origin = IRB.CreateSelect(NotNull, getOrigin(PassThru), PtrOrigin);
3750
3751 setOrigin(&I, Origin);
3752 }
3753
3754 // Instrument BMI / BMI2 intrinsics.
3755 // All of these intrinsics are Z = I(X, Y)
3756 // where the types of all operands and the result match, and are either i32 or
3757 // i64. The following instrumentation happens to work for all of them:
3758 // Sz = I(Sx, Y) | (sext (Sy != 0))
3759 void handleBmiIntrinsic(IntrinsicInst &I) {
3760 IRBuilder<> IRB(&I);
3761 Type *ShadowTy = getShadowTy(&I);
3762
3763 // If any bit of the mask operand is poisoned, then the whole thing is.
3764 Value *SMask = getShadow(&I, 1);
3765 SMask = IRB.CreateSExt(IRB.CreateICmpNE(SMask, getCleanShadow(ShadowTy)),
3766 ShadowTy);
3767 // Apply the same intrinsic to the shadow of the first operand.
3768 Value *S = IRB.CreateCall(I.getCalledFunction(),
3769 {getShadow(&I, 0), I.getOperand(1)});
3770 S = IRB.CreateOr(SMask, S);
3771 setShadow(&I, S);
3772 setOriginForNaryOp(I);
3773 }
3774
3775 static SmallVector<int, 8> getPclmulMask(unsigned Width, bool OddElements) {
3776 SmallVector<int, 8> Mask;
3777 for (unsigned X = OddElements ? 1 : 0; X < Width; X += 2) {
3778 Mask.append(2, X);
3779 }
3780 return Mask;
3781 }
3782
3783 // Instrument pclmul intrinsics.
3784 // These intrinsics operate either on odd or on even elements of the input
3785 // vectors, depending on the constant in the 3rd argument, ignoring the rest.
3786 // Replace the unused elements with copies of the used ones, ex:
3787 // (0, 1, 2, 3) -> (0, 0, 2, 2) (even case)
3788 // or
3789 // (0, 1, 2, 3) -> (1, 1, 3, 3) (odd case)
3790 // and then apply the usual shadow combining logic.
3791 void handlePclmulIntrinsic(IntrinsicInst &I) {
3792 IRBuilder<> IRB(&I);
3793 unsigned Width =
3794 cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements();
3795 assert(isa<ConstantInt>(I.getArgOperand(2)) &&
3796 "pclmul 3rd operand must be a constant");
3797 unsigned Imm = cast<ConstantInt>(I.getArgOperand(2))->getZExtValue();
3798 Value *Shuf0 = IRB.CreateShuffleVector(getShadow(&I, 0),
3799 getPclmulMask(Width, Imm & 0x01));
3800 Value *Shuf1 = IRB.CreateShuffleVector(getShadow(&I, 1),
3801 getPclmulMask(Width, Imm & 0x10));
3802 ShadowAndOriginCombiner SOC(this, IRB);
3803 SOC.Add(Shuf0, getOrigin(&I, 0));
3804 SOC.Add(Shuf1, getOrigin(&I, 1));
3805 SOC.Done(&I);
3806 }
3807
3808 // Instrument _mm_*_sd|ss intrinsics
3809 void handleUnarySdSsIntrinsic(IntrinsicInst &I) {
3810 IRBuilder<> IRB(&I);
3811 unsigned Width =
3812 cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements();
3813 Value *First = getShadow(&I, 0);
3814 Value *Second = getShadow(&I, 1);
3815 // First element of second operand, remaining elements of first operand
3816 SmallVector<int, 16> Mask;
3817 Mask.push_back(Width);
3818 for (unsigned i = 1; i < Width; i++)
3819 Mask.push_back(i);
3820 Value *Shadow = IRB.CreateShuffleVector(First, Second, Mask);
3821
3822 setShadow(&I, Shadow);
3823 setOriginForNaryOp(I);
3824 }
3825
3826 void handleVtestIntrinsic(IntrinsicInst &I) {
3827 IRBuilder<> IRB(&I);
3828 Value *Shadow0 = getShadow(&I, 0);
3829 Value *Shadow1 = getShadow(&I, 1);
3830 Value *Or = IRB.CreateOr(Shadow0, Shadow1);
3831 Value *NZ = IRB.CreateICmpNE(Or, Constant::getNullValue(Or->getType()));
3832 Value *Scalar = convertShadowToScalar(NZ, IRB);
3833 Value *Shadow = IRB.CreateZExt(Scalar, getShadowTy(&I));
3834
3835 setShadow(&I, Shadow);
3836 setOriginForNaryOp(I);
3837 }
3838
3839 void handleBinarySdSsIntrinsic(IntrinsicInst &I) {
3840 IRBuilder<> IRB(&I);
3841 unsigned Width =
3842 cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements();
3843 Value *First = getShadow(&I, 0);
3844 Value *Second = getShadow(&I, 1);
3845 Value *OrShadow = IRB.CreateOr(First, Second);
3846 // First element of both OR'd together, remaining elements of first operand
3847 SmallVector<int, 16> Mask;
3848 Mask.push_back(Width);
3849 for (unsigned i = 1; i < Width; i++)
3850 Mask.push_back(i);
3851 Value *Shadow = IRB.CreateShuffleVector(First, OrShadow, Mask);
3852
3853 setShadow(&I, Shadow);
3854 setOriginForNaryOp(I);
3855 }
3856
3857 // _mm_round_ps / _mm_round_ps.
3858 // Similar to maybeHandleSimpleNomemIntrinsic except
3859 // the second argument is guranteed to be a constant integer.
3860 void handleRoundPdPsIntrinsic(IntrinsicInst &I) {
3861 assert(I.getArgOperand(0)->getType() == I.getType());
3862 assert(I.arg_size() == 2);
3863 assert(isa<ConstantInt>(I.getArgOperand(1)));
3864
3865 IRBuilder<> IRB(&I);
3866 ShadowAndOriginCombiner SC(this, IRB);
3867 SC.Add(I.getArgOperand(0));
3868 SC.Done(&I);
3869 }
3870
3871 // Instrument abs intrinsic.
3872 // handleUnknownIntrinsic can't handle it because of the last
3873 // is_int_min_poison argument which does not match the result type.
3874 void handleAbsIntrinsic(IntrinsicInst &I) {
3875 assert(I.getType()->isIntOrIntVectorTy());
3876 assert(I.getArgOperand(0)->getType() == I.getType());
3877
3878 // FIXME: Handle is_int_min_poison.
3879 IRBuilder<> IRB(&I);
3880 setShadow(&I, getShadow(&I, 0));
3881 setOrigin(&I, getOrigin(&I, 0));
3882 }
3883
3884 void handleIsFpClass(IntrinsicInst &I) {
3885 IRBuilder<> IRB(&I);
3886 Value *Shadow = getShadow(&I, 0);
3887 setShadow(&I, IRB.CreateICmpNE(Shadow, getCleanShadow(Shadow)));
3888 setOrigin(&I, getOrigin(&I, 0));
3889 }
3890
3891 void handleArithmeticWithOverflow(IntrinsicInst &I) {
3892 IRBuilder<> IRB(&I);
3893 Value *Shadow0 = getShadow(&I, 0);
3894 Value *Shadow1 = getShadow(&I, 1);
3895 Value *ShadowElt0 = IRB.CreateOr(Shadow0, Shadow1);
3896 Value *ShadowElt1 =
3897 IRB.CreateICmpNE(ShadowElt0, getCleanShadow(ShadowElt0));
3898
3899 Value *Shadow = PoisonValue::get(getShadowTy(&I));
3900 Shadow = IRB.CreateInsertValue(Shadow, ShadowElt0, 0);
3901 Shadow = IRB.CreateInsertValue(Shadow, ShadowElt1, 1);
3902
3903 setShadow(&I, Shadow);
3904 setOriginForNaryOp(I);
3905 }
3906
3907 /// Handle Arm NEON vector store intrinsics (vst{2,3,4}, vst1x_{2,3,4},
3908 /// and vst{2,3,4}lane).
3909 ///
3910 /// Arm NEON vector store intrinsics have the output address (pointer) as the
3911 /// last argument, with the initial arguments being the inputs (and lane
3912 /// number for vst{2,3,4}lane). They return void.
3913 ///
3914 /// - st4 interleaves the output e.g., st4 (inA, inB, inC, inD, outP) writes
3915 /// abcdabcdabcdabcd... into *outP
3916 /// - st1_x4 is non-interleaved e.g., st1_x4 (inA, inB, inC, inD, outP)
3917 /// writes aaaa...bbbb...cccc...dddd... into *outP
3918 /// - st4lane has arguments of (inA, inB, inC, inD, lane, outP)
3919 /// These instructions can all be instrumented with essentially the same
3920 /// MSan logic, simply by applying the corresponding intrinsic to the shadow.
3921 void handleNEONVectorStoreIntrinsic(IntrinsicInst &I, bool useLane) {
3922 IRBuilder<> IRB(&I);
3923
3924 // Don't use getNumOperands() because it includes the callee
3925 int numArgOperands = I.arg_size();
3926
3927 // The last arg operand is the output (pointer)
3928 assert(numArgOperands >= 1);
3929 Value *Addr = I.getArgOperand(numArgOperands - 1);
3930 assert(Addr->getType()->isPointerTy());
3931 int skipTrailingOperands = 1;
3932
3933 if (ClCheckAccessAddress)
3934 insertShadowCheck(Addr, &I);
3935
3936 // Second-last operand is the lane number (for vst{2,3,4}lane)
3937 if (useLane) {
3938 skipTrailingOperands++;
3939 assert(numArgOperands >= static_cast<int>(skipTrailingOperands));
3940 assert(isa<IntegerType>(
3941 I.getArgOperand(numArgOperands - skipTrailingOperands)->getType()));
3942 }
3943
3944 SmallVector<Value *, 8> ShadowArgs;
3945 // All the initial operands are the inputs
3946 for (int i = 0; i < numArgOperands - skipTrailingOperands; i++) {
3947 assert(isa<FixedVectorType>(I.getArgOperand(i)->getType()));
3948 Value *Shadow = getShadow(&I, i);
3949 ShadowArgs.append(1, Shadow);
3950 }
3951
3952 // MSan's GetShadowTy assumes the LHS is the type we want the shadow for
3953 // e.g., for:
3954 // [[TMP5:%.*]] = bitcast <16 x i8> [[TMP2]] to i128
3955 // we know the type of the output (and its shadow) is <16 x i8>.
3956 //
3957 // Arm NEON VST is unusual because the last argument is the output address:
3958 // define void @st2_16b(<16 x i8> %A, <16 x i8> %B, ptr %P) {
3959 // call void @llvm.aarch64.neon.st2.v16i8.p0
3960 // (<16 x i8> [[A]], <16 x i8> [[B]], ptr [[P]])
3961 // and we have no type information about P's operand. We must manually
3962 // compute the type (<16 x i8> x 2).
3963 FixedVectorType *OutputVectorTy = FixedVectorType::get(
3964 cast<FixedVectorType>(I.getArgOperand(0)->getType())->getElementType(),
3965 cast<FixedVectorType>(I.getArgOperand(0)->getType())->getNumElements() *
3966 (numArgOperands - skipTrailingOperands));
3967 Type *OutputShadowTy = getShadowTy(OutputVectorTy);
3968
3969 if (useLane)
3970 ShadowArgs.append(1,
3971 I.getArgOperand(numArgOperands - skipTrailingOperands));
3972
3973 Value *OutputShadowPtr, *OutputOriginPtr;
3974 // AArch64 NEON does not need alignment (unless OS requires it)
3975 std::tie(OutputShadowPtr, OutputOriginPtr) = getShadowOriginPtr(
3976 Addr, IRB, OutputShadowTy, Align(1), /*isStore*/ true);
3977 ShadowArgs.append(1, OutputShadowPtr);
3978
3979 CallInst *CI =
3980 IRB.CreateIntrinsic(IRB.getVoidTy(), I.getIntrinsicID(), ShadowArgs);
3981 setShadow(&I, CI);
3982
3983 if (MS.TrackOrigins) {
3984 // TODO: if we modelled the vst* instruction more precisely, we could
3985 // more accurately track the origins (e.g., if both inputs are
3986 // uninitialized for vst2, we currently blame the second input, even
3987 // though part of the output depends only on the first input).
3988 //
3989 // This is particularly imprecise for vst{2,3,4}lane, since only one
3990 // lane of each input is actually copied to the output.
3991 OriginCombiner OC(this, IRB);
3992 for (int i = 0; i < numArgOperands - skipTrailingOperands; i++)
3993 OC.Add(I.getArgOperand(i));
3994
3995 const DataLayout &DL = F.getDataLayout();
3996 OC.DoneAndStoreOrigin(DL.getTypeStoreSize(OutputVectorTy),
3997 OutputOriginPtr);
3998 }
3999 }
4000
4001 /// Handle intrinsics by applying the intrinsic to the shadows.
4002 ///
4003 /// The trailing arguments are passed verbatim to the intrinsic, though any
4004 /// uninitialized trailing arguments can also taint the shadow e.g., for an
4005 /// intrinsic with one trailing verbatim argument:
4006 /// out = intrinsic(var1, var2, opType)
4007 /// we compute:
4008 /// shadow[out] =
4009 /// intrinsic(shadow[var1], shadow[var2], opType) | shadow[opType]
4010 ///
4011 /// CAUTION: this assumes that the intrinsic will handle arbitrary
4012 /// bit-patterns (for example, if the intrinsic accepts floats for
4013 /// var1, we require that it doesn't care if inputs are NaNs).
4014 ///
4015 /// For example, this can be applied to the Arm NEON vector table intrinsics
4016 /// (tbl{1,2,3,4}).
4017 ///
4018 /// The origin is approximated using setOriginForNaryOp.
4019 void handleIntrinsicByApplyingToShadow(IntrinsicInst &I,
4020 unsigned int trailingVerbatimArgs) {
4021 IRBuilder<> IRB(&I);
4022
4023 assert(trailingVerbatimArgs < I.arg_size());
4024
4025 SmallVector<Value *, 8> ShadowArgs;
4026 // Don't use getNumOperands() because it includes the callee
4027 for (unsigned int i = 0; i < I.arg_size() - trailingVerbatimArgs; i++) {
4028 Value *Shadow = getShadow(&I, i);
4029
4030 // Shadows are integer-ish types but some intrinsics require a
4031 // different (e.g., floating-point) type.
4032 ShadowArgs.push_back(
4033 IRB.CreateBitCast(Shadow, I.getArgOperand(i)->getType()));
4034 }
4035
4036 for (unsigned int i = I.arg_size() - trailingVerbatimArgs; i < I.arg_size();
4037 i++) {
4038 Value *Arg = I.getArgOperand(i);
4039 ShadowArgs.push_back(Arg);
4040 }
4041
4042 CallInst *CI =
4043 IRB.CreateIntrinsic(I.getType(), I.getIntrinsicID(), ShadowArgs);
4044 Value *CombinedShadow = CI;
4045
4046 // Combine the computed shadow with the shadow of trailing args
4047 for (unsigned int i = I.arg_size() - trailingVerbatimArgs; i < I.arg_size();
4048 i++) {
4049 Value *Shadow =
4050 CreateShadowCast(IRB, getShadow(&I, i), CombinedShadow->getType());
4051 CombinedShadow = IRB.CreateOr(Shadow, CombinedShadow, "_msprop");
4052 }
4053
4054 setShadow(&I, IRB.CreateBitCast(CombinedShadow, getShadowTy(&I)));
4055
4056 setOriginForNaryOp(I);
4057 }
4058
4059 // Approximation only
4060 void handleNEONVectorMultiplyIntrinsic(IntrinsicInst &I) {
4061 handleShadowOr(I);
4062 }
4063
4064 void visitIntrinsicInst(IntrinsicInst &I) {
4065 switch (I.getIntrinsicID()) {
4066 case Intrinsic::uadd_with_overflow:
4067 case Intrinsic::sadd_with_overflow:
4068 case Intrinsic::usub_with_overflow:
4069 case Intrinsic::ssub_with_overflow:
4070 case Intrinsic::umul_with_overflow:
4071 case Intrinsic::smul_with_overflow:
4072 handleArithmeticWithOverflow(I);
4073 break;
4074 case Intrinsic::abs:
4075 handleAbsIntrinsic(I);
4076 break;
4077 case Intrinsic::is_fpclass:
4078 handleIsFpClass(I);
4079 break;
4080 case Intrinsic::lifetime_start:
4081 handleLifetimeStart(I);
4082 break;
4083 case Intrinsic::launder_invariant_group:
4084 case Intrinsic::strip_invariant_group:
4085 handleInvariantGroup(I);
4086 break;
4087 case Intrinsic::bswap:
4088 handleBswap(I);
4089 break;
4090 case Intrinsic::ctlz:
4091 case Intrinsic::cttz:
4092 handleCountZeroes(I);
4093 break;
4094 case Intrinsic::masked_compressstore:
4095 handleMaskedCompressStore(I);
4096 break;
4097 case Intrinsic::masked_expandload:
4098 handleMaskedExpandLoad(I);
4099 break;
4100 case Intrinsic::masked_gather:
4101 handleMaskedGather(I);
4102 break;
4103 case Intrinsic::masked_scatter:
4104 handleMaskedScatter(I);
4105 break;
4106 case Intrinsic::masked_store:
4107 handleMaskedStore(I);
4108 break;
4109 case Intrinsic::masked_load:
4110 handleMaskedLoad(I);
4111 break;
4112 case Intrinsic::vector_reduce_and:
4113 handleVectorReduceAndIntrinsic(I);
4114 break;
4115 case Intrinsic::vector_reduce_or:
4116 handleVectorReduceOrIntrinsic(I);
4117 break;
4118 case Intrinsic::vector_reduce_add:
4119 case Intrinsic::vector_reduce_xor:
4120 case Intrinsic::vector_reduce_mul:
4121 handleVectorReduceIntrinsic(I);
4122 break;
4123 case Intrinsic::x86_sse_stmxcsr:
4124 handleStmxcsr(I);
4125 break;
4126 case Intrinsic::x86_sse_ldmxcsr:
4127 handleLdmxcsr(I);
4128 break;
4129 case Intrinsic::x86_avx512_vcvtsd2usi64:
4130 case Intrinsic::x86_avx512_vcvtsd2usi32:
4131 case Intrinsic::x86_avx512_vcvtss2usi64:
4132 case Intrinsic::x86_avx512_vcvtss2usi32:
4133 case Intrinsic::x86_avx512_cvttss2usi64:
4134 case Intrinsic::x86_avx512_cvttss2usi:
4135 case Intrinsic::x86_avx512_cvttsd2usi64:
4136 case Intrinsic::x86_avx512_cvttsd2usi:
4137 case Intrinsic::x86_avx512_cvtusi2ss:
4138 case Intrinsic::x86_avx512_cvtusi642sd:
4139 case Intrinsic::x86_avx512_cvtusi642ss:
4140 handleVectorConvertIntrinsic(I, 1, true);
4141 break;
4142 case Intrinsic::x86_sse2_cvtsd2si64:
4143 case Intrinsic::x86_sse2_cvtsd2si:
4144 case Intrinsic::x86_sse2_cvtsd2ss:
4145 case Intrinsic::x86_sse2_cvttsd2si64:
4146 case Intrinsic::x86_sse2_cvttsd2si:
4147 case Intrinsic::x86_sse_cvtss2si64:
4148 case Intrinsic::x86_sse_cvtss2si:
4149 case Intrinsic::x86_sse_cvttss2si64:
4150 case Intrinsic::x86_sse_cvttss2si:
4151 handleVectorConvertIntrinsic(I, 1);
4152 break;
4153 case Intrinsic::x86_sse_cvtps2pi:
4154 case Intrinsic::x86_sse_cvttps2pi:
4155 handleVectorConvertIntrinsic(I, 2);
4156 break;
4157
4158 case Intrinsic::x86_avx512_psll_w_512:
4159 case Intrinsic::x86_avx512_psll_d_512:
4160 case Intrinsic::x86_avx512_psll_q_512:
4161 case Intrinsic::x86_avx512_pslli_w_512:
4162 case Intrinsic::x86_avx512_pslli_d_512:
4163 case Intrinsic::x86_avx512_pslli_q_512:
4164 case Intrinsic::x86_avx512_psrl_w_512:
4165 case Intrinsic::x86_avx512_psrl_d_512:
4166 case Intrinsic::x86_avx512_psrl_q_512:
4167 case Intrinsic::x86_avx512_psra_w_512:
4168 case Intrinsic::x86_avx512_psra_d_512:
4169 case Intrinsic::x86_avx512_psra_q_512:
4170 case Intrinsic::x86_avx512_psrli_w_512:
4171 case Intrinsic::x86_avx512_psrli_d_512:
4172 case Intrinsic::x86_avx512_psrli_q_512:
4173 case Intrinsic::x86_avx512_psrai_w_512:
4174 case Intrinsic::x86_avx512_psrai_d_512:
4175 case Intrinsic::x86_avx512_psrai_q_512:
4176 case Intrinsic::x86_avx512_psra_q_256:
4177 case Intrinsic::x86_avx512_psra_q_128:
4178 case Intrinsic::x86_avx512_psrai_q_256:
4179 case Intrinsic::x86_avx512_psrai_q_128:
4180 case Intrinsic::x86_avx2_psll_w:
4181 case Intrinsic::x86_avx2_psll_d:
4182 case Intrinsic::x86_avx2_psll_q:
4183 case Intrinsic::x86_avx2_pslli_w:
4184 case Intrinsic::x86_avx2_pslli_d:
4185 case Intrinsic::x86_avx2_pslli_q:
4186 case Intrinsic::x86_avx2_psrl_w:
4187 case Intrinsic::x86_avx2_psrl_d:
4188 case Intrinsic::x86_avx2_psrl_q:
4189 case Intrinsic::x86_avx2_psra_w:
4190 case Intrinsic::x86_avx2_psra_d:
4191 case Intrinsic::x86_avx2_psrli_w:
4192 case Intrinsic::x86_avx2_psrli_d:
4193 case Intrinsic::x86_avx2_psrli_q:
4194 case Intrinsic::x86_avx2_psrai_w:
4195 case Intrinsic::x86_avx2_psrai_d:
4196 case Intrinsic::x86_sse2_psll_w:
4197 case Intrinsic::x86_sse2_psll_d:
4198 case Intrinsic::x86_sse2_psll_q:
4199 case Intrinsic::x86_sse2_pslli_w:
4200 case Intrinsic::x86_sse2_pslli_d:
4201 case Intrinsic::x86_sse2_pslli_q:
4202 case Intrinsic::x86_sse2_psrl_w:
4203 case Intrinsic::x86_sse2_psrl_d:
4204 case Intrinsic::x86_sse2_psrl_q:
4205 case Intrinsic::x86_sse2_psra_w:
4206 case Intrinsic::x86_sse2_psra_d:
4207 case Intrinsic::x86_sse2_psrli_w:
4208 case Intrinsic::x86_sse2_psrli_d:
4209 case Intrinsic::x86_sse2_psrli_q:
4210 case Intrinsic::x86_sse2_psrai_w:
4211 case Intrinsic::x86_sse2_psrai_d:
4212 case Intrinsic::x86_mmx_psll_w:
4213 case Intrinsic::x86_mmx_psll_d:
4214 case Intrinsic::x86_mmx_psll_q:
4215 case Intrinsic::x86_mmx_pslli_w:
4216 case Intrinsic::x86_mmx_pslli_d:
4217 case Intrinsic::x86_mmx_pslli_q:
4218 case Intrinsic::x86_mmx_psrl_w:
4219 case Intrinsic::x86_mmx_psrl_d:
4220 case Intrinsic::x86_mmx_psrl_q:
4221 case Intrinsic::x86_mmx_psra_w:
4222 case Intrinsic::x86_mmx_psra_d:
4223 case Intrinsic::x86_mmx_psrli_w:
4224 case Intrinsic::x86_mmx_psrli_d:
4225 case Intrinsic::x86_mmx_psrli_q:
4226 case Intrinsic::x86_mmx_psrai_w:
4227 case Intrinsic::x86_mmx_psrai_d:
4228 case Intrinsic::aarch64_neon_rshrn:
4229 case Intrinsic::aarch64_neon_sqrshl:
4230 case Intrinsic::aarch64_neon_sqrshrn:
4231 case Intrinsic::aarch64_neon_sqrshrun:
4232 case Intrinsic::aarch64_neon_sqshl:
4233 case Intrinsic::aarch64_neon_sqshlu:
4234 case Intrinsic::aarch64_neon_sqshrn:
4235 case Intrinsic::aarch64_neon_sqshrun:
4236 case Intrinsic::aarch64_neon_srshl:
4237 case Intrinsic::aarch64_neon_sshl:
4238 case Intrinsic::aarch64_neon_uqrshl:
4239 case Intrinsic::aarch64_neon_uqrshrn:
4240 case Intrinsic::aarch64_neon_uqshl:
4241 case Intrinsic::aarch64_neon_uqshrn:
4242 case Intrinsic::aarch64_neon_urshl:
4243 case Intrinsic::aarch64_neon_ushl:
4244 // Not handled here: aarch64_neon_vsli (vector shift left and insert)
4245 handleVectorShiftIntrinsic(I, /* Variable */ false);
4246 break;
4247 case Intrinsic::x86_avx2_psllv_d:
4248 case Intrinsic::x86_avx2_psllv_d_256:
4249 case Intrinsic::x86_avx512_psllv_d_512:
4250 case Intrinsic::x86_avx2_psllv_q:
4251 case Intrinsic::x86_avx2_psllv_q_256:
4252 case Intrinsic::x86_avx512_psllv_q_512:
4253 case Intrinsic::x86_avx2_psrlv_d:
4254 case Intrinsic::x86_avx2_psrlv_d_256:
4255 case Intrinsic::x86_avx512_psrlv_d_512:
4256 case Intrinsic::x86_avx2_psrlv_q:
4257 case Intrinsic::x86_avx2_psrlv_q_256:
4258 case Intrinsic::x86_avx512_psrlv_q_512:
4259 case Intrinsic::x86_avx2_psrav_d:
4260 case Intrinsic::x86_avx2_psrav_d_256:
4261 case Intrinsic::x86_avx512_psrav_d_512:
4262 case Intrinsic::x86_avx512_psrav_q_128:
4263 case Intrinsic::x86_avx512_psrav_q_256:
4264 case Intrinsic::x86_avx512_psrav_q_512:
4265 handleVectorShiftIntrinsic(I, /* Variable */ true);
4266 break;
4267
4268 case Intrinsic::x86_sse2_packsswb_128:
4269 case Intrinsic::x86_sse2_packssdw_128:
4270 case Intrinsic::x86_sse2_packuswb_128:
4271 case Intrinsic::x86_sse41_packusdw:
4272 case Intrinsic::x86_avx2_packsswb:
4273 case Intrinsic::x86_avx2_packssdw:
4274 case Intrinsic::x86_avx2_packuswb:
4275 case Intrinsic::x86_avx2_packusdw:
4276 handleVectorPackIntrinsic(I);
4277 break;
4278
4279 case Intrinsic::x86_sse41_pblendvb:
4280 case Intrinsic::x86_sse41_blendvpd:
4281 case Intrinsic::x86_sse41_blendvps:
4282 case Intrinsic::x86_avx_blendv_pd_256:
4283 case Intrinsic::x86_avx_blendv_ps_256:
4284 case Intrinsic::x86_avx2_pblendvb:
4285 handleBlendvIntrinsic(I);
4286 break;
4287
4288 case Intrinsic::x86_avx_dp_ps_256:
4289 case Intrinsic::x86_sse41_dppd:
4290 case Intrinsic::x86_sse41_dpps:
4291 handleDppIntrinsic(I);
4292 break;
4293
4294 case Intrinsic::x86_mmx_packsswb:
4295 case Intrinsic::x86_mmx_packuswb:
4296 handleVectorPackIntrinsic(I, 16);
4297 break;
4298
4299 case Intrinsic::x86_mmx_packssdw:
4300 handleVectorPackIntrinsic(I, 32);
4301 break;
4302
4303 case Intrinsic::x86_mmx_psad_bw:
4304 handleVectorSadIntrinsic(I, true);
4305 break;
4306 case Intrinsic::x86_sse2_psad_bw:
4307 case Intrinsic::x86_avx2_psad_bw:
4308 handleVectorSadIntrinsic(I);
4309 break;
4310
4311 case Intrinsic::x86_sse2_pmadd_wd:
4312 case Intrinsic::x86_avx2_pmadd_wd:
4313 case Intrinsic::x86_ssse3_pmadd_ub_sw_128:
4314 case Intrinsic::x86_avx2_pmadd_ub_sw:
4315 handleVectorPmaddIntrinsic(I);
4316 break;
4317
4318 case Intrinsic::x86_ssse3_pmadd_ub_sw:
4319 handleVectorPmaddIntrinsic(I, 8);
4320 break;
4321
4322 case Intrinsic::x86_mmx_pmadd_wd:
4323 handleVectorPmaddIntrinsic(I, 16);
4324 break;
4325
4326 case Intrinsic::x86_sse_cmp_ss:
4327 case Intrinsic::x86_sse2_cmp_sd:
4328 case Intrinsic::x86_sse_comieq_ss:
4329 case Intrinsic::x86_sse_comilt_ss:
4330 case Intrinsic::x86_sse_comile_ss:
4331 case Intrinsic::x86_sse_comigt_ss:
4332 case Intrinsic::x86_sse_comige_ss:
4333 case Intrinsic::x86_sse_comineq_ss:
4334 case Intrinsic::x86_sse_ucomieq_ss:
4335 case Intrinsic::x86_sse_ucomilt_ss:
4336 case Intrinsic::x86_sse_ucomile_ss:
4337 case Intrinsic::x86_sse_ucomigt_ss:
4338 case Intrinsic::x86_sse_ucomige_ss:
4339 case Intrinsic::x86_sse_ucomineq_ss:
4340 case Intrinsic::x86_sse2_comieq_sd:
4341 case Intrinsic::x86_sse2_comilt_sd:
4342 case Intrinsic::x86_sse2_comile_sd:
4343 case Intrinsic::x86_sse2_comigt_sd:
4344 case Intrinsic::x86_sse2_comige_sd:
4345 case Intrinsic::x86_sse2_comineq_sd:
4346 case Intrinsic::x86_sse2_ucomieq_sd:
4347 case Intrinsic::x86_sse2_ucomilt_sd:
4348 case Intrinsic::x86_sse2_ucomile_sd:
4349 case Intrinsic::x86_sse2_ucomigt_sd:
4350 case Intrinsic::x86_sse2_ucomige_sd:
4351 case Intrinsic::x86_sse2_ucomineq_sd:
4352 handleVectorCompareScalarIntrinsic(I);
4353 break;
4354
4355 case Intrinsic::x86_avx_cmp_pd_256:
4356 case Intrinsic::x86_avx_cmp_ps_256:
4357 case Intrinsic::x86_sse2_cmp_pd:
4358 case Intrinsic::x86_sse_cmp_ps:
4359 handleVectorComparePackedIntrinsic(I);
4360 break;
4361
4362 case Intrinsic::x86_bmi_bextr_32:
4363 case Intrinsic::x86_bmi_bextr_64:
4364 case Intrinsic::x86_bmi_bzhi_32:
4365 case Intrinsic::x86_bmi_bzhi_64:
4366 case Intrinsic::x86_bmi_pdep_32:
4367 case Intrinsic::x86_bmi_pdep_64:
4368 case Intrinsic::x86_bmi_pext_32:
4369 case Intrinsic::x86_bmi_pext_64:
4370 handleBmiIntrinsic(I);
4371 break;
4372
4373 case Intrinsic::x86_pclmulqdq:
4374 case Intrinsic::x86_pclmulqdq_256:
4375 case Intrinsic::x86_pclmulqdq_512:
4376 handlePclmulIntrinsic(I);
4377 break;
4378
4379 case Intrinsic::x86_avx_round_pd_256:
4380 case Intrinsic::x86_avx_round_ps_256:
4381 case Intrinsic::x86_sse41_round_pd:
4382 case Intrinsic::x86_sse41_round_ps:
4383 handleRoundPdPsIntrinsic(I);
4384 break;
4385
4386 case Intrinsic::x86_sse41_round_sd:
4387 case Intrinsic::x86_sse41_round_ss:
4388 handleUnarySdSsIntrinsic(I);
4389 break;
4390
4391 case Intrinsic::x86_sse2_max_sd:
4392 case Intrinsic::x86_sse_max_ss:
4393 case Intrinsic::x86_sse2_min_sd:
4394 case Intrinsic::x86_sse_min_ss:
4395 handleBinarySdSsIntrinsic(I);
4396 break;
4397
4398 case Intrinsic::x86_avx_vtestc_pd:
4399 case Intrinsic::x86_avx_vtestc_pd_256:
4400 case Intrinsic::x86_avx_vtestc_ps:
4401 case Intrinsic::x86_avx_vtestc_ps_256:
4402 case Intrinsic::x86_avx_vtestnzc_pd:
4403 case Intrinsic::x86_avx_vtestnzc_pd_256:
4404 case Intrinsic::x86_avx_vtestnzc_ps:
4405 case Intrinsic::x86_avx_vtestnzc_ps_256:
4406 case Intrinsic::x86_avx_vtestz_pd:
4407 case Intrinsic::x86_avx_vtestz_pd_256:
4408 case Intrinsic::x86_avx_vtestz_ps:
4409 case Intrinsic::x86_avx_vtestz_ps_256:
4410 case Intrinsic::x86_avx_ptestc_256:
4411 case Intrinsic::x86_avx_ptestnzc_256:
4412 case Intrinsic::x86_avx_ptestz_256:
4413 case Intrinsic::x86_sse41_ptestc:
4414 case Intrinsic::x86_sse41_ptestnzc:
4415 case Intrinsic::x86_sse41_ptestz:
4416 handleVtestIntrinsic(I);
4417 break;
4418
4419 case Intrinsic::fshl:
4420 case Intrinsic::fshr:
4421 handleFunnelShift(I);
4422 break;
4423
4424 case Intrinsic::is_constant:
4425 // The result of llvm.is.constant() is always defined.
4426 setShadow(&I, getCleanShadow(&I));
4427 setOrigin(&I, getCleanOrigin());
4428 break;
4429
4430 case Intrinsic::aarch64_neon_st1x2:
4431 case Intrinsic::aarch64_neon_st1x3:
4432 case Intrinsic::aarch64_neon_st1x4:
4433 case Intrinsic::aarch64_neon_st2:
4434 case Intrinsic::aarch64_neon_st3:
4435 case Intrinsic::aarch64_neon_st4: {
4436 handleNEONVectorStoreIntrinsic(I, false);
4437 break;
4438 }
4439
4440 case Intrinsic::aarch64_neon_st2lane:
4441 case Intrinsic::aarch64_neon_st3lane:
4442 case Intrinsic::aarch64_neon_st4lane: {
4443 handleNEONVectorStoreIntrinsic(I, true);
4444 break;
4445 }
4446
4447 // Arm NEON vector table intrinsics have the source/table register(s) as
4448 // arguments, followed by the index register. They return the output.
4449 //
4450 // 'TBL writes a zero if an index is out-of-range, while TBX leaves the
4451 // original value unchanged in the destination register.'
4452 // Conveniently, zero denotes a clean shadow, which means out-of-range
4453 // indices for TBL will initialize the user data with zero and also clean
4454 // the shadow. (For TBX, neither the user data nor the shadow will be
4455 // updated, which is also correct.)
4456 case Intrinsic::aarch64_neon_tbl1:
4457 case Intrinsic::aarch64_neon_tbl2:
4458 case Intrinsic::aarch64_neon_tbl3:
4459 case Intrinsic::aarch64_neon_tbl4:
4460 case Intrinsic::aarch64_neon_tbx1:
4461 case Intrinsic::aarch64_neon_tbx2:
4462 case Intrinsic::aarch64_neon_tbx3:
4463 case Intrinsic::aarch64_neon_tbx4: {
4464 // The last trailing argument (index register) should be handled verbatim
4465 handleIntrinsicByApplyingToShadow(I, 1);
4466 break;
4467 }
4468
4469 case Intrinsic::aarch64_neon_fmulx:
4470 case Intrinsic::aarch64_neon_pmul:
4471 case Intrinsic::aarch64_neon_pmull:
4472 case Intrinsic::aarch64_neon_smull:
4473 case Intrinsic::aarch64_neon_pmull64:
4474 case Intrinsic::aarch64_neon_umull: {
4475 handleNEONVectorMultiplyIntrinsic(I);
4476 break;
4477 }
4478
4479 default:
4480 if (!handleUnknownIntrinsic(I))
4481 visitInstruction(I);
4482 break;
4483 }
4484 }
4485
4486 void visitLibAtomicLoad(CallBase &CB) {
4487 // Since we use getNextNode here, we can't have CB terminate the BB.
4488 assert(isa<CallInst>(CB));
4489
4490 IRBuilder<> IRB(&CB);
4491 Value *Size = CB.getArgOperand(0);
4492 Value *SrcPtr = CB.getArgOperand(1);
4493 Value *DstPtr = CB.getArgOperand(2);
4494 Value *Ordering = CB.getArgOperand(3);
4495 // Convert the call to have at least Acquire ordering to make sure
4496 // the shadow operations aren't reordered before it.
4497 Value *NewOrdering =
4498 IRB.CreateExtractElement(makeAddAcquireOrderingTable(IRB), Ordering);
4499 CB.setArgOperand(3, NewOrdering);
4500
4501 NextNodeIRBuilder NextIRB(&CB);
4502 Value *SrcShadowPtr, *SrcOriginPtr;
4503 std::tie(SrcShadowPtr, SrcOriginPtr) =
4504 getShadowOriginPtr(SrcPtr, NextIRB, NextIRB.getInt8Ty(), Align(1),
4505 /*isStore*/ false);
4506 Value *DstShadowPtr =
4507 getShadowOriginPtr(DstPtr, NextIRB, NextIRB.getInt8Ty(), Align(1),
4508 /*isStore*/ true)
4509 .first;
4510
4511 NextIRB.CreateMemCpy(DstShadowPtr, Align(1), SrcShadowPtr, Align(1), Size);
4512 if (MS.TrackOrigins) {
4513 Value *SrcOrigin = NextIRB.CreateAlignedLoad(MS.OriginTy, SrcOriginPtr,
4514 kMinOriginAlignment);
4515 Value *NewOrigin = updateOrigin(SrcOrigin, NextIRB);
4516 NextIRB.CreateCall(MS.MsanSetOriginFn, {DstPtr, Size, NewOrigin});
4517 }
4518 }
4519
4520 void visitLibAtomicStore(CallBase &CB) {
4521 IRBuilder<> IRB(&CB);
4522 Value *Size = CB.getArgOperand(0);
4523 Value *DstPtr = CB.getArgOperand(2);
4524 Value *Ordering = CB.getArgOperand(3);
4525 // Convert the call to have at least Release ordering to make sure
4526 // the shadow operations aren't reordered after it.
4527 Value *NewOrdering =
4528 IRB.CreateExtractElement(makeAddReleaseOrderingTable(IRB), Ordering);
4529 CB.setArgOperand(3, NewOrdering);
4530
4531 Value *DstShadowPtr =
4532 getShadowOriginPtr(DstPtr, IRB, IRB.getInt8Ty(), Align(1),
4533 /*isStore*/ true)
4534 .first;
4535
4536 // Atomic store always paints clean shadow/origin. See file header.
4537 IRB.CreateMemSet(DstShadowPtr, getCleanShadow(IRB.getInt8Ty()), Size,
4538 Align(1));
4539 }
4540
4541 void visitCallBase(CallBase &CB) {
4542 assert(!CB.getMetadata(LLVMContext::MD_nosanitize));
4543 if (CB.isInlineAsm()) {
4544 // For inline asm (either a call to asm function, or callbr instruction),
4545 // do the usual thing: check argument shadow and mark all outputs as
4546 // clean. Note that any side effects of the inline asm that are not
4547 // immediately visible in its constraints are not handled.
4548 if (ClHandleAsmConservative)
4549 visitAsmInstruction(CB);
4550 else
4551 visitInstruction(CB);
4552 return;
4553 }
4554 LibFunc LF;
4555 if (TLI->getLibFunc(CB, LF)) {
4556 // libatomic.a functions need to have special handling because there isn't
4557 // a good way to intercept them or compile the library with
4558 // instrumentation.
4559 switch (LF) {
4560 case LibFunc_atomic_load:
4561 if (!isa<CallInst>(CB)) {
4562 llvm::errs() << "MSAN -- cannot instrument invoke of libatomic load."
4563 "Ignoring!\n";
4564 break;
4565 }
4566 visitLibAtomicLoad(CB);
4567 return;
4568 case LibFunc_atomic_store:
4569 visitLibAtomicStore(CB);
4570 return;
4571 default:
4572 break;
4573 }
4574 }
4575
4576 if (auto *Call = dyn_cast<CallInst>(&CB)) {
4577 assert(!isa<IntrinsicInst>(Call) && "intrinsics are handled elsewhere");
4578
4579 // We are going to insert code that relies on the fact that the callee
4580 // will become a non-readonly function after it is instrumented by us. To
4581 // prevent this code from being optimized out, mark that function
4582 // non-readonly in advance.
4583 // TODO: We can likely do better than dropping memory() completely here.
4584 AttributeMask B;
4585 B.addAttribute(Attribute::Memory).addAttribute(Attribute::Speculatable);
4586
4587 Call->removeFnAttrs(B);
4588 if (Function *Func = Call->getCalledFunction()) {
4589 Func->removeFnAttrs(B);
4590 }
4591
4592 maybeMarkSanitizerLibraryCallNoBuiltin(Call, TLI);
4593 }
4594 IRBuilder<> IRB(&CB);
4595 bool MayCheckCall = MS.EagerChecks;
4596 if (Function *Func = CB.getCalledFunction()) {
4597 // __sanitizer_unaligned_{load,store} functions may be called by users
4598 // and always expects shadows in the TLS. So don't check them.
4599 MayCheckCall &= !Func->getName().starts_with("__sanitizer_unaligned_");
4600 }
4601
4602 unsigned ArgOffset = 0;
4603 LLVM_DEBUG(dbgs() << " CallSite: " << CB << "\n");
4604 for (const auto &[i, A] : llvm::enumerate(CB.args())) {
4605 if (!A->getType()->isSized()) {
4606 LLVM_DEBUG(dbgs() << "Arg " << i << " is not sized: " << CB << "\n");
4607 continue;
4608 }
4609
4610 if (A->getType()->isScalableTy()) {
4611 LLVM_DEBUG(dbgs() << "Arg " << i << " is vscale: " << CB << "\n");
4612 // Handle as noundef, but don't reserve tls slots.
4613 insertShadowCheck(A, &CB);
4614 continue;
4615 }
4616
4617 unsigned Size = 0;
4618 const DataLayout &DL = F.getDataLayout();
4619
4620 bool ByVal = CB.paramHasAttr(i, Attribute::ByVal);
4621 bool NoUndef = CB.paramHasAttr(i, Attribute::NoUndef);
4622 bool EagerCheck = MayCheckCall && !ByVal && NoUndef;
4623
4624 if (EagerCheck) {
4625 insertShadowCheck(A, &CB);
4626 Size = DL.getTypeAllocSize(A->getType());
4627 } else {
4628 Value *Store = nullptr;
4629 // Compute the Shadow for arg even if it is ByVal, because
4630 // in that case getShadow() will copy the actual arg shadow to
4631 // __msan_param_tls.
4632 Value *ArgShadow = getShadow(A);
4633 Value *ArgShadowBase = getShadowPtrForArgument(IRB, ArgOffset);
4634 LLVM_DEBUG(dbgs() << " Arg#" << i << ": " << *A
4635 << " Shadow: " << *ArgShadow << "\n");
4636 if (ByVal) {
4637 // ByVal requires some special handling as it's too big for a single
4638 // load
4639 assert(A->getType()->isPointerTy() &&
4640 "ByVal argument is not a pointer!");
4641 Size = DL.getTypeAllocSize(CB.getParamByValType(i));
4642 if (ArgOffset + Size > kParamTLSSize)
4643 break;
4644 const MaybeAlign ParamAlignment(CB.getParamAlign(i));
4645 MaybeAlign Alignment = std::nullopt;
4646 if (ParamAlignment)
4647 Alignment = std::min(*ParamAlignment, kShadowTLSAlignment);
4648 Value *AShadowPtr, *AOriginPtr;
4649 std::tie(AShadowPtr, AOriginPtr) =
4650 getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), Alignment,
4651 /*isStore*/ false);
4652 if (!PropagateShadow) {
4653 Store = IRB.CreateMemSet(ArgShadowBase,
4654 Constant::getNullValue(IRB.getInt8Ty()),
4655 Size, Alignment);
4656 } else {
4657 Store = IRB.CreateMemCpy(ArgShadowBase, Alignment, AShadowPtr,
4658 Alignment, Size);
4659 if (MS.TrackOrigins) {
4660 Value *ArgOriginBase = getOriginPtrForArgument(IRB, ArgOffset);
4661 // FIXME: OriginSize should be:
4662 // alignTo(A % kMinOriginAlignment + Size, kMinOriginAlignment)
4663 unsigned OriginSize = alignTo(Size, kMinOriginAlignment);
4664 IRB.CreateMemCpy(
4665 ArgOriginBase,
4666 /* by origin_tls[ArgOffset] */ kMinOriginAlignment,
4667 AOriginPtr,
4668 /* by getShadowOriginPtr */ kMinOriginAlignment, OriginSize);
4669 }
4670 }
4671 } else {
4672 // Any other parameters mean we need bit-grained tracking of uninit
4673 // data
4674 Size = DL.getTypeAllocSize(A->getType());
4675 if (ArgOffset + Size > kParamTLSSize)
4676 break;
4677 Store = IRB.CreateAlignedStore(ArgShadow, ArgShadowBase,
4678 kShadowTLSAlignment);
4679 Constant *Cst = dyn_cast<Constant>(ArgShadow);
4680 if (MS.TrackOrigins && !(Cst && Cst->isNullValue())) {
4681 IRB.CreateStore(getOrigin(A),
4682 getOriginPtrForArgument(IRB, ArgOffset));
4683 }
4684 }
4685 (void)Store;
4686 assert(Store != nullptr);
4687 LLVM_DEBUG(dbgs() << " Param:" << *Store << "\n");
4688 }
4689 assert(Size != 0);
4690 ArgOffset += alignTo(Size, kShadowTLSAlignment);
4691 }
4692 LLVM_DEBUG(dbgs() << " done with call args\n");
4693
4694 FunctionType *FT = CB.getFunctionType();
4695 if (FT->isVarArg()) {
4696 VAHelper->visitCallBase(CB, IRB);
4697 }
4698
4699 // Now, get the shadow for the RetVal.
4700 if (!CB.getType()->isSized())
4701 return;
4702 // Don't emit the epilogue for musttail call returns.
4703 if (isa<CallInst>(CB) && cast<CallInst>(CB).isMustTailCall())
4704 return;
4705
4706 if (MayCheckCall && CB.hasRetAttr(Attribute::NoUndef)) {
4707 setShadow(&CB, getCleanShadow(&CB));
4708 setOrigin(&CB, getCleanOrigin());
4709 return;
4710 }
4711
4712 IRBuilder<> IRBBefore(&CB);
4713 // Until we have full dynamic coverage, make sure the retval shadow is 0.
4714 Value *Base = getShadowPtrForRetval(IRBBefore);
4715 IRBBefore.CreateAlignedStore(getCleanShadow(&CB), Base,
4716 kShadowTLSAlignment);
4717 BasicBlock::iterator NextInsn;
4718 if (isa<CallInst>(CB)) {
4719 NextInsn = ++CB.getIterator();
4720 assert(NextInsn != CB.getParent()->end());
4721 } else {
4722 BasicBlock *NormalDest = cast<InvokeInst>(CB).getNormalDest();
4723 if (!NormalDest->getSinglePredecessor()) {
4724 // FIXME: this case is tricky, so we are just conservative here.
4725 // Perhaps we need to split the edge between this BB and NormalDest,
4726 // but a naive attempt to use SplitEdge leads to a crash.
4727 setShadow(&CB, getCleanShadow(&CB));
4728 setOrigin(&CB, getCleanOrigin());
4729 return;
4730 }
4731 // FIXME: NextInsn is likely in a basic block that has not been visited
4732 // yet. Anything inserted there will be instrumented by MSan later!
4733 NextInsn = NormalDest->getFirstInsertionPt();
4734 assert(NextInsn != NormalDest->end() &&
4735 "Could not find insertion point for retval shadow load");
4736 }
4737 IRBuilder<> IRBAfter(&*NextInsn);
4738 Value *RetvalShadow = IRBAfter.CreateAlignedLoad(
4739 getShadowTy(&CB), getShadowPtrForRetval(IRBAfter), kShadowTLSAlignment,
4740 "_msret");
4741 setShadow(&CB, RetvalShadow);
4742 if (MS.TrackOrigins)
4743 setOrigin(&CB, IRBAfter.CreateLoad(MS.OriginTy, getOriginPtrForRetval()));
4744 }
4745
4746 bool isAMustTailRetVal(Value *RetVal) {
4747 if (auto *I = dyn_cast<BitCastInst>(RetVal)) {
4748 RetVal = I->getOperand(0);
4749 }
4750 if (auto *I = dyn_cast<CallInst>(RetVal)) {
4751 return I->isMustTailCall();
4752 }
4753 return false;
4754 }
4755
4756 void visitReturnInst(ReturnInst &I) {
4757 IRBuilder<> IRB(&I);
4758 Value *RetVal = I.getReturnValue();
4759 if (!RetVal)
4760 return;
4761 // Don't emit the epilogue for musttail call returns.
4762 if (isAMustTailRetVal(RetVal))
4763 return;
4764 Value *ShadowPtr = getShadowPtrForRetval(IRB);
4765 bool HasNoUndef = F.hasRetAttribute(Attribute::NoUndef);
4766 bool StoreShadow = !(MS.EagerChecks && HasNoUndef);
4767 // FIXME: Consider using SpecialCaseList to specify a list of functions that
4768 // must always return fully initialized values. For now, we hardcode "main".
4769 bool EagerCheck = (MS.EagerChecks && HasNoUndef) || (F.getName() == "main");
4770
4771 Value *Shadow = getShadow(RetVal);
4772 bool StoreOrigin = true;
4773 if (EagerCheck) {
4774 insertShadowCheck(RetVal, &I);
4775 Shadow = getCleanShadow(RetVal);
4776 StoreOrigin = false;
4777 }
4778
4779 // The caller may still expect information passed over TLS if we pass our
4780 // check
4781 if (StoreShadow) {
4782 IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
4783 if (MS.TrackOrigins && StoreOrigin)
4784 IRB.CreateStore(getOrigin(RetVal), getOriginPtrForRetval());
4785 }
4786 }
4787
4788 void visitPHINode(PHINode &I) {
4789 IRBuilder<> IRB(&I);
4790 if (!PropagateShadow) {
4791 setShadow(&I, getCleanShadow(&I));
4792 setOrigin(&I, getCleanOrigin());
4793 return;
4794 }
4795
4796 ShadowPHINodes.push_back(&I);
4797 setShadow(&I, IRB.CreatePHI(getShadowTy(&I), I.getNumIncomingValues(),
4798 "_msphi_s"));
4799 if (MS.TrackOrigins)
4800 setOrigin(
4801 &I, IRB.CreatePHI(MS.OriginTy, I.getNumIncomingValues(), "_msphi_o"));
4802 }
4803
4804 Value *getLocalVarIdptr(AllocaInst &I) {
4805 ConstantInt *IntConst =
4806 ConstantInt::get(Type::getInt32Ty((*F.getParent()).getContext()), 0);
4807 return new GlobalVariable(*F.getParent(), IntConst->getType(),
4808 /*isConstant=*/false, GlobalValue::PrivateLinkage,
4809 IntConst);
4810 }
4811
4812 Value *getLocalVarDescription(AllocaInst &I) {
4813 return createPrivateConstGlobalForString(*F.getParent(), I.getName());
4814 }
4815
4816 void poisonAllocaUserspace(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
4817 if (PoisonStack && ClPoisonStackWithCall) {
4818 IRB.CreateCall(MS.MsanPoisonStackFn, {&I, Len});
4819 } else {
4820 Value *ShadowBase, *OriginBase;
4821 std::tie(ShadowBase, OriginBase) = getShadowOriginPtr(
4822 &I, IRB, IRB.getInt8Ty(), Align(1), /*isStore*/ true);
4823
4824 Value *PoisonValue = IRB.getInt8(PoisonStack ? ClPoisonStackPattern : 0);
4825 IRB.CreateMemSet(ShadowBase, PoisonValue, Len, I.getAlign());
4826 }
4827
4828 if (PoisonStack && MS.TrackOrigins) {
4829 Value *Idptr = getLocalVarIdptr(I);
4830 if (ClPrintStackNames) {
4831 Value *Descr = getLocalVarDescription(I);
4832 IRB.CreateCall(MS.MsanSetAllocaOriginWithDescriptionFn,
4833 {&I, Len, Idptr, Descr});
4834 } else {
4835 IRB.CreateCall(MS.MsanSetAllocaOriginNoDescriptionFn, {&I, Len, Idptr});
4836 }
4837 }
4838 }
4839
4840 void poisonAllocaKmsan(AllocaInst &I, IRBuilder<> &IRB, Value *Len) {
4841 Value *Descr = getLocalVarDescription(I);
4842 if (PoisonStack) {
4843 IRB.CreateCall(MS.MsanPoisonAllocaFn, {&I, Len, Descr});
4844 } else {
4845 IRB.CreateCall(MS.MsanUnpoisonAllocaFn, {&I, Len});
4846 }
4847 }
4848
4849 void instrumentAlloca(AllocaInst &I, Instruction *InsPoint = nullptr) {
4850 if (!InsPoint)
4851 InsPoint = &I;
4852 NextNodeIRBuilder IRB(InsPoint);
4853 const DataLayout &DL = F.getDataLayout();
4854 TypeSize TS = DL.getTypeAllocSize(I.getAllocatedType());
4855 Value *Len = IRB.CreateTypeSize(MS.IntptrTy, TS);
4856 if (I.isArrayAllocation())
4857 Len = IRB.CreateMul(Len,
4858 IRB.CreateZExtOrTrunc(I.getArraySize(), MS.IntptrTy));
4859
4860 if (MS.CompileKernel)
4861 poisonAllocaKmsan(I, IRB, Len);
4862 else
4863 poisonAllocaUserspace(I, IRB, Len);
4864 }
4865
4866 void visitAllocaInst(AllocaInst &I) {
4867 setShadow(&I, getCleanShadow(&I));
4868 setOrigin(&I, getCleanOrigin());
4869 // We'll get to this alloca later unless it's poisoned at the corresponding
4870 // llvm.lifetime.start.
4871 AllocaSet.insert(&I);
4872 }
4873
4874 void visitSelectInst(SelectInst &I) {
4875 // a = select b, c, d
4876 Value *B = I.getCondition();
4877 Value *C = I.getTrueValue();
4878 Value *D = I.getFalseValue();
4879
4880 handleSelectLikeInst(I, B, C, D);
4881 }
4882
4883 void handleSelectLikeInst(Instruction &I, Value *B, Value *C, Value *D) {
4884 IRBuilder<> IRB(&I);
4885
4886 Value *Sb = getShadow(B);
4887 Value *Sc = getShadow(C);
4888 Value *Sd = getShadow(D);
4889
4890 Value *Ob = MS.TrackOrigins ? getOrigin(B) : nullptr;
4891 Value *Oc = MS.TrackOrigins ? getOrigin(C) : nullptr;
4892 Value *Od = MS.TrackOrigins ? getOrigin(D) : nullptr;
4893
4894 // Result shadow if condition shadow is 0.
4895 Value *Sa0 = IRB.CreateSelect(B, Sc, Sd);
4896 Value *Sa1;
4897 if (I.getType()->isAggregateType()) {
4898 // To avoid "sign extending" i1 to an arbitrary aggregate type, we just do
4899 // an extra "select". This results in much more compact IR.
4900 // Sa = select Sb, poisoned, (select b, Sc, Sd)
4901 Sa1 = getPoisonedShadow(getShadowTy(I.getType()));
4902 } else {
4903 // Sa = select Sb, [ (c^d) | Sc | Sd ], [ b ? Sc : Sd ]
4904 // If Sb (condition is poisoned), look for bits in c and d that are equal
4905 // and both unpoisoned.
4906 // If !Sb (condition is unpoisoned), simply pick one of Sc and Sd.
4907
4908 // Cast arguments to shadow-compatible type.
4909 C = CreateAppToShadowCast(IRB, C);
4910 D = CreateAppToShadowCast(IRB, D);
4911
4912 // Result shadow if condition shadow is 1.
4913 Sa1 = IRB.CreateOr({IRB.CreateXor(C, D), Sc, Sd});
4914 }
4915 Value *Sa = IRB.CreateSelect(Sb, Sa1, Sa0, "_msprop_select");
4916 setShadow(&I, Sa);
4917 if (MS.TrackOrigins) {
4918 // Origins are always i32, so any vector conditions must be flattened.
4919 // FIXME: consider tracking vector origins for app vectors?
4920 if (B->getType()->isVectorTy()) {
4921 B = convertToBool(B, IRB);
4922 Sb = convertToBool(Sb, IRB);
4923 }
4924 // a = select b, c, d
4925 // Oa = Sb ? Ob : (b ? Oc : Od)
4926 setOrigin(&I, IRB.CreateSelect(Sb, Ob, IRB.CreateSelect(B, Oc, Od)));
4927 }
4928 }
4929
4930 void visitLandingPadInst(LandingPadInst &I) {
4931 // Do nothing.
4932 // See https://github.com/google/sanitizers/issues/504
4933 setShadow(&I, getCleanShadow(&I));
4934 setOrigin(&I, getCleanOrigin());
4935 }
4936
4937 void visitCatchSwitchInst(CatchSwitchInst &I) {
4938 setShadow(&I, getCleanShadow(&I));
4939 setOrigin(&I, getCleanOrigin());
4940 }
4941
4942 void visitFuncletPadInst(FuncletPadInst &I) {
4943 setShadow(&I, getCleanShadow(&I));
4944 setOrigin(&I, getCleanOrigin());
4945 }
4946
4947 void visitGetElementPtrInst(GetElementPtrInst &I) { handleShadowOr(I); }
4948
4949 void visitExtractValueInst(ExtractValueInst &I) {
4950 IRBuilder<> IRB(&I);
4951 Value *Agg = I.getAggregateOperand();
4952 LLVM_DEBUG(dbgs() << "ExtractValue: " << I << "\n");
4953 Value *AggShadow = getShadow(Agg);
4954 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n");
4955 Value *ResShadow = IRB.CreateExtractValue(AggShadow, I.getIndices());
4956 LLVM_DEBUG(dbgs() << " ResShadow: " << *ResShadow << "\n");
4957 setShadow(&I, ResShadow);
4958 setOriginForNaryOp(I);
4959 }
4960
4961 void visitInsertValueInst(InsertValueInst &I) {
4962 IRBuilder<> IRB(&I);
4963 LLVM_DEBUG(dbgs() << "InsertValue: " << I << "\n");
4964 Value *AggShadow = getShadow(I.getAggregateOperand());
4965 Value *InsShadow = getShadow(I.getInsertedValueOperand());
4966 LLVM_DEBUG(dbgs() << " AggShadow: " << *AggShadow << "\n");
4967 LLVM_DEBUG(dbgs() << " InsShadow: " << *InsShadow << "\n");
4968 Value *Res = IRB.CreateInsertValue(AggShadow, InsShadow, I.getIndices());
4969 LLVM_DEBUG(dbgs() << " Res: " << *Res << "\n");
4970 setShadow(&I, Res);
4971 setOriginForNaryOp(I);
4972 }
4973
4974 void dumpInst(Instruction &I) {
4975 if (CallInst *CI = dyn_cast<CallInst>(&I)) {
4976 errs() << "ZZZ call " << CI->getCalledFunction()->getName() << "\n";
4977 } else {
4978 errs() << "ZZZ " << I.getOpcodeName() << "\n";
4979 }
4980 errs() << "QQQ " << I << "\n";
4981 }
4982
4983 void visitResumeInst(ResumeInst &I) {
4984 LLVM_DEBUG(dbgs() << "Resume: " << I << "\n");
4985 // Nothing to do here.
4986 }
4987
4988 void visitCleanupReturnInst(CleanupReturnInst &CRI) {
4989 LLVM_DEBUG(dbgs() << "CleanupReturn: " << CRI << "\n");
4990 // Nothing to do here.
4991 }
4992
4993 void visitCatchReturnInst(CatchReturnInst &CRI) {
4994 LLVM_DEBUG(dbgs() << "CatchReturn: " << CRI << "\n");
4995 // Nothing to do here.
4996 }
4997
4998 void instrumentAsmArgument(Value *Operand, Type *ElemTy, Instruction &I,
4999 IRBuilder<> &IRB, const DataLayout &DL,
5000 bool isOutput) {
5001 // For each assembly argument, we check its value for being initialized.
5002 // If the argument is a pointer, we assume it points to a single element
5003 // of the corresponding type (or to a 8-byte word, if the type is unsized).
5004 // Each such pointer is instrumented with a call to the runtime library.
5005 Type *OpType = Operand->getType();
5006 // Check the operand value itself.
5007 insertShadowCheck(Operand, &I);
5008 if (!OpType->isPointerTy() || !isOutput) {
5009 assert(!isOutput);
5010 return;
5011 }
5012 if (!ElemTy->isSized())
5013 return;
5014 auto Size = DL.getTypeStoreSize(ElemTy);
5015 Value *SizeVal = IRB.CreateTypeSize(MS.IntptrTy, Size);
5016 if (MS.CompileKernel) {
5017 IRB.CreateCall(MS.MsanInstrumentAsmStoreFn, {Operand, SizeVal});
5018 } else {
5019 // ElemTy, derived from elementtype(), does not encode the alignment of
5020 // the pointer. Conservatively assume that the shadow memory is unaligned.
5021 // When Size is large, avoid StoreInst as it would expand to many
5022 // instructions.
5023 auto [ShadowPtr, _] =
5024 getShadowOriginPtrUserspace(Operand, IRB, IRB.getInt8Ty(), Align(1));
5025 if (Size <= 32)
5026 IRB.CreateAlignedStore(getCleanShadow(ElemTy), ShadowPtr, Align(1));
5027 else
5028 IRB.CreateMemSet(ShadowPtr, ConstantInt::getNullValue(IRB.getInt8Ty()),
5029 SizeVal, Align(1));
5030 }
5031 }
5032
5033 /// Get the number of output arguments returned by pointers.
5034 int getNumOutputArgs(InlineAsm *IA, CallBase *CB) {
5035 int NumRetOutputs = 0;
5036 int NumOutputs = 0;
5037 Type *RetTy = cast<Value>(CB)->getType();
5038 if (!RetTy->isVoidTy()) {
5039 // Register outputs are returned via the CallInst return value.
5040 auto *ST = dyn_cast<StructType>(RetTy);
5041 if (ST)
5042 NumRetOutputs = ST->getNumElements();
5043 else
5044 NumRetOutputs = 1;
5045 }
5046 InlineAsm::ConstraintInfoVector Constraints = IA->ParseConstraints();
5047 for (const InlineAsm::ConstraintInfo &Info : Constraints) {
5048 switch (Info.Type) {
5049 case InlineAsm::isOutput:
5050 NumOutputs++;
5051 break;
5052 default:
5053 break;
5054 }
5055 }
5056 return NumOutputs - NumRetOutputs;
5057 }
5058
5059 void visitAsmInstruction(Instruction &I) {
5060 // Conservative inline assembly handling: check for poisoned shadow of
5061 // asm() arguments, then unpoison the result and all the memory locations
5062 // pointed to by those arguments.
5063 // An inline asm() statement in C++ contains lists of input and output
5064 // arguments used by the assembly code. These are mapped to operands of the
5065 // CallInst as follows:
5066 // - nR register outputs ("=r) are returned by value in a single structure
5067 // (SSA value of the CallInst);
5068 // - nO other outputs ("=m" and others) are returned by pointer as first
5069 // nO operands of the CallInst;
5070 // - nI inputs ("r", "m" and others) are passed to CallInst as the
5071 // remaining nI operands.
5072 // The total number of asm() arguments in the source is nR+nO+nI, and the
5073 // corresponding CallInst has nO+nI+1 operands (the last operand is the
5074 // function to be called).
5075 const DataLayout &DL = F.getDataLayout();
5076 CallBase *CB = cast<CallBase>(&I);
5077 IRBuilder<> IRB(&I);
5078 InlineAsm *IA = cast<InlineAsm>(CB->getCalledOperand());
5079 int OutputArgs = getNumOutputArgs(IA, CB);
5080 // The last operand of a CallInst is the function itself.
5081 int NumOperands = CB->getNumOperands() - 1;
5082
5083 // Check input arguments. Doing so before unpoisoning output arguments, so
5084 // that we won't overwrite uninit values before checking them.
5085 for (int i = OutputArgs; i < NumOperands; i++) {
5086 Value *Operand = CB->getOperand(i);
5087 instrumentAsmArgument(Operand, CB->getParamElementType(i), I, IRB, DL,
5088 /*isOutput*/ false);
5089 }
5090 // Unpoison output arguments. This must happen before the actual InlineAsm
5091 // call, so that the shadow for memory published in the asm() statement
5092 // remains valid.
5093 for (int i = 0; i < OutputArgs; i++) {
5094 Value *Operand = CB->getOperand(i);
5095 instrumentAsmArgument(Operand, CB->getParamElementType(i), I, IRB, DL,
5096 /*isOutput*/ true);
5097 }
5098
5099 setShadow(&I, getCleanShadow(&I));
5100 setOrigin(&I, getCleanOrigin());
5101 }
5102
5103 void visitFreezeInst(FreezeInst &I) {
5104 // Freeze always returns a fully defined value.
5105 setShadow(&I, getCleanShadow(&I));
5106 setOrigin(&I, getCleanOrigin());
5107 }
5108
5109 void visitInstruction(Instruction &I) {
5110 // Everything else: stop propagating and check for poisoned shadow.
5111 if (ClDumpStrictInstructions)
5112 dumpInst(I);
5113 LLVM_DEBUG(dbgs() << "DEFAULT: " << I << "\n");
5114 for (size_t i = 0, n = I.getNumOperands(); i < n; i++) {
5115 Value *Operand = I.getOperand(i);
5116 if (Operand->getType()->isSized())
5117 insertShadowCheck(Operand, &I);
5118 }
5119 setShadow(&I, getCleanShadow(&I));
5120 setOrigin(&I, getCleanOrigin());
5121 }
5122};
5123
5124struct VarArgHelperBase : public VarArgHelper {
5125 Function &F;
5126 MemorySanitizer &MS;
5127 MemorySanitizerVisitor &MSV;
5128 SmallVector<CallInst *, 16> VAStartInstrumentationList;
5129 const unsigned VAListTagSize;
5130
5131 VarArgHelperBase(Function &F, MemorySanitizer &MS,
5132 MemorySanitizerVisitor &MSV, unsigned VAListTagSize)
5133 : F(F), MS(MS), MSV(MSV), VAListTagSize(VAListTagSize) {}
5134
5135 Value *getShadowAddrForVAArgument(IRBuilder<> &IRB, unsigned ArgOffset) {
5136 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
5137 return IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
5138 }
5139
5140 /// Compute the shadow address for a given va_arg.
5141 Value *getShadowPtrForVAArgument(IRBuilder<> &IRB, unsigned ArgOffset) {
5142 Value *Base = IRB.CreatePointerCast(MS.VAArgTLS, MS.IntptrTy);
5143 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
5144 return IRB.CreateIntToPtr(Base, MS.PtrTy, "_msarg_va_s");
5145 }
5146
5147 /// Compute the shadow address for a given va_arg.
5148 Value *getShadowPtrForVAArgument(IRBuilder<> &IRB, unsigned ArgOffset,
5149 unsigned ArgSize) {
5150 // Make sure we don't overflow __msan_va_arg_tls.
5151 if (ArgOffset + ArgSize > kParamTLSSize)
5152 return nullptr;
5153 return getShadowPtrForVAArgument(IRB, ArgOffset);
5154 }
5155
5156 /// Compute the origin address for a given va_arg.
5157 Value *getOriginPtrForVAArgument(IRBuilder<> &IRB, int ArgOffset) {
5158 Value *Base = IRB.CreatePointerCast(MS.VAArgOriginTLS, MS.IntptrTy);
5159 // getOriginPtrForVAArgument() is always called after
5160 // getShadowPtrForVAArgument(), so __msan_va_arg_origin_tls can never
5161 // overflow.
5162 Base = IRB.CreateAdd(Base, ConstantInt::get(MS.IntptrTy, ArgOffset));
5163 return IRB.CreateIntToPtr(Base, MS.PtrTy, "_msarg_va_o");
5164 }
5165
5166 void CleanUnusedTLS(IRBuilder<> &IRB, Value *ShadowBase,
5167 unsigned BaseOffset) {
5168 // The tails of __msan_va_arg_tls is not large enough to fit full
5169 // value shadow, but it will be copied to backup anyway. Make it
5170 // clean.
5171 if (BaseOffset >= kParamTLSSize)
5172 return;
5173 Value *TailSize =
5174 ConstantInt::getSigned(IRB.getInt32Ty(), kParamTLSSize - BaseOffset);
5175 IRB.CreateMemSet(ShadowBase, ConstantInt::getNullValue(IRB.getInt8Ty()),
5176 TailSize, Align(8));
5177 }
5178
5179 void unpoisonVAListTagForInst(IntrinsicInst &I) {
5180 IRBuilder<> IRB(&I);
5181 Value *VAListTag = I.getArgOperand(0);
5182 const Align Alignment = Align(8);
5183 auto [ShadowPtr, OriginPtr] = MSV.getShadowOriginPtr(
5184 VAListTag, IRB, IRB.getInt8Ty(), Alignment, /*isStore*/ true);
5185 // Unpoison the whole __va_list_tag.
5186 IRB.CreateMemSet(ShadowPtr, Constant::getNullValue(IRB.getInt8Ty()),
5187 VAListTagSize, Alignment, false);
5188 }
5189
5190 void visitVAStartInst(VAStartInst &I) override {
5191 if (F.getCallingConv() == CallingConv::Win64)
5192 return;
5193 VAStartInstrumentationList.push_back(&I);
5194 unpoisonVAListTagForInst(I);
5195 }
5196
5197 void visitVACopyInst(VACopyInst &I) override {
5198 if (F.getCallingConv() == CallingConv::Win64)
5199 return;
5200 unpoisonVAListTagForInst(I);
5201 }
5202};
5203
5204/// AMD64-specific implementation of VarArgHelper.
5205struct VarArgAMD64Helper : public VarArgHelperBase {
5206 // An unfortunate workaround for asymmetric lowering of va_arg stuff.
5207 // See a comment in visitCallBase for more details.
5208 static const unsigned AMD64GpEndOffset = 48; // AMD64 ABI Draft 0.99.6 p3.5.7
5209 static const unsigned AMD64FpEndOffsetSSE = 176;
5210 // If SSE is disabled, fp_offset in va_list is zero.
5211 static const unsigned AMD64FpEndOffsetNoSSE = AMD64GpEndOffset;
5212
5213 unsigned AMD64FpEndOffset;
5214 AllocaInst *VAArgTLSCopy = nullptr;
5215 AllocaInst *VAArgTLSOriginCopy = nullptr;
5216 Value *VAArgOverflowSize = nullptr;
5217
5218 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
5219
5220 VarArgAMD64Helper(Function &F, MemorySanitizer &MS,
5221 MemorySanitizerVisitor &MSV)
5222 : VarArgHelperBase(F, MS, MSV, /*VAListTagSize=*/24) {
5223 AMD64FpEndOffset = AMD64FpEndOffsetSSE;
5224 for (const auto &Attr : F.getAttributes().getFnAttrs()) {
5225 if (Attr.isStringAttribute() &&
5226 (Attr.getKindAsString() == "target-features")) {
5227 if (Attr.getValueAsString().contains("-sse"))
5228 AMD64FpEndOffset = AMD64FpEndOffsetNoSSE;
5229 break;
5230 }
5231 }
5232 }
5233
5234 ArgKind classifyArgument(Value *arg) {
5235 // A very rough approximation of X86_64 argument classification rules.
5236 Type *T = arg->getType();
5237 if (T->isX86_FP80Ty())
5238 return AK_Memory;
5239 if (T->isFPOrFPVectorTy())
5240 return AK_FloatingPoint;
5241 if (T->isIntegerTy() && T->getPrimitiveSizeInBits() <= 64)
5242 return AK_GeneralPurpose;
5243 if (T->isPointerTy())
5244 return AK_GeneralPurpose;
5245 return AK_Memory;
5246 }
5247
5248 // For VarArg functions, store the argument shadow in an ABI-specific format
5249 // that corresponds to va_list layout.
5250 // We do this because Clang lowers va_arg in the frontend, and this pass
5251 // only sees the low level code that deals with va_list internals.
5252 // A much easier alternative (provided that Clang emits va_arg instructions)
5253 // would have been to associate each live instance of va_list with a copy of
5254 // MSanParamTLS, and extract shadow on va_arg() call in the argument list
5255 // order.
5256 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5257 unsigned GpOffset = 0;
5258 unsigned FpOffset = AMD64GpEndOffset;
5259 unsigned OverflowOffset = AMD64FpEndOffset;
5260 const DataLayout &DL = F.getDataLayout();
5261
5262 for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5263 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5264 bool IsByVal = CB.paramHasAttr(ArgNo, Attribute::ByVal);
5265 if (IsByVal) {
5266 // ByVal arguments always go to the overflow area.
5267 // Fixed arguments passed through the overflow area will be stepped
5268 // over by va_start, so don't count them towards the offset.
5269 if (IsFixed)
5270 continue;
5271 assert(A->getType()->isPointerTy());
5272 Type *RealTy = CB.getParamByValType(ArgNo);
5273 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
5274 uint64_t AlignedSize = alignTo(ArgSize, 8);
5275 unsigned BaseOffset = OverflowOffset;
5276 Value *ShadowBase = getShadowPtrForVAArgument(IRB, OverflowOffset);
5277 Value *OriginBase = nullptr;
5278 if (MS.TrackOrigins)
5279 OriginBase = getOriginPtrForVAArgument(IRB, OverflowOffset);
5280 OverflowOffset += AlignedSize;
5281
5282 if (OverflowOffset > kParamTLSSize) {
5283 CleanUnusedTLS(IRB, ShadowBase, BaseOffset);
5284 continue; // We have no space to copy shadow there.
5285 }
5286
5287 Value *ShadowPtr, *OriginPtr;
5288 std::tie(ShadowPtr, OriginPtr) =
5289 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(), kShadowTLSAlignment,
5290 /*isStore*/ false);
5291 IRB.CreateMemCpy(ShadowBase, kShadowTLSAlignment, ShadowPtr,
5292 kShadowTLSAlignment, ArgSize);
5293 if (MS.TrackOrigins)
5294 IRB.CreateMemCpy(OriginBase, kShadowTLSAlignment, OriginPtr,
5295 kShadowTLSAlignment, ArgSize);
5296 } else {
5297 ArgKind AK = classifyArgument(A);
5298 if (AK == AK_GeneralPurpose && GpOffset >= AMD64GpEndOffset)
5299 AK = AK_Memory;
5300 if (AK == AK_FloatingPoint && FpOffset >= AMD64FpEndOffset)
5301 AK = AK_Memory;
5302 Value *ShadowBase, *OriginBase = nullptr;
5303 switch (AK) {
5304 case AK_GeneralPurpose:
5305 ShadowBase = getShadowPtrForVAArgument(IRB, GpOffset);
5306 if (MS.TrackOrigins)
5307 OriginBase = getOriginPtrForVAArgument(IRB, GpOffset);
5308 GpOffset += 8;
5309 assert(GpOffset <= kParamTLSSize);
5310 break;
5311 case AK_FloatingPoint:
5312 ShadowBase = getShadowPtrForVAArgument(IRB, FpOffset);
5313 if (MS.TrackOrigins)
5314 OriginBase = getOriginPtrForVAArgument(IRB, FpOffset);
5315 FpOffset += 16;
5316 assert(FpOffset <= kParamTLSSize);
5317 break;
5318 case AK_Memory:
5319 if (IsFixed)
5320 continue;
5321 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
5322 uint64_t AlignedSize = alignTo(ArgSize, 8);
5323 unsigned BaseOffset = OverflowOffset;
5324 ShadowBase = getShadowPtrForVAArgument(IRB, OverflowOffset);
5325 if (MS.TrackOrigins) {
5326 OriginBase = getOriginPtrForVAArgument(IRB, OverflowOffset);
5327 }
5328 OverflowOffset += AlignedSize;
5329 if (OverflowOffset > kParamTLSSize) {
5330 // We have no space to copy shadow there.
5331 CleanUnusedTLS(IRB, ShadowBase, BaseOffset);
5332 continue;
5333 }
5334 }
5335 // Take fixed arguments into account for GpOffset and FpOffset,
5336 // but don't actually store shadows for them.
5337 // TODO(glider): don't call get*PtrForVAArgument() for them.
5338 if (IsFixed)
5339 continue;
5340 Value *Shadow = MSV.getShadow(A);
5341 IRB.CreateAlignedStore(Shadow, ShadowBase, kShadowTLSAlignment);
5342 if (MS.TrackOrigins) {
5343 Value *Origin = MSV.getOrigin(A);
5344 TypeSize StoreSize = DL.getTypeStoreSize(Shadow->getType());
5345 MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
5346 std::max(kShadowTLSAlignment, kMinOriginAlignment));
5347 }
5348 }
5349 }
5350 Constant *OverflowSize =
5351 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AMD64FpEndOffset);
5352 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
5353 }
5354
5355 void finalizeInstrumentation() override {
5356 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
5357 "finalizeInstrumentation called twice");
5358 if (!VAStartInstrumentationList.empty()) {
5359 // If there is a va_start in this function, make a backup copy of
5360 // va_arg_tls somewhere in the function entry block.
5361 IRBuilder<> IRB(MSV.FnPrologueEnd);
5362 VAArgOverflowSize =
5363 IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5364 Value *CopySize = IRB.CreateAdd(
5365 ConstantInt::get(MS.IntptrTy, AMD64FpEndOffset), VAArgOverflowSize);
5366 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5367 VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5368 IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5369 CopySize, kShadowTLSAlignment, false);
5370
5371 Value *SrcSize = IRB.CreateBinaryIntrinsic(
5372 Intrinsic::umin, CopySize,
5373 ConstantInt::get(MS.IntptrTy, kParamTLSSize));
5374 IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5375 kShadowTLSAlignment, SrcSize);
5376 if (MS.TrackOrigins) {
5377 VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5378 VAArgTLSOriginCopy->setAlignment(kShadowTLSAlignment);
5379 IRB.CreateMemCpy(VAArgTLSOriginCopy, kShadowTLSAlignment,
5380 MS.VAArgOriginTLS, kShadowTLSAlignment, SrcSize);
5381 }
5382 }
5383
5384 // Instrument va_start.
5385 // Copy va_list shadow from the backup copy of the TLS contents.
5386 for (CallInst *OrigInst : VAStartInstrumentationList) {
5387 NextNodeIRBuilder IRB(OrigInst);
5388 Value *VAListTag = OrigInst->getArgOperand(0);
5389
5390 Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
5391 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5392 ConstantInt::get(MS.IntptrTy, 16)),
5393 MS.PtrTy);
5394 Value *RegSaveAreaPtr = IRB.CreateLoad(MS.PtrTy, RegSaveAreaPtrPtr);
5395 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
5396 const Align Alignment = Align(16);
5397 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
5398 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5399 Alignment, /*isStore*/ true);
5400 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
5401 AMD64FpEndOffset);
5402 if (MS.TrackOrigins)
5403 IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
5404 Alignment, AMD64FpEndOffset);
5405 Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
5406 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5407 ConstantInt::get(MS.IntptrTy, 8)),
5408 MS.PtrTy);
5409 Value *OverflowArgAreaPtr =
5410 IRB.CreateLoad(MS.PtrTy, OverflowArgAreaPtrPtr);
5411 Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
5412 std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
5413 MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
5414 Alignment, /*isStore*/ true);
5415 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
5416 AMD64FpEndOffset);
5417 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
5418 VAArgOverflowSize);
5419 if (MS.TrackOrigins) {
5420 SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
5421 AMD64FpEndOffset);
5422 IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
5423 VAArgOverflowSize);
5424 }
5425 }
5426 }
5427};
5428
5429/// AArch64-specific implementation of VarArgHelper.
5430struct VarArgAArch64Helper : public VarArgHelperBase {
5431 static const unsigned kAArch64GrArgSize = 64;
5432 static const unsigned kAArch64VrArgSize = 128;
5433
5434 static const unsigned AArch64GrBegOffset = 0;
5435 static const unsigned AArch64GrEndOffset = kAArch64GrArgSize;
5436 // Make VR space aligned to 16 bytes.
5437 static const unsigned AArch64VrBegOffset = AArch64GrEndOffset;
5438 static const unsigned AArch64VrEndOffset =
5439 AArch64VrBegOffset + kAArch64VrArgSize;
5440 static const unsigned AArch64VAEndOffset = AArch64VrEndOffset;
5441
5442 AllocaInst *VAArgTLSCopy = nullptr;
5443 Value *VAArgOverflowSize = nullptr;
5444
5445 enum ArgKind { AK_GeneralPurpose, AK_FloatingPoint, AK_Memory };
5446
5447 VarArgAArch64Helper(Function &F, MemorySanitizer &MS,
5448 MemorySanitizerVisitor &MSV)
5449 : VarArgHelperBase(F, MS, MSV, /*VAListTagSize=*/32) {}
5450
5451 // A very rough approximation of aarch64 argument classification rules.
5452 std::pair<ArgKind, uint64_t> classifyArgument(Type *T) {
5453 if (T->isIntOrPtrTy() && T->getPrimitiveSizeInBits() <= 64)
5454 return {AK_GeneralPurpose, 1};
5455 if (T->isFloatingPointTy() && T->getPrimitiveSizeInBits() <= 128)
5456 return {AK_FloatingPoint, 1};
5457
5458 if (T->isArrayTy()) {
5459 auto R = classifyArgument(T->getArrayElementType());
5460 R.second *= T->getScalarType()->getArrayNumElements();
5461 return R;
5462 }
5463
5464 if (const FixedVectorType *FV = dyn_cast<FixedVectorType>(T)) {
5465 auto R = classifyArgument(FV->getScalarType());
5466 R.second *= FV->getNumElements();
5467 return R;
5468 }
5469
5470 LLVM_DEBUG(errs() << "Unknown vararg type: " << *T << "\n");
5471 return {AK_Memory, 0};
5472 }
5473
5474 // The instrumentation stores the argument shadow in a non ABI-specific
5475 // format because it does not know which argument is named (since Clang,
5476 // like x86_64 case, lowers the va_args in the frontend and this pass only
5477 // sees the low level code that deals with va_list internals).
5478 // The first seven GR registers are saved in the first 56 bytes of the
5479 // va_arg tls arra, followed by the first 8 FP/SIMD registers, and then
5480 // the remaining arguments.
5481 // Using constant offset within the va_arg TLS array allows fast copy
5482 // in the finalize instrumentation.
5483 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5484 unsigned GrOffset = AArch64GrBegOffset;
5485 unsigned VrOffset = AArch64VrBegOffset;
5486 unsigned OverflowOffset = AArch64VAEndOffset;
5487
5488 const DataLayout &DL = F.getDataLayout();
5489 for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5490 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5491 auto [AK, RegNum] = classifyArgument(A->getType());
5492 if (AK == AK_GeneralPurpose &&
5493 (GrOffset + RegNum * 8) > AArch64GrEndOffset)
5494 AK = AK_Memory;
5495 if (AK == AK_FloatingPoint &&
5496 (VrOffset + RegNum * 16) > AArch64VrEndOffset)
5497 AK = AK_Memory;
5498 Value *Base;
5499 switch (AK) {
5500 case AK_GeneralPurpose:
5501 Base = getShadowPtrForVAArgument(IRB, GrOffset);
5502 GrOffset += 8 * RegNum;
5503 break;
5504 case AK_FloatingPoint:
5505 Base = getShadowPtrForVAArgument(IRB, VrOffset);
5506 VrOffset += 16 * RegNum;
5507 break;
5508 case AK_Memory:
5509 // Don't count fixed arguments in the overflow area - va_start will
5510 // skip right over them.
5511 if (IsFixed)
5512 continue;
5513 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
5514 uint64_t AlignedSize = alignTo(ArgSize, 8);
5515 unsigned BaseOffset = OverflowOffset;
5516 Base = getShadowPtrForVAArgument(IRB, BaseOffset);
5517 OverflowOffset += AlignedSize;
5518 if (OverflowOffset > kParamTLSSize) {
5519 // We have no space to copy shadow there.
5520 CleanUnusedTLS(IRB, Base, BaseOffset);
5521 continue;
5522 }
5523 break;
5524 }
5525 // Count Gp/Vr fixed arguments to their respective offsets, but don't
5526 // bother to actually store a shadow.
5527 if (IsFixed)
5528 continue;
5529 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
5530 }
5531 Constant *OverflowSize =
5532 ConstantInt::get(IRB.getInt64Ty(), OverflowOffset - AArch64VAEndOffset);
5533 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
5534 }
5535
5536 // Retrieve a va_list field of 'void*' size.
5537 Value *getVAField64(IRBuilder<> &IRB, Value *VAListTag, int offset) {
5538 Value *SaveAreaPtrPtr = IRB.CreateIntToPtr(
5539 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5540 ConstantInt::get(MS.IntptrTy, offset)),
5541 MS.PtrTy);
5542 return IRB.CreateLoad(Type::getInt64Ty(*MS.C), SaveAreaPtrPtr);
5543 }
5544
5545 // Retrieve a va_list field of 'int' size.
5546 Value *getVAField32(IRBuilder<> &IRB, Value *VAListTag, int offset) {
5547 Value *SaveAreaPtr = IRB.CreateIntToPtr(
5548 IRB.CreateAdd(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
5549 ConstantInt::get(MS.IntptrTy, offset)),
5550 MS.PtrTy);
5551 Value *SaveArea32 = IRB.CreateLoad(IRB.getInt32Ty(), SaveAreaPtr);
5552 return IRB.CreateSExt(SaveArea32, MS.IntptrTy);
5553 }
5554
5555 void finalizeInstrumentation() override {
5556 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
5557 "finalizeInstrumentation called twice");
5558 if (!VAStartInstrumentationList.empty()) {
5559 // If there is a va_start in this function, make a backup copy of
5560 // va_arg_tls somewhere in the function entry block.
5561 IRBuilder<> IRB(MSV.FnPrologueEnd);
5562 VAArgOverflowSize =
5563 IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5564 Value *CopySize = IRB.CreateAdd(
5565 ConstantInt::get(MS.IntptrTy, AArch64VAEndOffset), VAArgOverflowSize);
5566 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5567 VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5568 IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5569 CopySize, kShadowTLSAlignment, false);
5570
5571 Value *SrcSize = IRB.CreateBinaryIntrinsic(
5572 Intrinsic::umin, CopySize,
5573 ConstantInt::get(MS.IntptrTy, kParamTLSSize));
5574 IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5575 kShadowTLSAlignment, SrcSize);
5576 }
5577
5578 Value *GrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64GrArgSize);
5579 Value *VrArgSize = ConstantInt::get(MS.IntptrTy, kAArch64VrArgSize);
5580
5581 // Instrument va_start, copy va_list shadow from the backup copy of
5582 // the TLS contents.
5583 for (CallInst *OrigInst : VAStartInstrumentationList) {
5584 NextNodeIRBuilder IRB(OrigInst);
5585
5586 Value *VAListTag = OrigInst->getArgOperand(0);
5587
5588 // The variadic ABI for AArch64 creates two areas to save the incoming
5589 // argument registers (one for 64-bit general register xn-x7 and another
5590 // for 128-bit FP/SIMD vn-v7).
5591 // We need then to propagate the shadow arguments on both regions
5592 // 'va::__gr_top + va::__gr_offs' and 'va::__vr_top + va::__vr_offs'.
5593 // The remaining arguments are saved on shadow for 'va::stack'.
5594 // One caveat is it requires only to propagate the non-named arguments,
5595 // however on the call site instrumentation 'all' the arguments are
5596 // saved. So to copy the shadow values from the va_arg TLS array
5597 // we need to adjust the offset for both GR and VR fields based on
5598 // the __{gr,vr}_offs value (since they are stores based on incoming
5599 // named arguments).
5600 Type *RegSaveAreaPtrTy = IRB.getPtrTy();
5601
5602 // Read the stack pointer from the va_list.
5603 Value *StackSaveAreaPtr =
5604 IRB.CreateIntToPtr(getVAField64(IRB, VAListTag, 0), RegSaveAreaPtrTy);
5605
5606 // Read both the __gr_top and __gr_off and add them up.
5607 Value *GrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 8);
5608 Value *GrOffSaveArea = getVAField32(IRB, VAListTag, 24);
5609
5610 Value *GrRegSaveAreaPtr = IRB.CreateIntToPtr(
5611 IRB.CreateAdd(GrTopSaveAreaPtr, GrOffSaveArea), RegSaveAreaPtrTy);
5612
5613 // Read both the __vr_top and __vr_off and add them up.
5614 Value *VrTopSaveAreaPtr = getVAField64(IRB, VAListTag, 16);
5615 Value *VrOffSaveArea = getVAField32(IRB, VAListTag, 28);
5616
5617 Value *VrRegSaveAreaPtr = IRB.CreateIntToPtr(
5618 IRB.CreateAdd(VrTopSaveAreaPtr, VrOffSaveArea), RegSaveAreaPtrTy);
5619
5620 // It does not know how many named arguments is being used and, on the
5621 // callsite all the arguments were saved. Since __gr_off is defined as
5622 // '0 - ((8 - named_gr) * 8)', the idea is to just propagate the variadic
5623 // argument by ignoring the bytes of shadow from named arguments.
5624 Value *GrRegSaveAreaShadowPtrOff =
5625 IRB.CreateAdd(GrArgSize, GrOffSaveArea);
5626
5627 Value *GrRegSaveAreaShadowPtr =
5628 MSV.getShadowOriginPtr(GrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5629 Align(8), /*isStore*/ true)
5630 .first;
5631
5632 Value *GrSrcPtr =
5633 IRB.CreateInBoundsPtrAdd(VAArgTLSCopy, GrRegSaveAreaShadowPtrOff);
5634 Value *GrCopySize = IRB.CreateSub(GrArgSize, GrRegSaveAreaShadowPtrOff);
5635
5636 IRB.CreateMemCpy(GrRegSaveAreaShadowPtr, Align(8), GrSrcPtr, Align(8),
5637 GrCopySize);
5638
5639 // Again, but for FP/SIMD values.
5640 Value *VrRegSaveAreaShadowPtrOff =
5641 IRB.CreateAdd(VrArgSize, VrOffSaveArea);
5642
5643 Value *VrRegSaveAreaShadowPtr =
5644 MSV.getShadowOriginPtr(VrRegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5645 Align(8), /*isStore*/ true)
5646 .first;
5647
5648 Value *VrSrcPtr = IRB.CreateInBoundsPtrAdd(
5649 IRB.CreateInBoundsPtrAdd(VAArgTLSCopy,
5650 IRB.getInt32(AArch64VrBegOffset)),
5651 VrRegSaveAreaShadowPtrOff);
5652 Value *VrCopySize = IRB.CreateSub(VrArgSize, VrRegSaveAreaShadowPtrOff);
5653
5654 IRB.CreateMemCpy(VrRegSaveAreaShadowPtr, Align(8), VrSrcPtr, Align(8),
5655 VrCopySize);
5656
5657 // And finally for remaining arguments.
5658 Value *StackSaveAreaShadowPtr =
5659 MSV.getShadowOriginPtr(StackSaveAreaPtr, IRB, IRB.getInt8Ty(),
5660 Align(16), /*isStore*/ true)
5661 .first;
5662
5663 Value *StackSrcPtr = IRB.CreateInBoundsPtrAdd(
5664 VAArgTLSCopy, IRB.getInt32(AArch64VAEndOffset));
5665
5666 IRB.CreateMemCpy(StackSaveAreaShadowPtr, Align(16), StackSrcPtr,
5667 Align(16), VAArgOverflowSize);
5668 }
5669 }
5670};
5671
5672/// PowerPC-specific implementation of VarArgHelper.
5673struct VarArgPowerPCHelper : public VarArgHelperBase {
5674 AllocaInst *VAArgTLSCopy = nullptr;
5675 Value *VAArgSize = nullptr;
5676
5677 VarArgPowerPCHelper(Function &F, MemorySanitizer &MS,
5678 MemorySanitizerVisitor &MSV, unsigned VAListTagSize)
5679 : VarArgHelperBase(F, MS, MSV, VAListTagSize) {}
5680
5681 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5682 // For PowerPC, we need to deal with alignment of stack arguments -
5683 // they are mostly aligned to 8 bytes, but vectors and i128 arrays
5684 // are aligned to 16 bytes, byvals can be aligned to 8 or 16 bytes,
5685 // For that reason, we compute current offset from stack pointer (which is
5686 // always properly aligned), and offset for the first vararg, then subtract
5687 // them.
5688 unsigned VAArgBase;
5689 Triple TargetTriple(F.getParent()->getTargetTriple());
5690 // Parameter save area starts at 48 bytes from frame pointer for ABIv1,
5691 // and 32 bytes for ABIv2. This is usually determined by target
5692 // endianness, but in theory could be overridden by function attribute.
5693 if (TargetTriple.isPPC64()) {
5694 if (TargetTriple.isPPC64ELFv2ABI())
5695 VAArgBase = 32;
5696 else
5697 VAArgBase = 48;
5698 } else {
5699 // Parameter save area is 8 bytes from frame pointer in PPC32
5700 VAArgBase = 8;
5701 }
5702 unsigned VAArgOffset = VAArgBase;
5703 const DataLayout &DL = F.getDataLayout();
5704 for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5705 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5706 bool IsByVal = CB.paramHasAttr(ArgNo, Attribute::ByVal);
5707 if (IsByVal) {
5708 assert(A->getType()->isPointerTy());
5709 Type *RealTy = CB.getParamByValType(ArgNo);
5710 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
5711 Align ArgAlign = CB.getParamAlign(ArgNo).value_or(Align(8));
5712 if (ArgAlign < 8)
5713 ArgAlign = Align(8);
5714 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
5715 if (!IsFixed) {
5716 Value *Base =
5717 getShadowPtrForVAArgument(IRB, VAArgOffset - VAArgBase, ArgSize);
5718 if (Base) {
5719 Value *AShadowPtr, *AOriginPtr;
5720 std::tie(AShadowPtr, AOriginPtr) =
5721 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(),
5722 kShadowTLSAlignment, /*isStore*/ false);
5723
5724 IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr,
5725 kShadowTLSAlignment, ArgSize);
5726 }
5727 }
5728 VAArgOffset += alignTo(ArgSize, Align(8));
5729 } else {
5730 Value *Base;
5731 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
5732 Align ArgAlign = Align(8);
5733 if (A->getType()->isArrayTy()) {
5734 // Arrays are aligned to element size, except for long double
5735 // arrays, which are aligned to 8 bytes.
5736 Type *ElementTy = A->getType()->getArrayElementType();
5737 if (!ElementTy->isPPC_FP128Ty())
5738 ArgAlign = Align(DL.getTypeAllocSize(ElementTy));
5739 } else if (A->getType()->isVectorTy()) {
5740 // Vectors are naturally aligned.
5741 ArgAlign = Align(ArgSize);
5742 }
5743 if (ArgAlign < 8)
5744 ArgAlign = Align(8);
5745 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
5746 if (DL.isBigEndian()) {
5747 // Adjusting the shadow for argument with size < 8 to match the
5748 // placement of bits in big endian system
5749 if (ArgSize < 8)
5750 VAArgOffset += (8 - ArgSize);
5751 }
5752 if (!IsFixed) {
5753 Base =
5754 getShadowPtrForVAArgument(IRB, VAArgOffset - VAArgBase, ArgSize);
5755 if (Base)
5756 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
5757 }
5758 VAArgOffset += ArgSize;
5759 VAArgOffset = alignTo(VAArgOffset, Align(8));
5760 }
5761 if (IsFixed)
5762 VAArgBase = VAArgOffset;
5763 }
5764
5765 Constant *TotalVAArgSize =
5766 ConstantInt::get(MS.IntptrTy, VAArgOffset - VAArgBase);
5767 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
5768 // a new class member i.e. it is the total size of all VarArgs.
5769 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
5770 }
5771
5772 void finalizeInstrumentation() override {
5773 assert(!VAArgSize && !VAArgTLSCopy &&
5774 "finalizeInstrumentation called twice");
5775 IRBuilder<> IRB(MSV.FnPrologueEnd);
5776 VAArgSize = IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
5777 Value *CopySize = VAArgSize;
5778
5779 if (!VAStartInstrumentationList.empty()) {
5780 // If there is a va_start in this function, make a backup copy of
5781 // va_arg_tls somewhere in the function entry block.
5782
5783 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
5784 VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
5785 IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
5786 CopySize, kShadowTLSAlignment, false);
5787
5788 Value *SrcSize = IRB.CreateBinaryIntrinsic(
5789 Intrinsic::umin, CopySize,
5790 ConstantInt::get(IRB.getInt64Ty(), kParamTLSSize));
5791 IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
5792 kShadowTLSAlignment, SrcSize);
5793 }
5794
5795 // Instrument va_start.
5796 // Copy va_list shadow from the backup copy of the TLS contents.
5797 Triple TargetTriple(F.getParent()->getTargetTriple());
5798 for (CallInst *OrigInst : VAStartInstrumentationList) {
5799 NextNodeIRBuilder IRB(OrigInst);
5800 Value *VAListTag = OrigInst->getArgOperand(0);
5801 Value *RegSaveAreaPtrPtr = IRB.CreatePtrToInt(VAListTag, MS.IntptrTy);
5802
5803 // In PPC32 va_list_tag is a struct, whereas in PPC64 it's a pointer
5804 if (!TargetTriple.isPPC64()) {
5805 RegSaveAreaPtrPtr =
5806 IRB.CreateAdd(RegSaveAreaPtrPtr, ConstantInt::get(MS.IntptrTy, 8));
5807 }
5808 RegSaveAreaPtrPtr = IRB.CreateIntToPtr(RegSaveAreaPtrPtr, MS.PtrTy);
5809
5810 Value *RegSaveAreaPtr = IRB.CreateLoad(MS.PtrTy, RegSaveAreaPtrPtr);
5811 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
5812 const DataLayout &DL = F.getDataLayout();
5813 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
5814 const Align Alignment = Align(IntptrSize);
5815 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
5816 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
5817 Alignment, /*isStore*/ true);
5818 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
5819 CopySize);
5820 }
5821 }
5822};
5823
5824/// SystemZ-specific implementation of VarArgHelper.
5825struct VarArgSystemZHelper : public VarArgHelperBase {
5826 static const unsigned SystemZGpOffset = 16;
5827 static const unsigned SystemZGpEndOffset = 56;
5828 static const unsigned SystemZFpOffset = 128;
5829 static const unsigned SystemZFpEndOffset = 160;
5830 static const unsigned SystemZMaxVrArgs = 8;
5831 static const unsigned SystemZRegSaveAreaSize = 160;
5832 static const unsigned SystemZOverflowOffset = 160;
5833 static const unsigned SystemZVAListTagSize = 32;
5834 static const unsigned SystemZOverflowArgAreaPtrOffset = 16;
5835 static const unsigned SystemZRegSaveAreaPtrOffset = 24;
5836
5837 bool IsSoftFloatABI;
5838 AllocaInst *VAArgTLSCopy = nullptr;
5839 AllocaInst *VAArgTLSOriginCopy = nullptr;
5840 Value *VAArgOverflowSize = nullptr;
5841
5842 enum class ArgKind {
5843 GeneralPurpose,
5844 FloatingPoint,
5845 Vector,
5846 Memory,
5847 Indirect,
5848 };
5849
5850 enum class ShadowExtension { None, Zero, Sign };
5851
5852 VarArgSystemZHelper(Function &F, MemorySanitizer &MS,
5853 MemorySanitizerVisitor &MSV)
5854 : VarArgHelperBase(F, MS, MSV, SystemZVAListTagSize),
5855 IsSoftFloatABI(F.getFnAttribute("use-soft-float").getValueAsBool()) {}
5856
5857 ArgKind classifyArgument(Type *T) {
5858 // T is a SystemZABIInfo::classifyArgumentType() output, and there are
5859 // only a few possibilities of what it can be. In particular, enums, single
5860 // element structs and large types have already been taken care of.
5861
5862 // Some i128 and fp128 arguments are converted to pointers only in the
5863 // back end.
5864 if (T->isIntegerTy(128) || T->isFP128Ty())
5865 return ArgKind::Indirect;
5866 if (T->isFloatingPointTy())
5867 return IsSoftFloatABI ? ArgKind::GeneralPurpose : ArgKind::FloatingPoint;
5868 if (T->isIntegerTy() || T->isPointerTy())
5869 return ArgKind::GeneralPurpose;
5870 if (T->isVectorTy())
5871 return ArgKind::Vector;
5872 return ArgKind::Memory;
5873 }
5874
5875 ShadowExtension getShadowExtension(const CallBase &CB, unsigned ArgNo) {
5876 // ABI says: "One of the simple integer types no more than 64 bits wide.
5877 // ... If such an argument is shorter than 64 bits, replace it by a full
5878 // 64-bit integer representing the same number, using sign or zero
5879 // extension". Shadow for an integer argument has the same type as the
5880 // argument itself, so it can be sign or zero extended as well.
5881 bool ZExt = CB.paramHasAttr(ArgNo, Attribute::ZExt);
5882 bool SExt = CB.paramHasAttr(ArgNo, Attribute::SExt);
5883 if (ZExt) {
5884 assert(!SExt);
5885 return ShadowExtension::Zero;
5886 }
5887 if (SExt) {
5888 assert(!ZExt);
5889 return ShadowExtension::Sign;
5890 }
5891 return ShadowExtension::None;
5892 }
5893
5894 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
5895 unsigned GpOffset = SystemZGpOffset;
5896 unsigned FpOffset = SystemZFpOffset;
5897 unsigned VrIndex = 0;
5898 unsigned OverflowOffset = SystemZOverflowOffset;
5899 const DataLayout &DL = F.getDataLayout();
5900 for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
5901 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
5902 // SystemZABIInfo does not produce ByVal parameters.
5903 assert(!CB.paramHasAttr(ArgNo, Attribute::ByVal));
5904 Type *T = A->getType();
5905 ArgKind AK = classifyArgument(T);
5906 if (AK == ArgKind::Indirect) {
5907 T = MS.PtrTy;
5908 AK = ArgKind::GeneralPurpose;
5909 }
5910 if (AK == ArgKind::GeneralPurpose && GpOffset >= SystemZGpEndOffset)
5911 AK = ArgKind::Memory;
5912 if (AK == ArgKind::FloatingPoint && FpOffset >= SystemZFpEndOffset)
5913 AK = ArgKind::Memory;
5914 if (AK == ArgKind::Vector && (VrIndex >= SystemZMaxVrArgs || !IsFixed))
5915 AK = ArgKind::Memory;
5916 Value *ShadowBase = nullptr;
5917 Value *OriginBase = nullptr;
5918 ShadowExtension SE = ShadowExtension::None;
5919 switch (AK) {
5920 case ArgKind::GeneralPurpose: {
5921 // Always keep track of GpOffset, but store shadow only for varargs.
5922 uint64_t ArgSize = 8;
5923 if (GpOffset + ArgSize <= kParamTLSSize) {
5924 if (!IsFixed) {
5925 SE = getShadowExtension(CB, ArgNo);
5926 uint64_t GapSize = 0;
5927 if (SE == ShadowExtension::None) {
5928 uint64_t ArgAllocSize = DL.getTypeAllocSize(T);
5929 assert(ArgAllocSize <= ArgSize);
5930 GapSize = ArgSize - ArgAllocSize;
5931 }
5932 ShadowBase = getShadowAddrForVAArgument(IRB, GpOffset + GapSize);
5933 if (MS.TrackOrigins)
5934 OriginBase = getOriginPtrForVAArgument(IRB, GpOffset + GapSize);
5935 }
5936 GpOffset += ArgSize;
5937 } else {
5938 GpOffset = kParamTLSSize;
5939 }
5940 break;
5941 }
5942 case ArgKind::FloatingPoint: {
5943 // Always keep track of FpOffset, but store shadow only for varargs.
5944 uint64_t ArgSize = 8;
5945 if (FpOffset + ArgSize <= kParamTLSSize) {
5946 if (!IsFixed) {
5947 // PoP says: "A short floating-point datum requires only the
5948 // left-most 32 bit positions of a floating-point register".
5949 // Therefore, in contrast to AK_GeneralPurpose and AK_Memory,
5950 // don't extend shadow and don't mind the gap.
5951 ShadowBase = getShadowAddrForVAArgument(IRB, FpOffset);
5952 if (MS.TrackOrigins)
5953 OriginBase = getOriginPtrForVAArgument(IRB, FpOffset);
5954 }
5955 FpOffset += ArgSize;
5956 } else {
5957 FpOffset = kParamTLSSize;
5958 }
5959 break;
5960 }
5961 case ArgKind::Vector: {
5962 // Keep track of VrIndex. No need to store shadow, since vector varargs
5963 // go through AK_Memory.
5964 assert(IsFixed);
5965 VrIndex++;
5966 break;
5967 }
5968 case ArgKind::Memory: {
5969 // Keep track of OverflowOffset and store shadow only for varargs.
5970 // Ignore fixed args, since we need to copy only the vararg portion of
5971 // the overflow area shadow.
5972 if (!IsFixed) {
5973 uint64_t ArgAllocSize = DL.getTypeAllocSize(T);
5974 uint64_t ArgSize = alignTo(ArgAllocSize, 8);
5975 if (OverflowOffset + ArgSize <= kParamTLSSize) {
5976 SE = getShadowExtension(CB, ArgNo);
5977 uint64_t GapSize =
5978 SE == ShadowExtension::None ? ArgSize - ArgAllocSize : 0;
5979 ShadowBase =
5980 getShadowAddrForVAArgument(IRB, OverflowOffset + GapSize);
5981 if (MS.TrackOrigins)
5982 OriginBase =
5983 getOriginPtrForVAArgument(IRB, OverflowOffset + GapSize);
5984 OverflowOffset += ArgSize;
5985 } else {
5986 OverflowOffset = kParamTLSSize;
5987 }
5988 }
5989 break;
5990 }
5991 case ArgKind::Indirect:
5992 llvm_unreachable("Indirect must be converted to GeneralPurpose");
5993 }
5994 if (ShadowBase == nullptr)
5995 continue;
5996 Value *Shadow = MSV.getShadow(A);
5997 if (SE != ShadowExtension::None)
5998 Shadow = MSV.CreateShadowCast(IRB, Shadow, IRB.getInt64Ty(),
5999 /*Signed*/ SE == ShadowExtension::Sign);
6000 ShadowBase = IRB.CreateIntToPtr(ShadowBase, MS.PtrTy, "_msarg_va_s");
6001 IRB.CreateStore(Shadow, ShadowBase);
6002 if (MS.TrackOrigins) {
6003 Value *Origin = MSV.getOrigin(A);
6004 TypeSize StoreSize = DL.getTypeStoreSize(Shadow->getType());
6005 MSV.paintOrigin(IRB, Origin, OriginBase, StoreSize,
6006 kMinOriginAlignment);
6007 }
6008 }
6009 Constant *OverflowSize = ConstantInt::get(
6010 IRB.getInt64Ty(), OverflowOffset - SystemZOverflowOffset);
6011 IRB.CreateStore(OverflowSize, MS.VAArgOverflowSizeTLS);
6012 }
6013
6014 void copyRegSaveArea(IRBuilder<> &IRB, Value *VAListTag) {
6015 Value *RegSaveAreaPtrPtr = IRB.CreateIntToPtr(
6016 IRB.CreateAdd(
6017 IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
6018 ConstantInt::get(MS.IntptrTy, SystemZRegSaveAreaPtrOffset)),
6019 MS.PtrTy);
6020 Value *RegSaveAreaPtr = IRB.CreateLoad(MS.PtrTy, RegSaveAreaPtrPtr);
6021 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
6022 const Align Alignment = Align(8);
6023 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
6024 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(), Alignment,
6025 /*isStore*/ true);
6026 // TODO(iii): copy only fragments filled by visitCallBase()
6027 // TODO(iii): support packed-stack && !use-soft-float
6028 // For use-soft-float functions, it is enough to copy just the GPRs.
6029 unsigned RegSaveAreaSize =
6030 IsSoftFloatABI ? SystemZGpEndOffset : SystemZRegSaveAreaSize;
6031 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
6032 RegSaveAreaSize);
6033 if (MS.TrackOrigins)
6034 IRB.CreateMemCpy(RegSaveAreaOriginPtr, Alignment, VAArgTLSOriginCopy,
6035 Alignment, RegSaveAreaSize);
6036 }
6037
6038 // FIXME: This implementation limits OverflowOffset to kParamTLSSize, so we
6039 // don't know real overflow size and can't clear shadow beyond kParamTLSSize.
6040 void copyOverflowArea(IRBuilder<> &IRB, Value *VAListTag) {
6041 Value *OverflowArgAreaPtrPtr = IRB.CreateIntToPtr(
6042 IRB.CreateAdd(
6043 IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
6044 ConstantInt::get(MS.IntptrTy, SystemZOverflowArgAreaPtrOffset)),
6045 MS.PtrTy);
6046 Value *OverflowArgAreaPtr = IRB.CreateLoad(MS.PtrTy, OverflowArgAreaPtrPtr);
6047 Value *OverflowArgAreaShadowPtr, *OverflowArgAreaOriginPtr;
6048 const Align Alignment = Align(8);
6049 std::tie(OverflowArgAreaShadowPtr, OverflowArgAreaOriginPtr) =
6050 MSV.getShadowOriginPtr(OverflowArgAreaPtr, IRB, IRB.getInt8Ty(),
6051 Alignment, /*isStore*/ true);
6052 Value *SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSCopy,
6053 SystemZOverflowOffset);
6054 IRB.CreateMemCpy(OverflowArgAreaShadowPtr, Alignment, SrcPtr, Alignment,
6055 VAArgOverflowSize);
6056 if (MS.TrackOrigins) {
6057 SrcPtr = IRB.CreateConstGEP1_32(IRB.getInt8Ty(), VAArgTLSOriginCopy,
6058 SystemZOverflowOffset);
6059 IRB.CreateMemCpy(OverflowArgAreaOriginPtr, Alignment, SrcPtr, Alignment,
6060 VAArgOverflowSize);
6061 }
6062 }
6063
6064 void finalizeInstrumentation() override {
6065 assert(!VAArgOverflowSize && !VAArgTLSCopy &&
6066 "finalizeInstrumentation called twice");
6067 if (!VAStartInstrumentationList.empty()) {
6068 // If there is a va_start in this function, make a backup copy of
6069 // va_arg_tls somewhere in the function entry block.
6070 IRBuilder<> IRB(MSV.FnPrologueEnd);
6071 VAArgOverflowSize =
6072 IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
6073 Value *CopySize =
6074 IRB.CreateAdd(ConstantInt::get(MS.IntptrTy, SystemZOverflowOffset),
6075 VAArgOverflowSize);
6076 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
6077 VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
6078 IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
6079 CopySize, kShadowTLSAlignment, false);
6080
6081 Value *SrcSize = IRB.CreateBinaryIntrinsic(
6082 Intrinsic::umin, CopySize,
6083 ConstantInt::get(MS.IntptrTy, kParamTLSSize));
6084 IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
6085 kShadowTLSAlignment, SrcSize);
6086 if (MS.TrackOrigins) {
6087 VAArgTLSOriginCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
6088 VAArgTLSOriginCopy->setAlignment(kShadowTLSAlignment);
6089 IRB.CreateMemCpy(VAArgTLSOriginCopy, kShadowTLSAlignment,
6090 MS.VAArgOriginTLS, kShadowTLSAlignment, SrcSize);
6091 }
6092 }
6093
6094 // Instrument va_start.
6095 // Copy va_list shadow from the backup copy of the TLS contents.
6096 for (CallInst *OrigInst : VAStartInstrumentationList) {
6097 NextNodeIRBuilder IRB(OrigInst);
6098 Value *VAListTag = OrigInst->getArgOperand(0);
6099 copyRegSaveArea(IRB, VAListTag);
6100 copyOverflowArea(IRB, VAListTag);
6101 }
6102 }
6103};
6104
6105/// i386-specific implementation of VarArgHelper.
6106struct VarArgI386Helper : public VarArgHelperBase {
6107 AllocaInst *VAArgTLSCopy = nullptr;
6108 Value *VAArgSize = nullptr;
6109
6110 VarArgI386Helper(Function &F, MemorySanitizer &MS,
6111 MemorySanitizerVisitor &MSV)
6112 : VarArgHelperBase(F, MS, MSV, /*VAListTagSize=*/4) {}
6113
6114 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
6115 const DataLayout &DL = F.getDataLayout();
6116 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
6117 unsigned VAArgOffset = 0;
6118 for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
6119 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
6120 bool IsByVal = CB.paramHasAttr(ArgNo, Attribute::ByVal);
6121 if (IsByVal) {
6122 assert(A->getType()->isPointerTy());
6123 Type *RealTy = CB.getParamByValType(ArgNo);
6124 uint64_t ArgSize = DL.getTypeAllocSize(RealTy);
6125 Align ArgAlign = CB.getParamAlign(ArgNo).value_or(Align(IntptrSize));
6126 if (ArgAlign < IntptrSize)
6127 ArgAlign = Align(IntptrSize);
6128 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
6129 if (!IsFixed) {
6130 Value *Base = getShadowPtrForVAArgument(IRB, VAArgOffset, ArgSize);
6131 if (Base) {
6132 Value *AShadowPtr, *AOriginPtr;
6133 std::tie(AShadowPtr, AOriginPtr) =
6134 MSV.getShadowOriginPtr(A, IRB, IRB.getInt8Ty(),
6135 kShadowTLSAlignment, /*isStore*/ false);
6136
6137 IRB.CreateMemCpy(Base, kShadowTLSAlignment, AShadowPtr,
6138 kShadowTLSAlignment, ArgSize);
6139 }
6140 VAArgOffset += alignTo(ArgSize, Align(IntptrSize));
6141 }
6142 } else {
6143 Value *Base;
6144 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
6145 Align ArgAlign = Align(IntptrSize);
6146 VAArgOffset = alignTo(VAArgOffset, ArgAlign);
6147 if (DL.isBigEndian()) {
6148 // Adjusting the shadow for argument with size < IntptrSize to match
6149 // the placement of bits in big endian system
6150 if (ArgSize < IntptrSize)
6151 VAArgOffset += (IntptrSize - ArgSize);
6152 }
6153 if (!IsFixed) {
6154 Base = getShadowPtrForVAArgument(IRB, VAArgOffset, ArgSize);
6155 if (Base)
6156 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
6157 VAArgOffset += ArgSize;
6158 VAArgOffset = alignTo(VAArgOffset, Align(IntptrSize));
6159 }
6160 }
6161 }
6162
6163 Constant *TotalVAArgSize = ConstantInt::get(MS.IntptrTy, VAArgOffset);
6164 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
6165 // a new class member i.e. it is the total size of all VarArgs.
6166 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
6167 }
6168
6169 void finalizeInstrumentation() override {
6170 assert(!VAArgSize && !VAArgTLSCopy &&
6171 "finalizeInstrumentation called twice");
6172 IRBuilder<> IRB(MSV.FnPrologueEnd);
6173 VAArgSize = IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
6174 Value *CopySize = VAArgSize;
6175
6176 if (!VAStartInstrumentationList.empty()) {
6177 // If there is a va_start in this function, make a backup copy of
6178 // va_arg_tls somewhere in the function entry block.
6179 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
6180 VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
6181 IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
6182 CopySize, kShadowTLSAlignment, false);
6183
6184 Value *SrcSize = IRB.CreateBinaryIntrinsic(
6185 Intrinsic::umin, CopySize,
6186 ConstantInt::get(IRB.getInt64Ty(), kParamTLSSize));
6187 IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
6188 kShadowTLSAlignment, SrcSize);
6189 }
6190
6191 // Instrument va_start.
6192 // Copy va_list shadow from the backup copy of the TLS contents.
6193 for (CallInst *OrigInst : VAStartInstrumentationList) {
6194 NextNodeIRBuilder IRB(OrigInst);
6195 Value *VAListTag = OrigInst->getArgOperand(0);
6196 Type *RegSaveAreaPtrTy = PointerType::getUnqual(*MS.C);
6197 Value *RegSaveAreaPtrPtr =
6198 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
6199 PointerType::get(*MS.C, 0));
6200 Value *RegSaveAreaPtr =
6201 IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
6202 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
6203 const DataLayout &DL = F.getDataLayout();
6204 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
6205 const Align Alignment = Align(IntptrSize);
6206 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
6207 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
6208 Alignment, /*isStore*/ true);
6209 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
6210 CopySize);
6211 }
6212 }
6213};
6214
6215/// Implementation of VarArgHelper that is used for ARM32, MIPS, RISCV,
6216/// LoongArch64.
6217struct VarArgGenericHelper : public VarArgHelperBase {
6218 AllocaInst *VAArgTLSCopy = nullptr;
6219 Value *VAArgSize = nullptr;
6220
6221 VarArgGenericHelper(Function &F, MemorySanitizer &MS,
6222 MemorySanitizerVisitor &MSV, const unsigned VAListTagSize)
6223 : VarArgHelperBase(F, MS, MSV, VAListTagSize) {}
6224
6225 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {
6226 unsigned VAArgOffset = 0;
6227 const DataLayout &DL = F.getDataLayout();
6228 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
6229 for (const auto &[ArgNo, A] : llvm::enumerate(CB.args())) {
6230 bool IsFixed = ArgNo < CB.getFunctionType()->getNumParams();
6231 if (IsFixed)
6232 continue;
6233 uint64_t ArgSize = DL.getTypeAllocSize(A->getType());
6234 if (DL.isBigEndian()) {
6235 // Adjusting the shadow for argument with size < IntptrSize to match the
6236 // placement of bits in big endian system
6237 if (ArgSize < IntptrSize)
6238 VAArgOffset += (IntptrSize - ArgSize);
6239 }
6240 Value *Base = getShadowPtrForVAArgument(IRB, VAArgOffset, ArgSize);
6241 VAArgOffset += ArgSize;
6242 VAArgOffset = alignTo(VAArgOffset, IntptrSize);
6243 if (!Base)
6244 continue;
6245 IRB.CreateAlignedStore(MSV.getShadow(A), Base, kShadowTLSAlignment);
6246 }
6247
6248 Constant *TotalVAArgSize = ConstantInt::get(MS.IntptrTy, VAArgOffset);
6249 // Here using VAArgOverflowSizeTLS as VAArgSizeTLS to avoid creation of
6250 // a new class member i.e. it is the total size of all VarArgs.
6251 IRB.CreateStore(TotalVAArgSize, MS.VAArgOverflowSizeTLS);
6252 }
6253
6254 void finalizeInstrumentation() override {
6255 assert(!VAArgSize && !VAArgTLSCopy &&
6256 "finalizeInstrumentation called twice");
6257 IRBuilder<> IRB(MSV.FnPrologueEnd);
6258 VAArgSize = IRB.CreateLoad(IRB.getInt64Ty(), MS.VAArgOverflowSizeTLS);
6259 Value *CopySize = VAArgSize;
6260
6261 if (!VAStartInstrumentationList.empty()) {
6262 // If there is a va_start in this function, make a backup copy of
6263 // va_arg_tls somewhere in the function entry block.
6264 VAArgTLSCopy = IRB.CreateAlloca(Type::getInt8Ty(*MS.C), CopySize);
6265 VAArgTLSCopy->setAlignment(kShadowTLSAlignment);
6266 IRB.CreateMemSet(VAArgTLSCopy, Constant::getNullValue(IRB.getInt8Ty()),
6267 CopySize, kShadowTLSAlignment, false);
6268
6269 Value *SrcSize = IRB.CreateBinaryIntrinsic(
6270 Intrinsic::umin, CopySize,
6271 ConstantInt::get(IRB.getInt64Ty(), kParamTLSSize));
6272 IRB.CreateMemCpy(VAArgTLSCopy, kShadowTLSAlignment, MS.VAArgTLS,
6273 kShadowTLSAlignment, SrcSize);
6274 }
6275
6276 // Instrument va_start.
6277 // Copy va_list shadow from the backup copy of the TLS contents.
6278 for (CallInst *OrigInst : VAStartInstrumentationList) {
6279 NextNodeIRBuilder IRB(OrigInst);
6280 Value *VAListTag = OrigInst->getArgOperand(0);
6281 Type *RegSaveAreaPtrTy = PointerType::getUnqual(*MS.C);
6282 Value *RegSaveAreaPtrPtr =
6283 IRB.CreateIntToPtr(IRB.CreatePtrToInt(VAListTag, MS.IntptrTy),
6284 PointerType::get(*MS.C, 0));
6285 Value *RegSaveAreaPtr =
6286 IRB.CreateLoad(RegSaveAreaPtrTy, RegSaveAreaPtrPtr);
6287 Value *RegSaveAreaShadowPtr, *RegSaveAreaOriginPtr;
6288 const DataLayout &DL = F.getDataLayout();
6289 unsigned IntptrSize = DL.getTypeStoreSize(MS.IntptrTy);
6290 const Align Alignment = Align(IntptrSize);
6291 std::tie(RegSaveAreaShadowPtr, RegSaveAreaOriginPtr) =
6292 MSV.getShadowOriginPtr(RegSaveAreaPtr, IRB, IRB.getInt8Ty(),
6293 Alignment, /*isStore*/ true);
6294 IRB.CreateMemCpy(RegSaveAreaShadowPtr, Alignment, VAArgTLSCopy, Alignment,
6295 CopySize);
6296 }
6297 }
6298};
6299
6300// ARM32, Loongarch64, MIPS and RISCV share the same calling conventions
6301// regarding VAArgs.
6302using VarArgARM32Helper = VarArgGenericHelper;
6303using VarArgRISCVHelper = VarArgGenericHelper;
6304using VarArgMIPSHelper = VarArgGenericHelper;
6305using VarArgLoongArch64Helper = VarArgGenericHelper;
6306
6307/// A no-op implementation of VarArgHelper.
6308struct VarArgNoOpHelper : public VarArgHelper {
6309 VarArgNoOpHelper(Function &F, MemorySanitizer &MS,
6310 MemorySanitizerVisitor &MSV) {}
6311
6312 void visitCallBase(CallBase &CB, IRBuilder<> &IRB) override {}
6313
6314 void visitVAStartInst(VAStartInst &I) override {}
6315
6316 void visitVACopyInst(VACopyInst &I) override {}
6317
6318 void finalizeInstrumentation() override {}
6319};
6320
6321} // end anonymous namespace
6322
6323static VarArgHelper *CreateVarArgHelper(Function &Func, MemorySanitizer &Msan,
6324 MemorySanitizerVisitor &Visitor) {
6325 // VarArg handling is only implemented on AMD64. False positives are possible
6326 // on other platforms.
6327 Triple TargetTriple(Func.getParent()->getTargetTriple());
6328
6329 if (TargetTriple.getArch() == Triple::x86)
6330 return new VarArgI386Helper(Func, Msan, Visitor);
6331
6332 if (TargetTriple.getArch() == Triple::x86_64)
6333 return new VarArgAMD64Helper(Func, Msan, Visitor);
6334
6335 if (TargetTriple.isARM())
6336 return new VarArgARM32Helper(Func, Msan, Visitor, /*VAListTagSize=*/4);
6337
6338 if (TargetTriple.isAArch64())
6339 return new VarArgAArch64Helper(Func, Msan, Visitor);
6340
6341 if (TargetTriple.isSystemZ())
6342 return new VarArgSystemZHelper(Func, Msan, Visitor);
6343
6344 // On PowerPC32 VAListTag is a struct
6345 // {char, char, i16 padding, char *, char *}
6346 if (TargetTriple.isPPC32())
6347 return new VarArgPowerPCHelper(Func, Msan, Visitor, /*VAListTagSize=*/12);
6348
6349 if (TargetTriple.isPPC64())
6350 return new VarArgPowerPCHelper(Func, Msan, Visitor, /*VAListTagSize=*/8);
6351
6352 if (TargetTriple.isRISCV32())
6353 return new VarArgRISCVHelper(Func, Msan, Visitor, /*VAListTagSize=*/4);
6354
6355 if (TargetTriple.isRISCV64())
6356 return new VarArgRISCVHelper(Func, Msan, Visitor, /*VAListTagSize=*/8);
6357
6358 if (TargetTriple.isMIPS32())
6359 return new VarArgMIPSHelper(Func, Msan, Visitor, /*VAListTagSize=*/4);
6360
6361 if (TargetTriple.isMIPS64())
6362 return new VarArgMIPSHelper(Func, Msan, Visitor, /*VAListTagSize=*/8);
6363
6364 if (TargetTriple.isLoongArch64())
6365 return new VarArgLoongArch64Helper(Func, Msan, Visitor,
6366 /*VAListTagSize=*/8);
6367
6368 return new VarArgNoOpHelper(Func, Msan, Visitor);
6369}
6370
6371bool MemorySanitizer::sanitizeFunction(Function &F, TargetLibraryInfo &TLI) {
6372 if (!CompileKernel && F.getName() == kMsanModuleCtorName)
6373 return false;
6374
6375 if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation))
6376 return false;
6377
6378 MemorySanitizerVisitor Visitor(F, *this, TLI);
6379
6380 // Clear out memory attributes.
6381 AttributeMask B;
6382 B.addAttribute(Attribute::Memory).addAttribute(Attribute::Speculatable);
6383 F.removeFnAttrs(B);
6384
6385 return Visitor.runOnFunction();
6386}
S1
static const LLT S1
Definition: AMDGPULegalizerInfo.cpp:282
APInt.h
This file implements a class to represent arbitrary precision integral constant values and operations...
isStore
static bool isStore(int Opcode)
Definition: ARCInstrInfo.cpp:58
DL
MachineBasicBlock MachineBasicBlock::iterator DebugLoc DL
Definition: ARMSLSHardening.cpp:73
IT
static cl::opt< ITMode > IT(cl::desc("IT block support"), cl::Hidden, cl::init(DefaultIT), cl::values(clEnumValN(DefaultIT, "arm-default-it", "Generate any type of IT block"), clEnumValN(RestrictedIT, "arm-restrict-it", "Disallow complex IT blocks")))
kNumberOfAccessSizes
static const size_t kNumberOfAccessSizes
Definition: AddressSanitizer.cpp:182
getNextNode
VarLocInsertPt getNextNode(const DbgRecord *DVR)
Definition: AssignmentTrackingAnalysis.cpp:1498
AtomicOrdering.h
Atomic ordering constants.
Attributes.h
This file contains the simple types necessary to represent the attributes associated with functions a...
B
static GCRegistry::Add< OcamlGC > B("ocaml", "ocaml 3.10-compatible GC")
A
static GCRegistry::Add< ErlangGC > A("erlang", "erlang-compatible garbage collector")
D
static GCRegistry::Add< StatepointGC > D("statepoint-example", "an example strategy for statepoint")
Info
Analysis containing CSE Info
Definition: CSEInfo.cpp:27
Constants.h
This file contains the declarations for the subclasses of Constant, which represent the different fla...
addReleaseOrdering
static AtomicOrdering addReleaseOrdering(AtomicOrdering AO)
Definition: DataFlowSanitizer.cpp:2639
addAcquireOrdering
static AtomicOrdering addAcquireOrdering(AtomicOrdering AO)
Definition: DataFlowSanitizer.cpp:2349
isAMustTailRetVal
static bool isAMustTailRetVal(Value *RetVal)
Definition: DataFlowSanitizer.cpp:2966
RetTy
return RetTy
Definition: DeadArgumentElimination.cpp:361
Idx
Returns the sub type a function will return at a given Idx Should correspond to the result type of an ExtractValue instruction executed with just that one unsigned Idx
Definition: DeadArgumentElimination.cpp:353
DebugCounter.h
This file provides an implementation of debug counters.
DEBUG_COUNTER
#define DEBUG_COUNTER(VARNAME, COUNTERNAME, DESC)
Definition: DebugCounter.h:190
LLVM_DEBUG
#define LLVM_DEBUG(...)
Definition: Debug.h:106
DenseMap.h
This file defines the DenseMap class.
DepthFirstIterator.h
This file builds on the ADT/GraphTraits.h file to build generic depth first graph iterator.
Default
@ Default
Definition: DwarfDebug.cpp:87
Addr
uint64_t Addr
Definition: ELFObjHandler.cpp:79
Name
std::string Name
Definition: ELFObjHandler.cpp:77
Index
uint32_t Index
Definition: ELFObjHandler.cpp:83
Size
uint64_t Size
Definition: ELFObjHandler.cpp:81
End
bool End
Definition: ELF_riscv.cpp:480
runOnFunction
static bool runOnFunction(Function &F, bool PostInlining)
Definition: EntryExitInstrumenter.cpp:98
X
static GCMetadataPrinterRegistry::Add< ErlangGCPrinter > X("erlang", "erlang-compatible garbage collector")
GlobalsModRef.h
This is the interface for a simple mod/ref and alias analysis over globals.
TypeSizeToSizeIndex
static size_t TypeSizeToSizeIndex(uint32_t TypeSize)
Definition: HWAddressSanitizer.cpp:949
op
#define op(i)
GEP
Hexagon Common GEP
Definition: HexagonCommonGEP.cpp:170
_
#define _
Definition: HexagonMCCodeEmitter.cpp:46
Combine
Hexagon Vector Combine
Definition: HexagonVectorCombine.cpp:2985
Module.h
Module.h This file contains the declarations for the Module class.
Options
static LVOptions Options
Definition: LVOptions.cpp:25
F
#define F(x, y, z)
Definition: MD5.cpp:55
I
#define I(x, y, z)
Definition: MD5.cpp:58
Linux_LoongArch64_MemoryMapParams
static const MemoryMapParams Linux_LoongArch64_MemoryMapParams
Definition: MemorySanitizer.cpp:466
Linux_S390_MemoryMapParams
static const PlatformMemoryMapParams Linux_S390_MemoryMapParams
Definition: MemorySanitizer.cpp:524
kMinOriginAlignment
static const Align kMinOriginAlignment
Definition: MemorySanitizer.cpp:224
Linux_X86_64_MemoryMapParams
static const MemoryMapParams Linux_X86_64_MemoryMapParams
Definition: MemorySanitizer.cpp:414
ClShadowBase
static cl::opt< uint64_t > ClShadowBase("msan-shadow-base", cl::desc("Define custom MSan ShadowBase"), cl::Hidden, cl::init(0))
ClDumpStrictInstructions
static cl::opt< bool > ClDumpStrictInstructions("msan-dump-strict-instructions", cl::desc("print out instructions with default strict semantics"), cl::Hidden, cl::init(false))
Linux_X86_MemoryMapParams
static const PlatformMemoryMapParams Linux_X86_MemoryMapParams
Definition: MemorySanitizer.cpp:509
ClOriginBase
static cl::opt< uint64_t > ClOriginBase("msan-origin-base", cl::desc("Define custom MSan OriginBase"), cl::Hidden, cl::init(0))
ClCheckConstantShadow
static cl::opt< bool > ClCheckConstantShadow("msan-check-constant-shadow", cl::desc("Insert checks for constant shadow values"), cl::Hidden, cl::init(true))
Linux_LoongArch_MemoryMapParams
static const PlatformMemoryMapParams Linux_LoongArch_MemoryMapParams
Definition: MemorySanitizer.cpp:534
NetBSD_X86_64_MemoryMapParams
static const MemoryMapParams NetBSD_X86_64_MemoryMapParams
Definition: MemorySanitizer.cpp:502
Linux_MIPS_MemoryMapParams
static const PlatformMemoryMapParams Linux_MIPS_MemoryMapParams
Definition: MemorySanitizer.cpp:514
kOriginSize
static const unsigned kOriginSize
Definition: MemorySanitizer.cpp:223
ClWithComdat
static cl::opt< bool > ClWithComdat("msan-with-comdat", cl::desc("Place MSan constructors in comdat sections"), cl::Hidden, cl::init(false))
ClTrackOrigins
static cl::opt< int > ClTrackOrigins("msan-track-origins", cl::desc("Track origins (allocation sites) of poisoned memory"), cl::Hidden, cl::init(0))
Track origins of uninitialized values.
ClInstrumentationWithCallThreshold
static cl::opt< int > ClInstrumentationWithCallThreshold("msan-instrumentation-with-call-threshold", cl::desc("If the function being instrumented requires more than " "this number of checks and origin stores, use callbacks instead of " "inline checks (-1 means never use callbacks)."), cl::Hidden, cl::init(3500))
ClPoisonStackPattern
static cl::opt< int > ClPoisonStackPattern("msan-poison-stack-pattern", cl::desc("poison uninitialized stack variables with the given pattern"), cl::Hidden, cl::init(0xff))
kShadowTLSAlignment
static const Align kShadowTLSAlignment
Definition: MemorySanitizer.cpp:225
ClHandleICmpExact
static cl::opt< bool > ClHandleICmpExact("msan-handle-icmp-exact", cl::desc("exact handling of relational integer ICmp"), cl::Hidden, cl::init(true))
Linux_ARM_MemoryMapParams
static const PlatformMemoryMapParams Linux_ARM_MemoryMapParams
Definition: MemorySanitizer.cpp:529
getOrInsertGlobal
static Constant * getOrInsertGlobal(Module &M, StringRef Name, Type *Ty)
Definition: MemorySanitizer.cpp:858
ClDumpStrictIntrinsics
static cl::opt< bool > ClDumpStrictIntrinsics("msan-dump-strict-intrinsics", cl::desc("Prints 'unknown' intrinsics that were handled heuristically. " "Use -msan-dump-strict-instructions to print intrinsics that " "could not be handled exactly nor heuristically."), cl::Hidden, cl::init(false))
Linux_S390X_MemoryMapParams
static const MemoryMapParams Linux_S390X_MemoryMapParams
Definition: MemorySanitizer.cpp:446
ClPoisonUndef
static cl::opt< bool > ClPoisonUndef("msan-poison-undef", cl::desc("poison undef temps"), cl::Hidden, cl::init(true))
ClPoisonStack
static cl::opt< bool > ClPoisonStack("msan-poison-stack", cl::desc("poison uninitialized stack variables"), cl::Hidden, cl::init(true))
Linux_I386_MemoryMapParams
static const MemoryMapParams Linux_I386_MemoryMapParams
Definition: MemorySanitizer.cpp:406
kMsanInitName
const char kMsanInitName[]
Definition: MemorySanitizer.cpp:383
ClPrintStackNames
static cl::opt< bool > ClPrintStackNames("msan-print-stack-names", cl::desc("Print name of local stack variable"), cl::Hidden, cl::init(true))
Linux_AArch64_MemoryMapParams
static const MemoryMapParams Linux_AArch64_MemoryMapParams
Definition: MemorySanitizer.cpp:458
ClAndMask
static cl::opt< uint64_t > ClAndMask("msan-and-mask", cl::desc("Define custom MSan AndMask"), cl::Hidden, cl::init(0))
ClHandleLifetimeIntrinsics
static cl::opt< bool > ClHandleLifetimeIntrinsics("msan-handle-lifetime-intrinsics", cl::desc("when possible, poison scoped variables at the beginning of the scope " "(slower, but more precise)"), cl::Hidden, cl::init(true))
ClKeepGoing
static cl::opt< bool > ClKeepGoing("msan-keep-going", cl::desc("keep going after reporting a UMR"), cl::Hidden, cl::init(false))
FreeBSD_X86_64_MemoryMapParams
static const MemoryMapParams FreeBSD_X86_64_MemoryMapParams
Definition: MemorySanitizer.cpp:494
createPrivateConstGlobalForString
static GlobalVariable * createPrivateConstGlobalForString(Module &M, StringRef Str)
Create a non-const global initialized with the given string.
Definition: MemorySanitizer.cpp:783
Linux_PowerPC_MemoryMapParams
static const PlatformMemoryMapParams Linux_PowerPC_MemoryMapParams
Definition: MemorySanitizer.cpp:519
kNumberOfAccessSizes
static const size_t kNumberOfAccessSizes
Definition: MemorySanitizer.cpp:232
ClEagerChecks
static cl::opt< bool > ClEagerChecks("msan-eager-checks", cl::desc("check arguments and return values at function call boundaries"), cl::Hidden, cl::init(false))
ClDisambiguateWarning
static cl::opt< int > ClDisambiguateWarning("msan-disambiguate-warning-threshold", cl::desc("Define threshold for number of checks per " "debug location to force origin update."), cl::Hidden, cl::init(3))
CreateVarArgHelper
static VarArgHelper * CreateVarArgHelper(Function &Func, MemorySanitizer &Msan, MemorySanitizerVisitor &Visitor)
Definition: MemorySanitizer.cpp:6323
Linux_MIPS64_MemoryMapParams
static const MemoryMapParams Linux_MIPS64_MemoryMapParams
Definition: MemorySanitizer.cpp:426
Linux_PowerPC64_MemoryMapParams
static const MemoryMapParams Linux_PowerPC64_MemoryMapParams
Definition: MemorySanitizer.cpp:438
ClXorMask
static cl::opt< uint64_t > ClXorMask("msan-xor-mask", cl::desc("Define custom MSan XorMask"), cl::Hidden, cl::init(0))
ClHandleAsmConservative
static cl::opt< bool > ClHandleAsmConservative("msan-handle-asm-conservative", cl::desc("conservative handling of inline assembly"), cl::Hidden, cl::init(true))
FreeBSD_X86_MemoryMapParams
static const PlatformMemoryMapParams FreeBSD_X86_MemoryMapParams
Definition: MemorySanitizer.cpp:544
FreeBSD_ARM_MemoryMapParams
static const PlatformMemoryMapParams FreeBSD_ARM_MemoryMapParams
Definition: MemorySanitizer.cpp:539
kParamTLSSize
static const unsigned kParamTLSSize
Definition: MemorySanitizer.cpp:228
ClHandleICmp
static cl::opt< bool > ClHandleICmp("msan-handle-icmp", cl::desc("propagate shadow through ICmpEQ and ICmpNE"), cl::Hidden, cl::init(true))
ClEnableKmsan
static cl::opt< bool > ClEnableKmsan("msan-kernel", cl::desc("Enable KernelMemorySanitizer instrumentation"), cl::Hidden, cl::init(false))
ClPoisonStackWithCall
static cl::opt< bool > ClPoisonStackWithCall("msan-poison-stack-with-call", cl::desc("poison uninitialized stack variables with a call"), cl::Hidden, cl::init(false))
NetBSD_X86_MemoryMapParams
static const PlatformMemoryMapParams NetBSD_X86_MemoryMapParams
Definition: MemorySanitizer.cpp:549
kRetvalTLSSize
static const unsigned kRetvalTLSSize
Definition: MemorySanitizer.cpp:229
FreeBSD_AArch64_MemoryMapParams
static const MemoryMapParams FreeBSD_AArch64_MemoryMapParams
Definition: MemorySanitizer.cpp:478
kMsanModuleCtorName
const char kMsanModuleCtorName[]
Definition: MemorySanitizer.cpp:382
FreeBSD_I386_MemoryMapParams
static const MemoryMapParams FreeBSD_I386_MemoryMapParams
Definition: MemorySanitizer.cpp:486
ClCheckAccessAddress
static cl::opt< bool > ClCheckAccessAddress("msan-check-access-address", cl::desc("report accesses through a pointer which has poisoned shadow"), cl::Hidden, cl::init(true))
ClDisableChecks
static cl::opt< bool > ClDisableChecks("msan-disable-checks", cl::desc("Apply no_sanitize to the whole file"), cl::Hidden, cl::init(false))
FAM
FunctionAnalysisManager FAM
Definition: PassBuilderBindings.cpp:61
Cond
const SmallVectorImpl< MachineOperand > & Cond
Definition: RISCVRedundantCopyElimination.cpp:75
assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
name
static const char * name
Definition: SMEABIPass.cpp:46
visit
void visit(MachineFunction &MF, MachineBasicBlock &Start, std::function< void(MachineBasicBlock *)> op)
Definition: SPIRVPostLegalizer.cpp:132
OS
raw_pwrite_stream & OS
Definition: SampleProfWriter.cpp:51
SetVector.h
This file implements a set that has insertion order iteration characteristics.
SmallPtrSet.h
This file defines the SmallPtrSet class.
SmallVector.h
This file defines the SmallVector class.
StringExtras.h
This file contains some functions that are useful when dealing with strings.
getType
static SymbolRef::Type getType(const Symbol *Sym)
Definition: TapiFile.cpp:39
Struct
@ Struct
Definition: TargetLibraryInfo.cpp:78
RHS
Value * RHS
Definition: X86PartialReduction.cpp:74
LHS
Value * LHS
Definition: X86PartialReduction.cpp:73
llvm::APInt
Class for arbitrary precision integers.
Definition: APInt.h:78
llvm::APInt::getSignedMinValue
static APInt getSignedMinValue(unsigned numBits)
Gets minimum signed value of APInt for a specific bit width.
Definition: APInt.h:219
llvm::AllocaInst
an instruction to allocate memory on the stack
Definition: Instructions.h:63
llvm::AllocaInst::setAlignment
void setAlignment(Align Align)
Definition: Instructions.h:128
llvm::AnalysisManager
A container for analyses that lazily runs them and caches their results.
Definition: PassManager.h:253
llvm::AnalysisManager::getResult
PassT::Result & getResult(IRUnitT &IR, ExtraArgTs... ExtraArgs)
Get the result of an analysis pass for a given IR unit.
Definition: PassManager.h:410
llvm::Argument
This class represents an incoming formal argument to a Function.
Definition: Argument.h:31
llvm::ArrayRef
ArrayRef - Represent a constant reference to an array (0 or more elements consecutively in memory),...
Definition: ArrayRef.h:41
llvm::ArrayRef::front
const T & front() const
front - Get the first element.
Definition: ArrayRef.h:171
llvm::ArrayType::get
static ArrayType * get(Type *ElementType, uint64_t NumElements)
This static method is the primary way to construct an ArrayType.
llvm::AtomicCmpXchgInst
An instruction that atomically checks whether a specified value is in a memory location,...
Definition: Instructions.h:501
llvm::AtomicRMWInst
an instruction that atomically reads a memory location, combines it with another value,...
Definition: Instructions.h:704
llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:61
llvm::BasicBlock::end
iterator end()
Definition: BasicBlock.h:461
llvm::BasicBlock::getFirstInsertionPt
const_iterator getFirstInsertionPt() const
Returns an iterator to the first instruction in this block that is suitable for inserting a non-PHI i...
Definition: BasicBlock.cpp:416
llvm::BasicBlock::getSinglePredecessor
const BasicBlock * getSinglePredecessor() const
Return the predecessor of this block if it has a single predecessor block.
Definition: BasicBlock.cpp:459
llvm::BasicBlock::iterator
InstListType::iterator iterator
Instruction iterators...
Definition: BasicBlock.h:177
llvm::BitCastInst
This class represents a no-op cast from one type to another.
Definition: Instructions.h:4894
llvm::CallBase
Base class for all callable instructions (InvokeInst and CallInst) Holds everything related to callin...
Definition: InstrTypes.h:1112
llvm::CallBase::isInlineAsm
bool isInlineAsm() const
Check if this call is an inline asm statement.
Definition: InstrTypes.h:1408
llvm::CallBase::getCalledFunction
Function * getCalledFunction() const
Returns the function called, or null if this is an indirect function invocation or the function signa...
Definition: InstrTypes.h:1341
llvm::CallBase::hasRetAttr
bool hasRetAttr(Attribute::AttrKind Kind) const
Determine whether the return value has the given attribute.
Definition: InstrTypes.h:1573
llvm::CallBase::paramHasAttr
bool paramHasAttr(unsigned ArgNo, Attribute::AttrKind Kind) const
Determine whether the argument or parameter has the given attribute.
Definition: Instructions.cpp:409
llvm::CallBase::setCannotMerge
void setCannotMerge()
Definition: InstrTypes.h:1934
llvm::CallBase::getParamAlign
MaybeAlign getParamAlign(unsigned ArgNo) const
Extract the alignment for a call or parameter (0=unknown).
Definition: InstrTypes.h:1748
llvm::CallBase::getParamByValType
Type * getParamByValType(unsigned ArgNo) const
Extract the byval type for a call or parameter.
Definition: InstrTypes.h:1766
llvm::CallBase::getCalledOperand
Value * getCalledOperand() const
Definition: InstrTypes.h:1334
llvm::CallBase::getParamElementType
Type * getParamElementType(unsigned ArgNo) const
Extract the elementtype type for a parameter.
Definition: InstrTypes.h:1804
llvm::CallBase::getArgOperand
Value * getArgOperand(unsigned i) const
Definition: InstrTypes.h:1286
llvm::CallBase::setArgOperand
void setArgOperand(unsigned i, Value *v)
Definition: InstrTypes.h:1291
llvm::CallBase::getFunctionType
FunctionType * getFunctionType() const
Definition: InstrTypes.h:1199
llvm::CallBase::args
iterator_range< User::op_iterator > args()
Iteration adapter for range-for loops.
Definition: InstrTypes.h:1277
llvm::CallBase::addParamAttr
void addParamAttr(unsigned ArgNo, Attribute::AttrKind Kind)
Adds the attribute to the indicated argument.
Definition: InstrTypes.h:1494
llvm::CallInst
This class represents a function call, abstracting a target machine's calling convention.
Definition: Instructions.h:1479
llvm::CastInst
This is the base class for all instructions that perform data casts.
Definition: InstrTypes.h:444
llvm::CmpInst::Predicate
Predicate
This enumeration lists the possible predicates for CmpInst subclasses.
Definition: InstrTypes.h:673
llvm::CmpInst::ICMP_SLT
@ ICMP_SLT
signed less than
Definition: InstrTypes.h:702
llvm::CmpInst::ICMP_SLE
@ ICMP_SLE
signed less or equal
Definition: InstrTypes.h:703
llvm::CmpInst::ICMP_SGT
@ ICMP_SGT
signed greater than
Definition: InstrTypes.h:700
llvm::CmpInst::ICMP_SGE
@ ICMP_SGE
signed greater or equal
Definition: InstrTypes.h:701
llvm::Combiner
Combiner implementation.
Definition: Combiner.h:34
llvm::ConstantArray::get
static Constant * get(ArrayType *T, ArrayRef< Constant * > V)
Definition: Constants.cpp:1312
llvm::ConstantDataArray::getString
static Constant * getString(LLVMContext &Context, StringRef Initializer, bool AddNull=true)
This method constructs a CDS and initializes it with a text string.
Definition: Constants.cpp:2990
llvm::ConstantDataVector::get
static Constant * get(LLVMContext &Context, ArrayRef< uint8_t > Elts)
get() constructors - Return a constant with vector type with an element count and element type matchi...
Definition: Constants.cpp:3006
llvm::ConstantInt
This is the shared class of boolean and integer constants.
Definition: Constants.h:83
llvm::ConstantInt::getSigned
static ConstantInt * getSigned(IntegerType *Ty, int64_t V)
Return a ConstantInt with the specified value for the specified type.
Definition: Constants.h:126
llvm::ConstantInt::getBool
static ConstantInt * getBool(LLVMContext &Context, bool V)
Definition: Constants.cpp:880
llvm::ConstantStruct::get
static Constant * get(StructType *T, ArrayRef< Constant * > V)
Definition: Constants.cpp:1378
llvm::ConstantVector::getSplat
static Constant * getSplat(ElementCount EC, Constant *Elt)
Return a ConstantVector with the specified constant in each element.
Definition: Constants.cpp:1472
llvm::ConstantVector::get
static Constant * get(ArrayRef< Constant * > V)
Definition: Constants.cpp:1421
llvm::Constant
This is an important base class in LLVM.
Definition: Constant.h:42
llvm::Constant::getAllOnesValue
static Constant * getAllOnesValue(Type *Ty)
Definition: Constants.cpp:420
llvm::Constant::isAllOnesValue
bool isAllOnesValue() const
Return true if this is the value that would be returned by getAllOnesValue.
Definition: Constants.cpp:107
llvm::Constant::getNullValue
static Constant * getNullValue(Type *Ty)
Constructor to create a '0' constant of arbitrary type.
Definition: Constants.cpp:373
llvm::Constant::getAggregateElement
Constant * getAggregateElement(unsigned Elt) const
For aggregates (struct/array/vector) return the constant that corresponds to the specified element if...
Definition: Constants.cpp:435
llvm::Constant::isZeroValue
bool isZeroValue() const
Return true if the value is negative zero or null value.
Definition: Constants.cpp:76
llvm::Constant::isNullValue
bool isNullValue() const
Return true if this is the value that would be returned by getNullValue.
Definition: Constants.cpp:90
llvm::DWARFExpression::Operation
This class represents an Operation in the Expression.
Definition: DWARFExpression.h:32
llvm::DataLayout
A parsed version of the target data layout string in and methods for querying it.
Definition: DataLayout.h:63
llvm::DebugCounter::shouldExecute
static bool shouldExecute(unsigned CounterName)
Definition: DebugCounter.h:87
llvm::DebugLoc
A debug info location.
Definition: DebugLoc.h:33
llvm::DenseMapBase::empty
bool empty() const
Definition: DenseMap.h:98
llvm::ExtractElementInst
This instruction extracts a single (scalar) element from a VectorType value.
Definition: Instructions.h:1775
llvm::ExtractValueInst
This instruction extracts a struct member or array element value from an aggregate value.
Definition: Instructions.h:2397
llvm::FCmpInst
This instruction compares its operands according to the predicate given to the constructor.
Definition: Instructions.h:1379
llvm::FixedVectorType
Class to represent fixed width SIMD vectors.
Definition: DerivedTypes.h:563
llvm::FixedVectorType::getNumElements
unsigned getNumElements() const
Definition: DerivedTypes.h:606
llvm::FixedVectorType::get
static FixedVectorType * get(Type *ElementType, unsigned NumElts)
Definition: Type.cpp:791
llvm::FreezeInst
This class represents a freeze function that returns random concrete value if an operand is either a ...
Definition: Instructions.h:5088
llvm::FunctionCallee
A handy container for a FunctionType+Callee-pointer pair, which can be passed around as a single enti...
Definition: DerivedTypes.h:170
llvm::FunctionType::getNumParams
unsigned getNumParams() const
Return the number of fixed parameters this function type requires.
Definition: DerivedTypes.h:144
llvm::GetElementPtrInst
an instruction for type-safe pointer arithmetic to access elements of arrays and structs
Definition: Instructions.h:933
llvm::GlobalObject::setComdat
void setComdat(Comdat *C)
Definition: Globals.cpp:212
llvm::GlobalValue::PrivateLinkage
@ PrivateLinkage
Like Internal, but omit from symbol table.
Definition: GlobalValue.h:60
llvm::GlobalValue::ExternalLinkage
@ ExternalLinkage
Externally visible function.
Definition: GlobalValue.h:52
llvm::GlobalsAA
Analysis pass providing a never-invalidated alias analysis result.
Definition: GlobalsModRef.h:127
llvm::ICmpInst
This instruction compares its operands according to the predicate given to the constructor.
Definition: Instructions.h:1158
llvm::IRBuilderBase::CreateInsertElement
Value * CreateInsertElement(Type *VecTy, Value *NewElt, Value *Idx, const Twine &Name="")
Definition: IRBuilder.h:2511
llvm::IRBuilderBase::CreateConstGEP1_32
Value * CreateConstGEP1_32(Type *Ty, Value *Ptr, unsigned Idx0, const Twine &Name="")
Definition: IRBuilder.h:1887
llvm::IRBuilderBase::CreateAlloca
AllocaInst * CreateAlloca(Type *Ty, unsigned AddrSpace, Value *ArraySize=nullptr, const Twine &Name="")
Definition: IRBuilder.h:1781
llvm::IRBuilderBase::getInt1Ty
IntegerType * getInt1Ty()
Fetch the type representing a single bit.
Definition: IRBuilder.h:530
llvm::IRBuilderBase::CreateMaskedCompressStore
CallInst * CreateMaskedCompressStore(Value *Val, Value *Ptr, MaybeAlign Align, Value *Mask=nullptr)
Create a call to Masked Compress Store intrinsic.
Definition: IRBuilder.cpp:676
llvm::IRBuilderBase::CreateInsertValue
Value * CreateInsertValue(Value *Agg, Value *Val, ArrayRef< unsigned > Idxs, const Twine &Name="")
Definition: IRBuilder.h:2562
llvm::IRBuilderBase::CreateExtractElement
Value * CreateExtractElement(Value *Vec, Value *Idx, const Twine &Name="")
Definition: IRBuilder.h:2499
llvm::IRBuilderBase::getIntNTy
IntegerType * getIntNTy(unsigned N)
Fetch the type representing an N-bit integer.
Definition: IRBuilder.h:558
llvm::IRBuilderBase::CreateAlignedLoad
LoadInst * CreateAlignedLoad(Type *Ty, Value *Ptr, MaybeAlign Align, const char *Name)
Definition: IRBuilder.h:1815
llvm::IRBuilderBase::CreateZExtOrTrunc
Value * CreateZExtOrTrunc(Value *V, Type *DestTy, const Twine &Name="")
Create a ZExt or Trunc from the integer value V to DestTy.
Definition: IRBuilder.h:2051
llvm::IRBuilderBase::CreateAndReduce
CallInst * CreateAndReduce(Value *Src)
Create a vector int AND reduction intrinsic of the source vector.
Definition: IRBuilder.cpp:420
llvm::IRBuilderBase::CreatePointerCast
Value * CreatePointerCast(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:2199
llvm::IRBuilderBase::CreateExtractValue
Value * CreateExtractValue(Value *Agg, ArrayRef< unsigned > Idxs, const Twine &Name="")
Definition: IRBuilder.h:2555
llvm::IRBuilderBase::CreateMaskedLoad
CallInst * CreateMaskedLoad(Type *Ty, Value *Ptr, Align Alignment, Value *Mask, Value *PassThru=nullptr, const Twine &Name="")
Create a call to Masked Load intrinsic.
Definition: IRBuilder.cpp:546
llvm::IRBuilderBase::CreateMemSet
CallInst * CreateMemSet(Value *Ptr, Value *Val, uint64_t Size, MaybeAlign Align, bool isVolatile=false, MDNode *TBAATag=nullptr, MDNode *ScopeTag=nullptr, MDNode *NoAliasTag=nullptr)
Create and insert a memset to the specified pointer and the specified value.
Definition: IRBuilder.h:614
llvm::IRBuilderBase::CreateSelect
Value * CreateSelect(Value *C, Value *True, Value *False, const Twine &Name="", Instruction *MDFrom=nullptr)
Definition: IRBuilder.cpp:1053
llvm::IRBuilderBase::GetInsertPoint
BasicBlock::iterator GetInsertPoint() const
Definition: IRBuilder.h:194
llvm::IRBuilderBase::CreateSExt
Value * CreateSExt(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:2045
llvm::IRBuilderBase::CreateIntToPtr
Value * CreateIntToPtr(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:2147
llvm::IRBuilderBase::CreateTypeSize
Value * CreateTypeSize(Type *DstType, TypeSize Size)
Create an expression which evaluates to the number of units in Size at runtime.
Definition: IRBuilder.cpp:103
llvm::IRBuilderBase::CreateLShr
Value * CreateLShr(Value *LHS, Value *RHS, const Twine &Name="", bool isExact=false)
Definition: IRBuilder.h:1480
llvm::IRBuilderBase::getInt32Ty
IntegerType * getInt32Ty()
Fetch the type representing a 32-bit integer.
Definition: IRBuilder.h:545
llvm::IRBuilderBase::getInt8
ConstantInt * getInt8(uint8_t C)
Get a constant 8-bit value.
Definition: IRBuilder.h:495
llvm::IRBuilderBase::getInt64Ty
IntegerType * getInt64Ty()
Fetch the type representing a 64-bit integer.
Definition: IRBuilder.h:550
llvm::IRBuilderBase::CreateUDiv
Value * CreateUDiv(Value *LHS, Value *RHS, const Twine &Name="", bool isExact=false)
Definition: IRBuilder.h:1421
llvm::IRBuilderBase::CreateICmpNE
Value * CreateICmpNE(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2274
llvm::IRBuilderBase::CreateGEP
Value * CreateGEP(Type *Ty, Value *Ptr, ArrayRef< Value * > IdxList, const Twine &Name="", GEPNoWrapFlags NW=GEPNoWrapFlags::none())
Definition: IRBuilder.h:1874
llvm::IRBuilderBase::CreateNeg
Value * CreateNeg(Value *V, const Twine &Name="", bool HasNSW=false)
Definition: IRBuilder.h:1733
llvm::IRBuilderBase::CreateOrReduce
CallInst * CreateOrReduce(Value *Src)
Create a vector int OR reduction intrinsic of the source vector.
Definition: IRBuilder.cpp:424
llvm::IRBuilderBase::CreateBinaryIntrinsic
Value * CreateBinaryIntrinsic(Intrinsic::ID ID, Value *LHS, Value *RHS, FMFSource FMFSource={}, const Twine &Name="")
Create a call to intrinsic ID with 2 operands which is mangled on the first type.
Definition: IRBuilder.cpp:889
llvm::IRBuilderBase::CreateIntrinsic
CallInst * CreateIntrinsic(Intrinsic::ID ID, ArrayRef< Type * > Types, ArrayRef< Value * > Args, FMFSource FMFSource={}, const Twine &Name="")
Create a call to intrinsic ID with Args, mangled using Types.
Definition: IRBuilder.cpp:900
llvm::IRBuilderBase::getInt32
ConstantInt * getInt32(uint32_t C)
Get a constant 32-bit value.
Definition: IRBuilder.h:505
llvm::IRBuilderBase::CreatePHI
PHINode * CreatePHI(Type *Ty, unsigned NumReservedValues, const Twine &Name="")
Definition: IRBuilder.h:2435
llvm::IRBuilderBase::CreateNot
Value * CreateNot(Value *V, const Twine &Name="")
Definition: IRBuilder.h:1757
llvm::IRBuilderBase::CreateICmpEQ
Value * CreateICmpEQ(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2270
llvm::IRBuilderBase::getCurrentDebugLocation
DebugLoc getCurrentDebugLocation() const
Get location information used by debugging information.
Definition: IRBuilder.cpp:64
llvm::IRBuilderBase::CreateSub
Value * CreateSub(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1387
llvm::IRBuilderBase::CreateBitCast
Value * CreateBitCast(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:2152
llvm::IRBuilderBase::getIntN
ConstantInt * getIntN(unsigned N, uint64_t C)
Get a constant N-bit value, zero extended or truncated from a 64-bit value.
Definition: IRBuilder.h:516
llvm::IRBuilderBase::CreateLoad
LoadInst * CreateLoad(Type *Ty, Value *Ptr, const char *Name)
Provided to resolve 'CreateLoad(Ty, Ptr, "...")' correctly, instead of converting the string to 'bool...
Definition: IRBuilder.h:1798
llvm::IRBuilderBase::CreateShl
Value * CreateShl(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1459
llvm::IRBuilderBase::CreateZExt
Value * CreateZExt(Value *V, Type *DestTy, const Twine &Name="", bool IsNonNeg=false)
Definition: IRBuilder.h:2033
llvm::IRBuilderBase::CreateShuffleVector
Value * CreateShuffleVector(Value *V1, Value *V2, Value *Mask, const Twine &Name="")
Definition: IRBuilder.h:2533
llvm::IRBuilderBase::getContext
LLVMContext & getContext() const
Definition: IRBuilder.h:195
llvm::IRBuilderBase::CreateAnd
Value * CreateAnd(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1518
llvm::IRBuilderBase::CreateStore
StoreInst * CreateStore(Value *Val, Value *Ptr, bool isVolatile=false)
Definition: IRBuilder.h:1811
llvm::IRBuilderBase::CreateMaskedStore
CallInst * CreateMaskedStore(Value *Val, Value *Ptr, Align Alignment, Value *Mask)
Create a call to Masked Store intrinsic.
Definition: IRBuilder.cpp:566
llvm::IRBuilderBase::CreateAdd
Value * CreateAdd(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1370
llvm::IRBuilderBase::CreatePtrToInt
Value * CreatePtrToInt(Value *V, Type *DestTy, const Twine &Name="")
Definition: IRBuilder.h:2142
llvm::IRBuilderBase::CreateIsNotNull
Value * CreateIsNotNull(Value *Arg, const Twine &Name="")
Return a boolean value testing if Arg != 0.
Definition: IRBuilder.h:2588
llvm::IRBuilderBase::CreateCall
CallInst * CreateCall(FunctionType *FTy, Value *Callee, ArrayRef< Value * > Args={}, const Twine &Name="", MDNode *FPMathTag=nullptr)
Definition: IRBuilder.h:2449
llvm::IRBuilderBase::CreateTrunc
Value * CreateTrunc(Value *V, Type *DestTy, const Twine &Name="", bool IsNUW=false, bool IsNSW=false)
Definition: IRBuilder.h:2019
llvm::IRBuilderBase::CreateOr
Value * CreateOr(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1540
llvm::IRBuilderBase::getPtrTy
PointerType * getPtrTy(unsigned AddrSpace=0)
Fetch the type representing a pointer.
Definition: IRBuilder.h:588
llvm::IRBuilderBase::CreateBinOp
Value * CreateBinOp(Instruction::BinaryOps Opc, Value *LHS, Value *RHS, const Twine &Name="", MDNode *FPMathTag=nullptr)
Definition: IRBuilder.h:1671
llvm::IRBuilderBase::CreateICmpSLT
Value * CreateICmpSLT(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2302
llvm::IRBuilderBase::CreateIntCast
Value * CreateIntCast(Value *V, Type *DestTy, bool isSigned, const Twine &Name="")
Definition: IRBuilder.h:2225
llvm::IRBuilderBase::CreateIsNull
Value * CreateIsNull(Value *Arg, const Twine &Name="")
Return a boolean value testing if Arg == 0.
Definition: IRBuilder.h:2583
llvm::IRBuilderBase::SetInsertPoint
void SetInsertPoint(BasicBlock *TheBB)
This specifies that created instructions should be appended to the end of the specified block.
Definition: IRBuilder.h:199
llvm::IRBuilderBase::getVoidTy
Type * getVoidTy()
Fetch the type representing void.
Definition: IRBuilder.h:583
llvm::IRBuilderBase::CreateAlignedStore
StoreInst * CreateAlignedStore(Value *Val, Value *Ptr, MaybeAlign Align, bool isVolatile=false)
Definition: IRBuilder.h:1834
llvm::IRBuilderBase::CreateMaskedExpandLoad
CallInst * CreateMaskedExpandLoad(Type *Ty, Value *Ptr, MaybeAlign Align, Value *Mask=nullptr, Value *PassThru=nullptr, const Twine &Name="")
Create a call to Masked Expand Load intrinsic.
Definition: IRBuilder.cpp:653
llvm::IRBuilderBase::CreateInBoundsPtrAdd
Value * CreateInBoundsPtrAdd(Value *Ptr, Value *Offset, const Twine &Name="")
Definition: IRBuilder.h:1992
llvm::IRBuilderBase::CreateAShr
Value * CreateAShr(Value *LHS, Value *RHS, const Twine &Name="", bool isExact=false)
Definition: IRBuilder.h:1499
llvm::IRBuilderBase::CreateXor
Value * CreateXor(Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:1562
llvm::IRBuilderBase::CreateICmp
Value * CreateICmp(CmpInst::Predicate P, Value *LHS, Value *RHS, const Twine &Name="")
Definition: IRBuilder.h:2380
llvm::IRBuilderBase::getInt8Ty
IntegerType * getInt8Ty()
Fetch the type representing an 8-bit integer.
Definition: IRBuilder.h:535
llvm::IRBuilderBase::CreateMemCpy
CallInst * CreateMemCpy(Value *Dst, MaybeAlign DstAlign, Value *Src, MaybeAlign SrcAlign, uint64_t Size, bool isVolatile=false, MDNode *TBAATag=nullptr, MDNode *TBAAStructTag=nullptr, MDNode *ScopeTag=nullptr, MDNode *NoAliasTag=nullptr)
Create and insert a memcpy between the specified pointers.
Definition: IRBuilder.h:677
llvm::IRBuilderBase::CreateMul
Value * CreateMul(Value *LHS, Value *RHS, const Twine &Name="", bool HasNUW=false, bool HasNSW=false)
Definition: IRBuilder.h:1404
llvm::IRBuilderBase::CreateMaskedScatter
CallInst * CreateMaskedScatter(Value *Val, Value *Ptrs, Align Alignment, Value *Mask=nullptr)
Create a call to Masked Scatter intrinsic.
Definition: IRBuilder.cpp:627
llvm::IRBuilderBase::CreateMaskedGather
CallInst * CreateMaskedGather(Type *Ty, Value *Ptrs, Align Alignment, Value *Mask=nullptr, Value *PassThru=nullptr, const Twine &Name="")
Create a call to Masked Gather intrinsic.
Definition: IRBuilder.cpp:596
llvm::IRBuilder
This provides a uniform API for creating instructions and inserting them into a basic block: either a...
Definition: IRBuilder.h:2705
llvm::InlineAsm::ConstraintInfoVector
std::vector< ConstraintInfo > ConstraintInfoVector
Definition: InlineAsm.h:121
llvm::InnerAnalysisManagerProxy
An analysis over an "outer" IR unit that provides access to an analysis manager over an "inner" IR un...
Definition: PassManager.h:567
llvm::InsertElementInst
This instruction inserts a single (scalar) element into a VectorType value.
Definition: Instructions.h:1834
llvm::InsertValueInst
This instruction inserts a struct field of array element value into an aggregate value.
Definition: Instructions.h:2485
llvm::InstVisitor
Base class for instruction visitors.
Definition: InstVisitor.h:78
llvm::InstVisitor::visit
void visit(Iterator Start, Iterator End)
Definition: InstVisitor.h:87
llvm::Instruction::getDebugLoc
const DebugLoc & getDebugLoc() const
Return the debug location for this node as a DebugLoc.
Definition: Instruction.h:475
llvm::Instruction::getMetadata
MDNode * getMetadata(unsigned KindID) const
Get the metadata of given kind attached to this Instruction.
Definition: Instruction.h:390
llvm::IntToPtrInst
This class represents a cast from an integer to a pointer.
Definition: Instructions.h:4816
llvm::IntegerType
Class to represent integer types.
Definition: DerivedTypes.h:42
llvm::IntegerType::get
static IntegerType * get(LLVMContext &C, unsigned NumBits)
This static method is the primary way of constructing an IntegerType.
Definition: Type.cpp:311
llvm::IntrinsicInst
A wrapper class for inspecting calls to intrinsic functions.
Definition: IntrinsicInst.h:48
llvm::LLVMContext
This is an important class for using LLVM in a threaded context.
Definition: LLVMContext.h:67
llvm::LandingPadInst
The landingpad instruction holds all of the information necessary to generate correct exception handl...
Definition: Instructions.h:2840
llvm::LoadInst
An instruction for reading from memory.
Definition: Instructions.h:176
llvm::MDBuilder::createUnlikelyBranchWeights
MDNode * createUnlikelyBranchWeights()
Return metadata containing two branch weights, with significant bias towards false destination.
Definition: MDBuilder.cpp:47
llvm::MDNode
Metadata node.
Definition: Metadata.h:1073
llvm::MemCpyInst
This class wraps the llvm.memcpy intrinsic.
Definition: IntrinsicInst.h:1321
llvm::MemMoveInst
This class wraps the llvm.memmove intrinsic.
Definition: IntrinsicInst.h:1334
llvm::MemSetInst
This class wraps the llvm.memset and llvm.memset.inline intrinsics.
Definition: IntrinsicInst.h:1237
llvm::Module
A Module instance is used to store all the information related to an LLVM module.
Definition: Module.h:65
llvm::PHINode::addIncoming
void addIncoming(Value *V, BasicBlock *BB)
Add an incoming value to the end of the PHI list.
Definition: Instructions.h:2735
llvm::PoisonValue
In order to facilitate speculative execution, many instructions do not invoke immediate undefined beh...
Definition: Constants.h:1460
llvm::PoisonValue::get
static PoisonValue * get(Type *T)
Static factory methods - Return an 'poison' object of the specified type.
Definition: Constants.cpp:1878
llvm::PreservedAnalyses
A set of analyses that are preserved following a run of a transformation pass.
Definition: Analysis.h:111
llvm::PreservedAnalyses::none
static PreservedAnalyses none()
Convenience factory function for the empty preserved set.
Definition: Analysis.h:114
llvm::PreservedAnalyses::all
static PreservedAnalyses all()
Construct a special preserved set that preserves all passes.
Definition: Analysis.h:117
llvm::PreservedAnalyses::abandon
void abandon()
Mark an analysis as abandoned.
Definition: Analysis.h:164
llvm::PtrToIntInst
This class represents a cast from a pointer to an integer.
Definition: Instructions.h:4851
llvm::ResumeInst
Resume the propagation of an exception.
Definition: Instructions.h:4002
llvm::ReturnInst
Return a value (possibly void), from a function.
Definition: Instructions.h:2938
llvm::SExtInst
This class represents a sign extension of integer types.
Definition: Instructions.h:4600
llvm::SelectInst
This class represents the LLVM 'select' instruction.
Definition: Instructions.h:1657
llvm::SetVector::remove
bool remove(const value_type &X)
Remove an item from the set vector.
Definition: SetVector.h:188
llvm::SetVector::insert
bool insert(const value_type &X)
Insert a new element into the SetVector.
Definition: SetVector.h:162
llvm::ShuffleVectorInst
This instruction constructs a fixed permutation of two input vectors.
Definition: Instructions.h:1901
llvm::SmallPtrSet
SmallPtrSet - This class implements a set which is optimized for holding SmallSize or less elements.
Definition: SmallPtrSet.h:519
llvm::SmallSetVector
A SetVector that performs no allocations if smaller than a certain size.
Definition: SetVector.h:370
llvm::SmallVectorBase::empty
bool empty() const
Definition: SmallVector.h:81
llvm::SmallVectorImpl::append
void append(ItTy in_start, ItTy in_end)
Add the specified range to the end of the SmallVector.
Definition: SmallVector.h:683
llvm::SmallVectorTemplateBase::push_back
void push_back(const T &Elt)
Definition: SmallVector.h:413
llvm::SmallVector
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
Definition: SmallVector.h:1196
llvm::StoreInst
An instruction for storing to memory.
Definition: Instructions.h:292
llvm::StringRef
StringRef - Represent a constant reference to a string, i.e.
Definition: StringRef.h:51
llvm::StructType
Class to represent struct types.
Definition: DerivedTypes.h:218
llvm::StructType::get
static StructType * get(LLVMContext &Context, ArrayRef< Type * > Elements, bool isPacked=false)
This static method is the primary way to create a literal StructType.
Definition: Type.cpp:406
llvm::TargetLibraryAnalysis
Analysis pass providing the TargetLibraryInfo.
Definition: TargetLibraryInfo.h:614
llvm::TargetLibraryInfo
Provides information about what library functions are available for the current target.
Definition: TargetLibraryInfo.h:280
llvm::TargetLibraryInfo::getAttrList
AttributeList getAttrList(LLVMContext *C, ArrayRef< unsigned > ArgNos, bool Signed, bool Ret=false, AttributeList AL=AttributeList()) const
Definition: TargetLibraryInfo.h:550
llvm::TargetLibraryInfo::getLibFunc
bool getLibFunc(StringRef funcName, LibFunc &F) const
Searches for a particular function name.
Definition: TargetLibraryInfo.h:345
llvm::Triple
Triple - Helper class for working with autoconf configuration names.
Definition: Triple.h:44
llvm::Triple::isMIPS64
bool isMIPS64() const
Tests whether the target is MIPS 64-bit (little and big endian).
Definition: Triple.h:980
llvm::Triple::aarch64_be
@ aarch64_be
Definition: Triple.h:52
llvm::Triple::loongarch64
@ loongarch64
Definition: Triple.h:62
llvm::Triple::mips64el
@ mips64el
Definition: Triple.h:67
llvm::Triple::isRISCV32
bool isRISCV32() const
Tests whether the target is 32-bit RISC-V.
Definition: Triple.h:1023
llvm::Triple::isPPC32
bool isPPC32() const
Tests whether the target is 32-bit PowerPC (little and big endian).
Definition: Triple.h:996
llvm::Triple::getArch
ArchType getArch() const
Get the parsed architecture type of this triple.
Definition: Triple.h:395
llvm::Triple::isRISCV64
bool isRISCV64() const
Tests whether the target is 64-bit RISC-V.
Definition: Triple.h:1026
llvm::Triple::isLoongArch64
bool isLoongArch64() const
Tests whether the target is 64-bit LoongArch.
Definition: Triple.h:969
llvm::Triple::isMIPS32
bool isMIPS32() const
Tests whether the target is MIPS 32-bit (little and big endian).
Definition: Triple.h:975
llvm::Triple::isARM
bool isARM() const
Tests whether the target is ARM (little and big endian).
Definition: Triple.h:892
llvm::Triple::isPPC64
bool isPPC64() const
Tests whether the target is 64-bit PowerPC (little and big endian).
Definition: Triple.h:1001
llvm::Triple::isAArch64
bool isAArch64() const
Tests whether the target is AArch64 (little and big endian).
Definition: Triple.h:948
llvm::Triple::isSystemZ
bool isSystemZ() const
Tests whether the target is SystemZ.
Definition: Triple.h:1043
llvm::TruncInst
This class represents a truncation of integer types.
Definition: Instructions.h:4503
llvm::Twine
Twine - A lightweight data structure for efficiently representing the concatenation of temporary valu...
Definition: Twine.h:81
llvm::Type
The instances of the Type class are immutable: once they are created, they are never changed.
Definition: Type.h:45
llvm::Type::getIntegerBitWidth
unsigned getIntegerBitWidth() const
llvm::Type::isVectorTy
bool isVectorTy() const
True if this is an instance of VectorType.
Definition: Type.h:270
llvm::Type::isPointerTy
bool isPointerTy() const
True if this is an instance of PointerType.
Definition: Type.h:264
llvm::Type::isPPC_FP128Ty
bool isPPC_FP128Ty() const
Return true if this is powerpc long double.
Definition: Type.h:165
llvm::Type::getIntNTy
static IntegerType * getIntNTy(LLVMContext &C, unsigned N)
llvm::Type::getScalarSizeInBits
unsigned getScalarSizeInBits() const LLVM_READONLY
If this is a vector type, return the getPrimitiveSizeInBits value for the element type.
llvm::Type::getVoidTy
static Type * getVoidTy(LLVMContext &C)
llvm::Type::isSized
bool isSized(SmallPtrSetImpl< Type * > *Visited=nullptr) const
Return true if it makes sense to take the size of this type.
Definition: Type.h:310
llvm::Type::getInt8Ty
static IntegerType * getInt8Ty(LLVMContext &C)
llvm::Type::isIntOrPtrTy
bool isIntOrPtrTy() const
Return true if this is an integer type or a pointer type.
Definition: Type.h:252
llvm::Type::getInt32Ty
static IntegerType * getInt32Ty(LLVMContext &C)
llvm::Type::getInt64Ty
static IntegerType * getInt64Ty(LLVMContext &C)
llvm::Type::isIntegerTy
bool isIntegerTy() const
True if this is an instance of IntegerType.
Definition: Type.h:237
llvm::Type::getPrimitiveSizeInBits
TypeSize getPrimitiveSizeInBits() const LLVM_READONLY
Return the basic size of this type if it is a primitive type.
llvm::Type::getScalarType
Type * getScalarType() const
If this is a vector type, return the element type, otherwise return 'this'.
Definition: Type.h:355
llvm::UndefValue
'undef' values are things that do not have specified contents.
Definition: Constants.h:1412
llvm::Use
A Use represents the edge between a Value definition and its users.
Definition: Use.h:43
llvm::User::getOperand
Value * getOperand(unsigned i) const
Definition: User.h:228
llvm::User::getNumOperands
unsigned getNumOperands() const
Definition: User.h:250
llvm::VACopyInst
This represents the llvm.va_copy intrinsic.
Definition: IntrinsicInst.h:1498
llvm::VAStartInst
This represents the llvm.va_start intrinsic.
Definition: IntrinsicInst.h:1472
llvm::ValueMap
See the file comment.
Definition: ValueMap.h:84
llvm::ValueMap::count
size_type count(const KeyT &Val) const
Return 1 if the specified key is in the map, 0 otherwise.
Definition: ValueMap.h:151
llvm::Value
LLVM Value Representation.
Definition: Value.h:74
llvm::Value::getType
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:255
llvm::Value::setName
void setName(const Twine &Name)
Change the name of the value.
Definition: Value.cpp:377
llvm::Value::getName
StringRef getName() const
Return a constant reference to the value's name.
Definition: Value.cpp:309
llvm::VectorType::getElementType
Type * getElementType() const
Definition: DerivedTypes.h:460
llvm::ZExtInst
This class represents zero extension of integer types.
Definition: Instructions.h:4569
llvm::cl::Option::getNumOccurrences
int getNumOccurrences() const
Definition: CommandLine.h:399
llvm::details::FixedOrScalableQuantity::getFixedValue
constexpr ScalarTy getFixedValue() const
Definition: TypeSize.h:202
llvm::details::FixedOrScalableQuantity::isScalable
constexpr bool isScalable() const
Returns whether the quantity is scaled by a runtime quantity (vscale).
Definition: TypeSize.h:171
llvm::function_ref
An efficient, type-erasing, non-owning reference to a callable.
Definition: STLFunctionalExtras.h:37
llvm::ilist_detail::node_parent_access::getParent
const ParentTy * getParent() const
Definition: ilist_node.h:32
llvm::ilist_node_impl::getIterator
self_iterator getIterator()
Definition: ilist_node.h:132
llvm::raw_ostream
This class implements an extremely fast bulk output stream that can only output to a stream.
Definition: raw_ostream.h:52
llvm::sys::Memory
This class provides various memory handling functions that manipulate MemoryBlock instances.
Definition: Memory.h:53
uint32_t
uint64_t
llvm_unreachable
#define llvm_unreachable(msg)
Marks that the current location is not supposed to be reachable.
Definition: ErrorHandling.h:143
llvm::ARM_MB::ST
@ ST
Definition: ARMBaseInfo.h:73
llvm::BitmaskEnumDetail::Mask
constexpr std::underlying_type_t< E > Mask()
Get a bitmask with 1s in all places up to the high-order bit of E's largest value.
Definition: BitmaskEnum.h:125
llvm::CallingConv::Win64
@ Win64
The C convention as implemented on Windows/x86-64 and AArch64.
Definition: CallingConv.h:159
llvm::CallingConv::C
@ C
The default llvm calling convention, compatible with C.
Definition: CallingConv.h:34
llvm::PPCISD::SC
@ SC
CHAIN = SC CHAIN, Imm128 - System call.
Definition: PPCISelLowering.h:429
llvm::cl::init
initializer< Ty > init(const Ty &Val)
Definition: CommandLine.h:443
llvm::omp::Kernel
Function * Kernel
Summary of a kernel (=entry point for target offloading).
Definition: OpenMPOpt.h:21
llvm::rdf::Func
NodeAddr< FuncNode * > Func
Definition: RDFGraph.h:393
llvm::tgtok::FalseVal
@ FalseVal
Definition: TGLexer.h:59
llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18
llvm::Log2_32_Ceil
unsigned Log2_32_Ceil(uint32_t Value)
Return the ceil log base 2 of the specified value, 32 if the value is zero.
Definition: MathExtras.h:355
llvm::size
auto size(R &&Range, std::enable_if_t< std::is_base_of< std::random_access_iterator_tag, typename std::iterator_traits< decltype(Range.begin())>::iterator_category >::value, void > *=nullptr)
Get the size of a range.
Definition: STLExtras.h:1697
llvm::enumerate
auto enumerate(FirstRange &&First, RestRanges &&...Rest)
Given two or more input ranges, returns a new range whose values are tuples (A, B,...
Definition: STLExtras.h:2448
llvm::findAllocaForValue
AllocaInst * findAllocaForValue(Value *V, bool OffsetZero=false)
Returns unique alloca where the value comes from, or nullptr.
Definition: ValueTracking.cpp:6963
llvm::Done
@ Done
Definition: Threading.h:61
llvm::getOrCreateSanitizerCtorAndInitFunctions
std::pair< Function *, FunctionCallee > getOrCreateSanitizerCtorAndInitFunctions(Module &M, StringRef CtorName, StringRef InitName, ArrayRef< Type * > InitArgTypes, ArrayRef< Value * > InitArgs, function_ref< void(Function *, FunctionCallee)> FunctionsCreatedCallback, StringRef VersionCheckName=StringRef(), bool Weak=false)
Creates sanitizer constructor function lazily.
Definition: ModuleUtils.cpp:295
llvm::None
@ None
Definition: CodeGenData.h:106
llvm::dbgs
raw_ostream & dbgs()
dbgs() - This returns a reference to a raw_ostream for debugging messages.
Definition: Debug.cpp:163
llvm::report_fatal_error
void report_fatal_error(Error Err, bool gen_crash_diag=true)
Report a serious error, calling any installed error handler.
Definition: Error.cpp:167
llvm::isKnownNonZero
bool isKnownNonZero(const Value *V, const SimplifyQuery &Q, unsigned Depth=0)
Return true if the given value is known to be non-zero when defined.
Definition: ValueTracking.cpp:3487
llvm::errs
raw_fd_ostream & errs()
This returns a reference to a raw_ostream for standard error.
Definition: raw_ostream.cpp:907
llvm::AtomicOrdering
AtomicOrdering
Atomic ordering for LLVM's memory model.
Definition: AtomicOrdering.h:56
llvm::IRMemLocation::First
@ First
Helpers to iterate all locations in the MemoryEffectsBase class.
llvm::RecurKind::Or
@ Or
Bitwise or logical OR of integers.
llvm::RecurKind::Add
@ Add
Sum of integers.
llvm::SplitBlockAndInsertSimpleForLoop
std::pair< Instruction *, Value * > SplitBlockAndInsertSimpleForLoop(Value *End, Instruction *SplitBefore)
Insert a for (int i = 0; i < End; i++) loop structure (with the exception that End is assumed > 0,...
Definition: BasicBlockUtils.cpp:1732
llvm::alignTo
uint64_t alignTo(uint64_t Size, Align A)
Returns a multiple of A needed to store Size bytes.
Definition: Alignment.h:155
llvm::BitWidth
constexpr unsigned BitWidth
Definition: BitmaskEnum.h:217
llvm::appendToGlobalCtors
void appendToGlobalCtors(Module &M, Function *F, int Priority, Constant *Data=nullptr)
Append F to the list of global ctors of module M with the given Priority.
Definition: ModuleUtils.cpp:73
llvm::depth_first
iterator_range< df_iterator< T > > depth_first(const T &G)
Definition: DepthFirstIterator.h:233
llvm::SplitBlockAndInsertIfThen
Instruction * SplitBlockAndInsertIfThen(Value *Cond, BasicBlock::iterator SplitBefore, bool Unreachable, MDNode *BranchWeights=nullptr, DomTreeUpdater *DTU=nullptr, LoopInfo *LI=nullptr, BasicBlock *ThenBlock=nullptr)
Split the containing block at the specified instruction - everything before SplitBefore stays in the ...
Definition: BasicBlockUtils.cpp:1609
llvm::maybeMarkSanitizerLibraryCallNoBuiltin
void maybeMarkSanitizerLibraryCallNoBuiltin(CallInst *CI, const TargetLibraryInfo *TLI)
Given a CallInst, check if it calls a string function known to CodeGen, and mark it with NoBuiltin if...
Definition: Local.cpp:4199
llvm::removeUnreachableBlocks
bool removeUnreachableBlocks(Function &F, DomTreeUpdater *DTU=nullptr, MemorySSAUpdater *MSSAU=nullptr)
Remove all blocks that can not be reached from the function's entry.
Definition: Local.cpp:3274
llvm::checkIfAlreadyInstrumented
bool checkIfAlreadyInstrumented(Module &M, StringRef Flag)
Check if module has flag attached, if not add the flag.
Definition: Instrumentation.cpp:28
raw_ostream.h
llvm::Align
This struct is a compact representation of a valid (non-zero power of two) alignment.
Definition: Alignment.h:39
llvm::Align::value
uint64_t value() const
This is a hole in the type system and should not be abused.
Definition: Alignment.h:85
llvm::MaybeAlign
This struct is a compact representation of a valid (power of two) or undefined (0) alignment.
Definition: Alignment.h:117
llvm::MemorySanitizerPass::printPipeline
void printPipeline(raw_ostream &OS, function_ref< StringRef(StringRef)> MapClassName2PassName)
Definition: MemorySanitizer.cpp:763
llvm::MemorySanitizerPass::run
PreservedAnalyses run(Module &M, ModuleAnalysisManager &AM)
Definition: MemorySanitizer.cpp:732
llvm::PassInfoMixin
A CRTP mix-in to automatically provide informational APIs needed for passes.
Definition: PassManager.h:69
Generated on Thu Jun 12 2025 23:55:36 for LLVM by doxygen 1.9.6