AddressSanitizer.cpp source code [llvm_projects/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp]

1	//===- AddressSanitizer.cpp - memory error detector -----------------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file is a part of AddressSanitizer, an address basic correctness
10	// checker.
11	// Details of the algorithm:
12	// https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm
13	//
14	// FIXME: This sanitizer does not yet handle scalable vectors
15	//
16	//===----------------------------------------------------------------------===//
17
18	#include "llvm/Transforms/Instrumentation/AddressSanitizer.h"
19	#include "llvm/ADT/ArrayRef.h"
20	#include "llvm/ADT/DenseMap.h"
21	#include "llvm/ADT/DepthFirstIterator.h"
22	#include "llvm/ADT/SmallPtrSet.h"
23	#include "llvm/ADT/SmallVector.h"
24	#include "llvm/ADT/Statistic.h"
25	#include "llvm/ADT/StringExtras.h"
26	#include "llvm/ADT/StringRef.h"
27	#include "llvm/ADT/Twine.h"
28	#include "llvm/Analysis/GlobalsModRef.h"
29	#include "llvm/Analysis/MemoryBuiltins.h"
30	#include "llvm/Analysis/StackSafetyAnalysis.h"
31	#include "llvm/Analysis/TargetLibraryInfo.h"
32	#include "llvm/Analysis/ValueTracking.h"
33	#include "llvm/BinaryFormat/MachO.h"
34	#include "llvm/Demangle/Demangle.h"
35	#include "llvm/IR/Argument.h"
36	#include "llvm/IR/Attributes.h"
37	#include "llvm/IR/BasicBlock.h"
38	#include "llvm/IR/Comdat.h"
39	#include "llvm/IR/Constant.h"
40	#include "llvm/IR/Constants.h"
41	#include "llvm/IR/DIBuilder.h"
42	#include "llvm/IR/DataLayout.h"
43	#include "llvm/IR/DebugInfoMetadata.h"
44	#include "llvm/IR/DebugLoc.h"
45	#include "llvm/IR/DerivedTypes.h"
46	#include "llvm/IR/EHPersonalities.h"
47	#include "llvm/IR/Function.h"
48	#include "llvm/IR/GlobalAlias.h"
49	#include "llvm/IR/GlobalValue.h"
50	#include "llvm/IR/GlobalVariable.h"
51	#include "llvm/IR/IRBuilder.h"
52	#include "llvm/IR/InlineAsm.h"
53	#include "llvm/IR/InstVisitor.h"
54	#include "llvm/IR/InstrTypes.h"
55	#include "llvm/IR/Instruction.h"
56	#include "llvm/IR/Instructions.h"
57	#include "llvm/IR/IntrinsicInst.h"
58	#include "llvm/IR/Intrinsics.h"
59	#include "llvm/IR/LLVMContext.h"
60	#include "llvm/IR/MDBuilder.h"
61	#include "llvm/IR/Metadata.h"
62	#include "llvm/IR/Module.h"
63	#include "llvm/IR/Type.h"
64	#include "llvm/IR/Use.h"
65	#include "llvm/IR/Value.h"
66	#include "llvm/MC/MCSectionMachO.h"
67	#include "llvm/Support/Casting.h"
68	#include "llvm/Support/CommandLine.h"
69	#include "llvm/Support/Debug.h"
70	#include "llvm/Support/ErrorHandling.h"
71	#include "llvm/Support/MathExtras.h"
72	#include "llvm/Support/raw_ostream.h"
73	#include "llvm/TargetParser/Triple.h"
74	#include "llvm/Transforms/Instrumentation/AddressSanitizerCommon.h"
75	#include "llvm/Transforms/Instrumentation/AddressSanitizerOptions.h"
76	#include "llvm/Transforms/Utils/ASanStackFrameLayout.h"
77	#include "llvm/Transforms/Utils/BasicBlockUtils.h"
78	#include "llvm/Transforms/Utils/Instrumentation.h"
79	#include "llvm/Transforms/Utils/Local.h"
80	#include "llvm/Transforms/Utils/ModuleUtils.h"
81	#include "llvm/Transforms/Utils/PromoteMemToReg.h"
82	#include <algorithm>
83	#include <cassert>
84	#include <cstddef>
85	#include <cstdint>
86	#include <iomanip>
87	#include <limits>
88	#include <sstream>
89	#include <string>
90	#include <tuple>
91
92	using namespace llvm;
93
94	#define DEBUG_TYPE "asan"
95
96	static const uint64_t kDefaultShadowScale = `3`;
97	static const uint64_t kDefaultShadowOffset32 = `1ULL` << `29`;
98	static const uint64_t kDefaultShadowOffset64 = `1ULL` << `44`;
99	static const uint64_t kDynamicShadowSentinel =
100	std::numeric_limits<uint64_t>::max();
101	static const uint64_t kSmallX86_64ShadowOffsetBase = `0x7FFFFFFF`; // < 2G.
102	static const uint64_t kSmallX86_64ShadowOffsetAlignMask = ~`0xFFFULL`;
103	static const uint64_t kLinuxKasan_ShadowOffset64 = `0xdffffc0000000000`;
104	static const uint64_t kPPC64_ShadowOffset64 = `1ULL` << `44`;
105	static const uint64_t kSystemZ_ShadowOffset64 = `1ULL` << `52`;
106	static const uint64_t kMIPS_ShadowOffsetN32 = `1ULL` << `29`;
107	static const uint64_t kMIPS32_ShadowOffset32 = `0x0aaa0000`;
108	static const uint64_t kMIPS64_ShadowOffset64 = `1ULL` << `37`;
109	static const uint64_t kAArch64_ShadowOffset64 = `1ULL` << `36`;
110	static const uint64_t kLoongArch64_ShadowOffset64 = `1ULL` << `46`;
111	static const uint64_t kRISCV64_ShadowOffset64 = kDynamicShadowSentinel;
112	static const uint64_t kFreeBSD_ShadowOffset32 = `1ULL` << `30`;
113	static const uint64_t kFreeBSD_ShadowOffset64 = `1ULL` << `46`;
114	static const uint64_t kFreeBSDAArch64_ShadowOffset64 = `1ULL` << `47`;
115	static const uint64_t kFreeBSDKasan_ShadowOffset64 = `0xdffff7c000000000`;
116	static const uint64_t kNetBSD_ShadowOffset32 = `1ULL` << `30`;
117	static const uint64_t kNetBSD_ShadowOffset64 = `1ULL` << `46`;
118	static const uint64_t kNetBSDKasan_ShadowOffset64 = `0xdfff900000000000`;
119	static const uint64_t kPS_ShadowOffset64 = `1ULL` << `40`;
120	static const uint64_t kWindowsShadowOffset32 = `3ULL` << `28`;
121	static const uint64_t kWebAssemblyShadowOffset = `0`;
122
123	// The shadow memory space is dynamically allocated.
124	static const uint64_t kWindowsShadowOffset64 = kDynamicShadowSentinel;
125
126	static const size_t kMinStackMallocSize = `1` << `6`; // 64B
127	static const size_t kMaxStackMallocSize = `1` << `16`; // 64K
128	static const uintptr_t kCurrentStackFrameMagic = `0x41B58AB3`;
129	static const uintptr_t kRetiredStackFrameMagic = `0x45E0360E`;
130
131	const char kAsanModuleCtorName[] = "asan.module_ctor";
132	const char kAsanModuleDtorName[] = "asan.module_dtor";
133	static const uint64_t kAsanCtorAndDtorPriority = `1`;
134	// On Emscripten, the system needs more than one priorities for constructors.
135	static const uint64_t kAsanEmscriptenCtorAndDtorPriority = `50`;
136	const char kAsanReportErrorTemplate[] = "__asan_report_";
137	const char kAsanRegisterGlobalsName[] = "__asan_register_globals";
138	const char kAsanUnregisterGlobalsName[] = "__asan_unregister_globals";
139	const char kAsanRegisterImageGlobalsName[] = "__asan_register_image_globals";
140	const char kAsanUnregisterImageGlobalsName[] =
141	"__asan_unregister_image_globals";
142	const char kAsanRegisterElfGlobalsName[] = "__asan_register_elf_globals";
143	const char kAsanUnregisterElfGlobalsName[] = "__asan_unregister_elf_globals";
144	const char kAsanPoisonGlobalsName[] = "__asan_before_dynamic_init";
145	const char kAsanUnpoisonGlobalsName[] = "__asan_after_dynamic_init";
146	const char kAsanInitName[] = "__asan_init";
147	const char kAsanVersionCheckNamePrefix[] = "__asan_version_mismatch_check_v";
148	const char kAsanPtrCmp[] = "__sanitizer_ptr_cmp";
149	const char kAsanPtrSub[] = "__sanitizer_ptr_sub";
150	const char kAsanHandleNoReturnName[] = "__asan_handle_no_return";
151	static const int kMaxAsanStackMallocSizeClass = `10`;
152	const char kAsanStackMallocNameTemplate[] = "__asan_stack_malloc_";
153	const char kAsanStackMallocAlwaysNameTemplate[] =
154	"__asan_stack_malloc_always_";
155	const char kAsanStackFreeNameTemplate[] = "__asan_stack_free_";
156	const char kAsanGenPrefix[] = "___asan_gen_";
157	const char kODRGenPrefix[] = "__odr_asan_gen_";
158	const char kSanCovGenPrefix[] = "__sancov_gen_";
159	const char kAsanSetShadowPrefix[] = "__asan_set_shadow_";
160	const char kAsanPoisonStackMemoryName[] = "__asan_poison_stack_memory";
161	const char kAsanUnpoisonStackMemoryName[] = "__asan_unpoison_stack_memory";
162
163	// ASan version script has __asan_ wildcard. Triple underscore prevents a*
164	// linker (gold) warning about attempting to export a local symbol.
165	const char kAsanGlobalsRegisteredFlagName[] = "___asan_globals_registered";
166
167	const char kAsanOptionDetectUseAfterReturn[] =
168	"__asan_option_detect_stack_use_after_return";
169
170	const char kAsanShadowMemoryDynamicAddress[] =
171	"__asan_shadow_memory_dynamic_address";
172
173	const char kAsanAllocaPoison[] = "__asan_alloca_poison";
174	const char kAsanAllocasUnpoison[] = "__asan_allocas_unpoison";
175
176	const char kAMDGPUAddressSharedName[] = "llvm.amdgcn.is.shared";
177	const char kAMDGPUAddressPrivateName[] = "llvm.amdgcn.is.private";
178	const char kAMDGPUBallotName[] = "llvm.amdgcn.ballot.i64";
179	const char kAMDGPUUnreachableName[] = "llvm.amdgcn.unreachable";
180
181	// Accesses sizes are powers of two: 1, 2, 4, 8, 16.
182	static const size_t kNumberOfAccessSizes = `5`;
183
184	static const uint64_t kAllocaRzSize = `32`;
185
186	// ASanAccessInfo implementation constants.
187	constexpr size_t kCompileKernelShift = `0`;
188	constexpr size_t kCompileKernelMask = `0x1`;
189	constexpr size_t kAccessSizeIndexShift = `1`;
190	constexpr size_t kAccessSizeIndexMask = `0xf`;
191	constexpr size_t kIsWriteShift = `5`;
192	constexpr size_t kIsWriteMask = `0x1`;
193
194	// Command-line flags.
195
196	static cl::opt<bool> ClEnableKasan(
197	"asan-kernel", cl::desc ("Enable KernelAddressSanitizer instrumentation"),
198	cl::Hidden, cl::init(Val: false));
199
200	static cl::opt<bool> ClRecover(
201	"asan-recover",
202	cl::desc ("Enable recovery mode (continue-after-error)."),
203	cl::Hidden, cl::init(Val: false));
204
205	static cl::opt<bool> ClInsertVersionCheck(
206	"asan-guard-against-version-mismatch",
207	cl::desc ("Guard against compiler/runtime version mismatch."), cl::Hidden,
208	cl::init(Val: true));
209
210	// This flag may need to be replaced with -f[no-]asan-reads.
211	static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",
212	cl::desc ("instrument read instructions"),
213	cl::Hidden, cl::init(Val: true));
214
215	static cl::opt<bool> ClInstrumentWrites(
216	"asan-instrument-writes", cl::desc ("instrument write instructions"),
217	cl::Hidden, cl::init(Val: true));
218
219	static cl::opt<bool>
220	ClUseStackSafety("asan-use-stack-safety", cl::Hidden, cl::init(Val: true),
221	cl::Hidden, cl::desc ("Use Stack Safety analysis results"),
222	cl::Optional);
223
224	static cl::opt<bool> ClInstrumentAtomics(
225	"asan-instrument-atomics",
226	cl::desc ("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
227	cl::init(Val: true));
228
229	static cl::opt<bool>
230	ClInstrumentByval("asan-instrument-byval",
231	cl::desc ("instrument byval call arguments"), cl::Hidden,
232	cl::init(Val: true));
233
234	static cl::opt<bool> ClAlwaysSlowPath(
235	"asan-always-slow-path",
236	cl::desc ("use instrumentation with slow path for all accesses"), cl::Hidden,
237	cl::init(Val: false));
238
239	static cl::opt<bool> ClForceDynamicShadow(
240	"asan-force-dynamic-shadow",
241	cl::desc ("Load shadow address into a local variable for each function"),
242	cl::Hidden, cl::init(Val: false));
243
244	static cl::opt<bool>
245	ClWithIfunc("asan-with-ifunc",
246	cl::desc ("Access dynamic shadow through an ifunc global on "
247	"platforms that support this"),
248	cl::Hidden, cl::init(Val: true));
249
250	static cl::opt<bool> ClWithIfuncSuppressRemat(
251	"asan-with-ifunc-suppress-remat",
252	cl::desc ("Suppress rematerialization of dynamic shadow address by passing "
253	"it through inline asm in prologue."),
254	cl::Hidden, cl::init(Val: true));
255
256	// This flag limits the number of instructions to be instrumented
257	// in any given BB. Normally, this should be set to unlimited (INT_MAX),
258	// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary
259	// set it to 10000.
260	static cl::opt<int> ClMaxInsnsToInstrumentPerBB(
261	"asan-max-ins-per-bb", cl::init(Val: `10000`),
262	cl::desc ("maximal number of instructions to instrument in any given BB"),
263	cl::Hidden);
264
265	// This flag may need to be replaced with -f[no]asan-stack.
266	static cl::opt<bool> ClStack("asan-stack", cl::desc ("Handle stack memory"),
267	cl::Hidden, cl::init(Val: true));
268	static cl::opt<uint32_t> ClMaxInlinePoisoningSize(
269	"asan-max-inline-poisoning-size",
270	cl::desc (
271	"Inline shadow poisoning for blocks up to the given size in bytes."),
272	cl::Hidden, cl::init(Val: `64`));
273
274	static cl::opt<AsanDetectStackUseAfterReturnMode> ClUseAfterReturn(
275	"asan-use-after-return",
276	cl::desc ("Sets the mode of detection for stack-use-after-return."),
277	cl::values(
278	clEnumValN(AsanDetectStackUseAfterReturnMode::Never, "never",
279	"Never detect stack use after return."),
280	clEnumValN(
281	AsanDetectStackUseAfterReturnMode::Runtime, "runtime",
282	"Detect stack use after return if "
283	"binary flag 'ASAN_OPTIONS=detect_stack_use_after_return' is set."),
284	clEnumValN(AsanDetectStackUseAfterReturnMode::Always, "always",
285	"Always detect stack use after return.")),
286	cl::Hidden, cl::init(Val: AsanDetectStackUseAfterReturnMode::Runtime));
287
288	static cl::opt<bool> ClRedzoneByvalArgs("asan-redzone-byval-args",
289	cl::desc ("Create redzones for byval "
290	"arguments (extra copy "
291	"required)"), cl::Hidden,
292	cl::init(Val: true));
293
294	static cl::opt<bool> ClUseAfterScope("asan-use-after-scope",
295	cl::desc ("Check stack-use-after-scope"),
296	cl::Hidden, cl::init(Val: false));
297
298	// This flag may need to be replaced with -f[no]asan-globals.
299	static cl::opt<bool> ClGlobals("asan-globals",
300	cl::desc ("Handle global objects"), cl::Hidden,
301	cl::init(Val: true));
302
303	static cl::opt<bool> ClInitializers("asan-initialization-order",
304	cl::desc ("Handle C++ initializer order"),
305	cl::Hidden, cl::init(Val: true));
306
307	static cl::opt<bool> ClInvalidPointerPairs(
308	"asan-detect-invalid-pointer-pair",
309	cl::desc ("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden,
310	cl::init(Val: false));
311
312	static cl::opt<bool> ClInvalidPointerCmp(
313	"asan-detect-invalid-pointer-cmp",
314	cl::desc ("Instrument <, <=, >, >= with pointer operands"), cl::Hidden,
315	cl::init(Val: false));
316
317	static cl::opt<bool> ClInvalidPointerSub(
318	"asan-detect-invalid-pointer-sub",
319	cl::desc ("Instrument - operations with pointer operands"), cl::Hidden,
320	cl::init(Val: false));
321
322	static cl::opt<unsigned> ClRealignStack(
323	"asan-realign-stack",
324	cl::desc ("Realign stack to the value of this flag (power of two)"),
325	cl::Hidden, cl::init(Val: `32`));
326
327	static cl::opt<int> ClInstrumentationWithCallsThreshold(
328	"asan-instrumentation-with-call-threshold",
329	cl::desc ("If the function being instrumented contains more than "
330	"this number of memory accesses, use callbacks instead of "
331	"inline checks (-1 means never use callbacks)."),
332	cl::Hidden, cl::init(Val: `7000`));
333
334	static cl::opt<std::string> ClMemoryAccessCallbackPrefix(
335	"asan-memory-access-callback-prefix",
336	cl::desc ("Prefix for memory access callbacks"), cl::Hidden,
337	cl::init(Val: "__asan_"));
338
339	static cl::opt<bool> ClKasanMemIntrinCallbackPrefix(
340	"asan-kernel-mem-intrinsic-prefix",
341	cl::desc ("Use prefix for memory intrinsics in KASAN mode"), cl::Hidden,
342	cl::init(Val: false));
343
344	static cl::opt<bool>
345	ClInstrumentDynamicAllocas("asan-instrument-dynamic-allocas",
346	cl::desc ("instrument dynamic allocas"),
347	cl::Hidden, cl::init(Val: true));
348
349	static cl::opt<bool> ClSkipPromotableAllocas(
350	"asan-skip-promotable-allocas",
351	cl::desc ("Do not instrument promotable allocas"), cl::Hidden,
352	cl::init(Val: true));
353
354	static cl::opt<AsanCtorKind> ClConstructorKind(
355	"asan-constructor-kind",
356	cl::desc ("Sets the ASan constructor kind"),
357	cl::values(clEnumValN(AsanCtorKind::None, "none", "No constructors"),
358	clEnumValN(AsanCtorKind::Global, "global",
359	"Use global constructors")),
360	cl::init(Val: AsanCtorKind::Global), cl::Hidden);
361	// These flags allow to change the shadow mapping.
362	// The shadow mapping looks like
363	// Shadow = (Mem >> scale) + offset
364
365	static cl::opt<int> ClMappingScale("asan-mapping-scale",
366	cl::desc ("scale of asan shadow mapping"),
367	cl::Hidden, cl::init(Val: `0`));
368
369	static cl::opt<uint64_t>
370	ClMappingOffset("asan-mapping-offset",
371	cl::desc ("offset of asan shadow mapping [EXPERIMENTAL]"),
372	cl::Hidden, cl::init(Val: `0`));
373
374	// Optimization flags. Not user visible, used mostly for testing
375	// and benchmarking the tool.
376
377	static cl::opt<bool> ClOpt("asan-opt", cl::desc ("Optimize instrumentation"),
378	cl::Hidden, cl::init(Val: true));
379
380	static cl::opt<bool> ClOptimizeCallbacks("asan-optimize-callbacks",
381	cl::desc ("Optimize callbacks"),
382	cl::Hidden, cl::init(Val: false));
383
384	static cl::opt<bool> ClOptSameTemp(
385	"asan-opt-same-temp", cl::desc ("Instrument the same temp just once"),
386	cl::Hidden, cl::init(Val: true));
387
388	static cl::opt<bool> ClOptGlobals("asan-opt-globals",
389	cl::desc ("Don't instrument scalar globals"),
390	cl::Hidden, cl::init(Val: true));
391
392	static cl::opt<bool> ClOptStack(
393	"asan-opt-stack", cl::desc ("Don't instrument scalar stack variables"),
394	cl::Hidden, cl::init(Val: false));
395
396	static cl::opt<bool> ClDynamicAllocaStack(
397	"asan-stack-dynamic-alloca",
398	cl::desc ("Use dynamic alloca to represent stack variables"), cl::Hidden,
399	cl::init(Val: true));
400
401	static cl::opt<uint32_t> ClForceExperiment(
402	"asan-force-experiment",
403	cl::desc ("Force optimization experiment (for testing)"), cl::Hidden,
404	cl::init(Val: `0`));
405
406	static cl::opt<bool>
407	ClUsePrivateAlias("asan-use-private-alias",
408	cl::desc ("Use private aliases for global variables"),
409	cl::Hidden, cl::init(Val: true));
410
411	static cl::opt<bool>
412	ClUseOdrIndicator("asan-use-odr-indicator",
413	cl::desc ("Use odr indicators to improve ODR reporting"),
414	cl::Hidden, cl::init(Val: true));
415
416	static cl::opt<bool>
417	ClUseGlobalsGC("asan-globals-live-support",
418	cl::desc ("Use linker features to support dead "
419	"code stripping of globals"),
420	cl::Hidden, cl::init(Val: true));
421
422	// This is on by default even though there is a bug in gold:
423	// https://sourceware.org/bugzilla/show_bug.cgi?id=19002
424	static cl::opt<bool>
425	ClWithComdat("asan-with-comdat",
426	cl::desc ("Place ASan constructors in comdat sections"),
427	cl::Hidden, cl::init(Val: true));
428
429	static cl::opt<AsanDtorKind> ClOverrideDestructorKind(
430	"asan-destructor-kind",
431	cl::desc ("Sets the ASan destructor kind. The default is to use the value "
432	"provided to the pass constructor"),
433	cl::values(clEnumValN(AsanDtorKind::None, "none", "No destructors"),
434	clEnumValN(AsanDtorKind::Global, "global",
435	"Use global destructors")),
436	cl::init(Val: AsanDtorKind::Invalid), cl::Hidden);
437
438	// Debug flags.
439
440	static cl::opt<int> ClDebug("asan-debug", cl::desc ("debug"), cl::Hidden,
441	cl::init(Val: `0`));
442
443	static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc ("debug stack"),
444	cl::Hidden, cl::init(Val: `0`));
445
446	static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden,
447	cl::desc ("Debug func"));
448
449	static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc ("Debug min inst"),
450	cl::Hidden, cl::init(Val: -`1`));
451
452	static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc ("Debug max inst"),
453	cl::Hidden, cl::init(Val: -`1`));
454
455	STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
456	STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
457	STATISTIC(NumOptimizedAccessesToGlobalVar,
458	"Number of optimized accesses to global vars");
459	STATISTIC(NumOptimizedAccessesToStackVar,
460	"Number of optimized accesses to stack vars");
461
462	namespace {
463
464	/// This struct defines the shadow mapping using the rule:
465	/// shadow = (mem >> Scale) ADD-or-OR Offset.
466	/// If InGlobal is true, then
467	/// extern char __asan_shadow[];
468	/// shadow = (mem >> Scale) + &__asan_shadow
469	struct ShadowMapping {
470	int Scale;
471	uint64_t Offset;
472	bool OrShadowOffset;
473	bool InGlobal;
474	};
475
476	} // end anonymous namespace
477
478	static ShadowMapping getShadowMapping(const Triple &TargetTriple, int LongSize,
479	bool IsKasan) {
480	bool IsAndroid = TargetTriple.isAndroid();
481	bool IsIOS = TargetTriple.isiOS() \|\| TargetTriple.isWatchOS() \|\|
482	TargetTriple.isDriverKit();
483	bool IsMacOS = TargetTriple.isMacOSX();
484	bool IsFreeBSD = TargetTriple.isOSFreeBSD();
485	bool IsNetBSD = TargetTriple.isOSNetBSD();
486	bool IsPS = TargetTriple.isPS();
487	bool IsLinux = TargetTriple.isOSLinux();
488	bool IsPPC64 = TargetTriple.getArch() == Triple::ppc64 \|\|
489	TargetTriple.getArch() == Triple::ppc64le;
490	bool IsSystemZ = TargetTriple.getArch() == Triple::systemz;
491	bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
492	bool IsMIPSN32ABI = TargetTriple.isABIN32();
493	bool IsMIPS32 = TargetTriple.isMIPS32();
494	bool IsMIPS64 = TargetTriple.isMIPS64();
495	bool IsArmOrThumb = TargetTriple.isARM() \|\| TargetTriple.isThumb();
496	bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64 \|\|
497	TargetTriple.getArch() == Triple::aarch64_be;
498	bool IsLoongArch64 = TargetTriple.isLoongArch64();
499	bool IsRISCV64 = TargetTriple.getArch() == Triple::riscv64;
500	bool IsWindows = TargetTriple.isOSWindows();
501	bool IsFuchsia = TargetTriple.isOSFuchsia();
502	bool IsAMDGPU = TargetTriple.isAMDGPU();
503	bool IsHaiku = TargetTriple.isOSHaiku();
504	bool IsWasm = TargetTriple.isWasm();
505
506	ShadowMapping Mapping;
507
508	Mapping.Scale = kDefaultShadowScale;
509	if (ClMappingScale.getNumOccurrences() > `0`) {
510	Mapping.Scale = ClMappingScale;
511	}
512
513	if (LongSize == `32`) {
514	if (IsAndroid)
515	Mapping.Offset = kDynamicShadowSentinel;
516	else if (IsMIPSN32ABI)
517	Mapping.Offset = kMIPS_ShadowOffsetN32;
518	else if (IsMIPS32)
519	Mapping.Offset = kMIPS32_ShadowOffset32;
520	else if (IsFreeBSD)
521	Mapping.Offset = kFreeBSD_ShadowOffset32;
522	else if (IsNetBSD)
523	Mapping.Offset = kNetBSD_ShadowOffset32;
524	else if (IsIOS)
525	Mapping.Offset = kDynamicShadowSentinel;
526	else if (IsWindows)
527	Mapping.Offset = kWindowsShadowOffset32;
528	else if (IsWasm)
529	Mapping.Offset = kWebAssemblyShadowOffset;
530	else
531	Mapping.Offset = kDefaultShadowOffset32;
532	} else { // LongSize == 64
533	// Fuchsia is always PIE, which means that the beginning of the address
534	// space is always available.
535	if (IsFuchsia)
536	Mapping.Offset = `0`;
537	else if (IsPPC64)
538	Mapping.Offset = kPPC64_ShadowOffset64;
539	else if (IsSystemZ)
540	Mapping.Offset = kSystemZ_ShadowOffset64;
541	else if (IsFreeBSD && IsAArch64)
542	Mapping.Offset = kFreeBSDAArch64_ShadowOffset64;
543	else if (IsFreeBSD && !IsMIPS64) {
544	if (IsKasan)
545	Mapping.Offset = kFreeBSDKasan_ShadowOffset64;
546	else
547	Mapping.Offset = kFreeBSD_ShadowOffset64;
548	} else if (IsNetBSD) {
549	if (IsKasan)
550	Mapping.Offset = kNetBSDKasan_ShadowOffset64;
551	else
552	Mapping.Offset = kNetBSD_ShadowOffset64;
553	} else if (IsPS)
554	Mapping.Offset = kPS_ShadowOffset64;
555	else if (IsLinux && IsX86_64) {
556	if (IsKasan)
557	Mapping.Offset = kLinuxKasan_ShadowOffset64;
558	else
559	Mapping.Offset = (kSmallX86_64ShadowOffsetBase &
560	(kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale));
561	} else if (IsWindows && IsX86_64) {
562	Mapping.Offset = kWindowsShadowOffset64;
563	} else if (IsMIPS64)
564	Mapping.Offset = kMIPS64_ShadowOffset64;
565	else if (IsIOS)
566	Mapping.Offset = kDynamicShadowSentinel;
567	else if (IsMacOS && IsAArch64)
568	Mapping.Offset = kDynamicShadowSentinel;
569	else if (IsAArch64)
570	Mapping.Offset = kAArch64_ShadowOffset64;
571	else if (IsLoongArch64)
572	Mapping.Offset = kLoongArch64_ShadowOffset64;
573	else if (IsRISCV64)
574	Mapping.Offset = kRISCV64_ShadowOffset64;
575	else if (IsAMDGPU)
576	Mapping.Offset = (kSmallX86_64ShadowOffsetBase &
577	(kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale));
578	else if (IsHaiku && IsX86_64)
579	Mapping.Offset = (kSmallX86_64ShadowOffsetBase &
580	(kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale));
581	else
582	Mapping.Offset = kDefaultShadowOffset64;
583	}
584
585	if (ClForceDynamicShadow) {
586	Mapping.Offset = kDynamicShadowSentinel;
587	}
588
589	if (ClMappingOffset.getNumOccurrences() > `0`) {
590	Mapping.Offset = ClMappingOffset;
591	}
592
593	// OR-ing shadow offset if more efficient (at least on x86) if the offset
594	// is a power of two, but on ppc64 and loongarch64 we have to use add since
595	// the shadow offset is not necessarily 1/8-th of the address space. On
596	// SystemZ, we could OR the constant in a single instruction, but it's more
597	// efficient to load it once and use indexed addressing.
598	Mapping.OrShadowOffset = !IsAArch64 && !IsPPC64 && !IsSystemZ && !IsPS &&
599	!IsRISCV64 && !IsLoongArch64 &&
600	!(Mapping.Offset & (Mapping.Offset - `1`)) &&
601	Mapping.Offset != kDynamicShadowSentinel;
602	bool IsAndroidWithIfuncSupport =
603	IsAndroid && !TargetTriple.isAndroidVersionLT(Major: `21`);
604	Mapping.InGlobal = ClWithIfunc && IsAndroidWithIfuncSupport && IsArmOrThumb;
605
606	return Mapping;
607	}
608
609	namespace llvm {
610	void getAddressSanitizerParams(const Triple &TargetTriple, int LongSize,
611	bool IsKasan, uint64_t *ShadowBase,
612	int MappingScale, bool* *OrShadowOffset) {
613	auto Mapping = getShadowMapping(TargetTriple, LongSize, IsKasan);
614	*ShadowBase = Mapping.Offset;
615	*MappingScale = Mapping.Scale;
616	*OrShadowOffset = Mapping.OrShadowOffset;
617	}
618
619	void removeASanIncompatibleFnAttributes(Function &F, bool ReadsArgMem) {
620	// Sanitizer checks read from shadow, which invalidates memory(argmem: ).*
621	//
622	// This is not only true for sanitized functions, because AttrInfer can
623	// infer those attributes on libc functions, which is not true if those
624	// are instrumented (Android) or intercepted.
625	//
626	// We might want to model ASan shadow memory more opaquely to get rid of
627	// this problem altogether, by hiding the shadow memory write in an
628	// intrinsic, essentially like in the AArch64StackTagging pass. But that's
629	// for another day.
630
631	// The API is weird. `onlyReadsMemory` actually means "does not write", and
632	// `onlyWritesMemory` actually means "does not read". So we reconstruct
633	// "accesses memory" && "does not read" <=> "writes".
634	bool Changed = false;
635	if (!F.doesNotAccessMemory()) {
636	bool WritesMemory = !F.onlyReadsMemory();
637	bool ReadsMemory = !F.onlyWritesMemory();
638	if ((WritesMemory && !ReadsMemory) \|\| F.onlyAccessesArgMemory()) {
639	F.removeFnAttr(Kind: Attribute::Memory);
640	Changed = true;
641	}
642	}
643	if (ReadsArgMem) {
644	for (Argument &A : F.args()) {
645	if (A.hasAttribute(Kind: Attribute::WriteOnly)) {
646	A.removeAttr(Kind: Attribute::WriteOnly);
647	Changed = true;
648	}
649	}
650	}
651	if (Changed) {
652	// nobuiltin makes sure later passes don't restore assumptions about
653	// the function.
654	F.addFnAttr(Kind: Attribute::NoBuiltin);
655	}
656	}
657
658	ASanAccessInfo::ASanAccessInfo(int32_t Packed)
659	: Packed(Packed),
660	AccessSizeIndex((Packed >> kAccessSizeIndexShift) & kAccessSizeIndexMask),
661	IsWrite((Packed >> kIsWriteShift) & kIsWriteMask),
662	CompileKernel((Packed >> kCompileKernelShift) & kCompileKernelMask) {}
663
664	ASanAccessInfo::ASanAccessInfo(bool IsWrite, bool CompileKernel,
665	uint8_t AccessSizeIndex)
666	: Packed((IsWrite << kIsWriteShift) +
667	(CompileKernel << kCompileKernelShift) +
668	(AccessSizeIndex << kAccessSizeIndexShift)),
669	AccessSizeIndex(AccessSizeIndex), IsWrite(IsWrite),
670	CompileKernel(CompileKernel) {}
671
672	} // namespace llvm
673
674	static uint64_t getRedzoneSizeForScale(int MappingScale) {
675	// Redzone used for stack and globals is at least 32 bytes.
676	// For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively.
677	return std::max(a: `32U`, b: `1U` << MappingScale);
678	}
679
680	static uint64_t GetCtorAndDtorPriority(Triple &TargetTriple) {
681	if (TargetTriple.isOSEmscripten()) {
682	return kAsanEmscriptenCtorAndDtorPriority;
683	} else {
684	return kAsanCtorAndDtorPriority;
685	}
686	}
687
688	static Twine genName(StringRef suffix) {
689	return Twine (kAsanGenPrefix) + suffix;
690	}
691
692	namespace {
693	/// Helper RAII class to post-process inserted asan runtime calls during a
694	/// pass on a single Function. Upon end of scope, detects and applies the
695	/// required funclet OpBundle.
696	class RuntimeCallInserter {
697	Function OwnerFn = nullptr*;
698	bool TrackInsertedCalls = false;
699	SmallVector<CallInst *> InsertedCalls;
700
701	public:
702	RuntimeCallInserter(Function &Fn) : OwnerFn(&Fn) {
703	if (Fn.hasPersonalityFn()) {
704	auto Personality = classifyEHPersonality(Pers: Fn.getPersonalityFn());
705	if (isScopedEHPersonality(Pers: Personality))
706	TrackInsertedCalls = true;
707	}
708	}
709
710	~RuntimeCallInserter() {
711	if (InsertedCalls.empty())
712	return;
713	assert(TrackInsertedCalls && "Calls were wrongly tracked");
714
715	DenseMap<BasicBlock , ColorVector> BlockColors = colorEHFunclets(F&: OwnerFn);
716	for (CallInst *CI : InsertedCalls) {
717	BasicBlock *BB = CI->getParent();
718	assert(BB && "Instruction doesn't belong to a BasicBlock");
719	assert(BB->getParent() == OwnerFn &&
720	"Instruction doesn't belong to the expected Function!");
721
722	ColorVector &Colors = BlockColors [BB];
723	// funclet opbundles are only valid in monochromatic BBs.
724	// Note that unreachable BBs are seen as colorless by colorEHFunclets()
725	// and will be DCE'ed later.
726	if (Colors.empty())
727	continue;
728	if (Colors.size() != `1`) {
729	OwnerFn->getContext().emitError(
730	ErrorStr: "Instruction's BasicBlock is not monochromatic");
731	continue;
732	}
733
734	BasicBlock *Color = Colors.front();
735	BasicBlock::iterator EHPadIt = Color->getFirstNonPHIIt();
736
737	if (EHPadIt != Color->end() && EHPadIt ->isEHPad()) {
738	// Replace CI with a clone with an added funclet OperandBundle
739	OperandBundleDef OB("funclet", &*EHPadIt);
740	auto *NewCall = CallBase::addOperandBundle(CB: CI, ID: LLVMContext::OB_funclet,
741	OB, InsertPt: CI->getIterator());
742	NewCall->copyMetadata(SrcInst: *CI);
743	CI->replaceAllUsesWith(V: NewCall);
744	CI->eraseFromParent();
745	}
746	}
747	}
748
749	CallInst *createRuntimeCall(IRBuilder<> &IRB, FunctionCallee Callee,
750	ArrayRef<Value *> Args = {},
751	const Twine &Name = "") {
752	assert(IRB.GetInsertBlock()->getParent() == OwnerFn);
753
754	CallInst Inst = IRB.CreateCall(Callee, Args, Name, FPMathTag: nullptr*);
755	if (TrackInsertedCalls)
756	InsertedCalls.push_back(Elt: Inst);
757	return Inst;
758	}
759	};
760
761	/// AddressSanitizer: instrument the code in module to find memory bugs.
762	struct AddressSanitizer {
763	AddressSanitizer(Module &M, const StackSafetyGlobalInfo *SSGI,
764	int InstrumentationWithCallsThreshold,
765	uint32_t MaxInlinePoisoningSize, bool CompileKernel = false,
766	bool Recover = false, bool UseAfterScope = false,
767	AsanDetectStackUseAfterReturnMode UseAfterReturn =
768	AsanDetectStackUseAfterReturnMode::Runtime)
769	: M(M),
770	CompileKernel(ClEnableKasan.getNumOccurrences() > `0` ? ClEnableKasan
771	: CompileKernel),
772	Recover(ClRecover.getNumOccurrences() > `0` ? ClRecover : Recover),
773	UseAfterScope(UseAfterScope \|\| ClUseAfterScope),
774	UseAfterReturn(ClUseAfterReturn.getNumOccurrences() ? ClUseAfterReturn
775	: UseAfterReturn),
776	SSGI(SSGI),
777	InstrumentationWithCallsThreshold(
778	ClInstrumentationWithCallsThreshold.getNumOccurrences() > `0`
779	? ClInstrumentationWithCallsThreshold
780	: InstrumentationWithCallsThreshold),
781	MaxInlinePoisoningSize(ClMaxInlinePoisoningSize.getNumOccurrences() > `0`
782	? ClMaxInlinePoisoningSize
783	: MaxInlinePoisoningSize) {
784	C = &(M.getContext());
785	DL = &M.getDataLayout();
786	LongSize = M.getDataLayout().getPointerSizeInBits();
787	IntptrTy = Type::getIntNTy(C&: *C, N: LongSize);
788	PtrTy = PointerType::getUnqual(C&: *C);
789	Int32Ty = Type::getInt32Ty(C&: *C);
790	TargetTriple = M.getTargetTriple();
791
792	Mapping = getShadowMapping(TargetTriple, LongSize, IsKasan: this->CompileKernel);
793
794	assert(this->UseAfterReturn != AsanDetectStackUseAfterReturnMode::Invalid);
795	}
796
797	TypeSize getAllocaSizeInBytes(const AllocaInst &AI) const {
798	return *AI.getAllocationSize(DL: AI.getDataLayout());
799	}
800
801	/// Check if we want (and can) handle this alloca.
802	bool isInterestingAlloca(const AllocaInst &AI);
803
804	bool ignoreAccess(Instruction Inst, Value Ptr);
805	void getInterestingMemoryOperands(
806	Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting);
807
808	void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
809	InterestingMemoryOperand &O, bool UseCalls,
810	const DataLayout &DL, RuntimeCallInserter &RTCI);
811	void instrumentPointerComparisonOrSubtraction(Instruction *I,
812	RuntimeCallInserter &RTCI);
813	void instrumentAddress(Instruction OrigIns, Instruction InsertBefore,
814	Value *Addr, MaybeAlign Alignment,
815	uint32_t TypeStoreSize, bool IsWrite,
816	Value SizeArgument, bool* UseCalls, uint32_t Exp,
817	RuntimeCallInserter &RTCI);
818	Instruction instrumentAMDGPUAddress(Instruction OrigIns,
819	Instruction InsertBefore, Value Addr,
820	uint32_t TypeStoreSize, bool IsWrite,
821	Value *SizeArgument);
822	Instruction genAMDGPUReportBlock(IRBuilder<> &IRB, Value Cond,
823	bool Recover);
824	void instrumentUnusualSizeOrAlignment(Instruction *I,
825	Instruction InsertBefore, Value Addr,
826	TypeSize TypeStoreSize, bool IsWrite,
827	Value SizeArgument, bool* UseCalls,
828	uint32_t Exp,
829	RuntimeCallInserter &RTCI);
830	void instrumentMaskedLoadOrStore(AddressSanitizer Pass, const* DataLayout &DL,
831	Type IntptrTy, Value Mask, Value *EVL,
832	Value Stride, Instruction I, Value *Addr,
833	MaybeAlign Alignment, unsigned Granularity,
834	Type OpType, bool* IsWrite,
835	Value SizeArgument, bool* UseCalls,
836	uint32_t Exp, RuntimeCallInserter &RTCI);
837	Value createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,
838	Value *ShadowValue, uint32_t TypeStoreSize);
839	Instruction generateCrashCode(Instruction InsertBefore, Value *Addr,
840	bool IsWrite, size_t AccessSizeIndex,
841	Value *SizeArgument, uint32_t Exp,
842	RuntimeCallInserter &RTCI);
843	void instrumentMemIntrinsic(MemIntrinsic *MI, RuntimeCallInserter &RTCI);
844	Value memToShadow(Value Shadow, IRBuilder<> &IRB);
845	bool suppressInstrumentationSiteForDebug(int &Instrumented);
846	bool instrumentFunction(Function &F, const TargetLibraryInfo *TLI);
847	bool maybeInsertAsanInitAtFunctionEntry(Function &F);
848	bool maybeInsertDynamicShadowAtFunctionEntry(Function &F);
849	void markEscapedLocalAllocas(Function &F);
850
851	private:
852	friend struct FunctionStackPoisoner;
853
854	void initializeCallbacks(const TargetLibraryInfo *TLI);
855
856	bool LooksLikeCodeInBug11395(Instruction *I);
857	bool GlobalIsLinkerInitialized(GlobalVariable *G);
858	bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr,
859	TypeSize TypeStoreSize) const;
860
861	/// Helper to cleanup per-function state.
862	struct FunctionStateRAII {
863	AddressSanitizer *Pass;
864
865	FunctionStateRAII(AddressSanitizer *Pass) : Pass(Pass) {
866	assert(Pass->ProcessedAllocas.empty() &&
867	"last pass forgot to clear cache");
868	assert(!Pass->LocalDynamicShadow);
869	}
870
871	~FunctionStateRAII() {
872	Pass->LocalDynamicShadow = nullptr;
873	Pass->ProcessedAllocas.clear();
874	}
875	};
876
877	Module &M;
878	LLVMContext *C;
879	const DataLayout *DL;
880	Triple TargetTriple;
881	int LongSize;
882	bool CompileKernel;
883	bool Recover;
884	bool UseAfterScope;
885	AsanDetectStackUseAfterReturnMode UseAfterReturn;
886	Type *IntptrTy;
887	Type *Int32Ty;
888	PointerType *PtrTy;
889	ShadowMapping Mapping;
890	FunctionCallee AsanHandleNoReturnFunc;
891	FunctionCallee AsanPtrCmpFunction, AsanPtrSubFunction;
892	Constant *AsanShadowGlobal;
893
894	// These arrays is indexed by AccessIsWrite, Experiment and log2(AccessSize).
895	FunctionCallee AsanErrorCallback[`2`][`2`][kNumberOfAccessSizes];
896	FunctionCallee AsanMemoryAccessCallback[`2`][`2`][kNumberOfAccessSizes];
897
898	// These arrays is indexed by AccessIsWrite and Experiment.
899	FunctionCallee AsanErrorCallbackSized[`2`][`2`];
900	FunctionCallee AsanMemoryAccessCallbackSized[`2`][`2`];
901
902	FunctionCallee AsanMemmove, AsanMemcpy, AsanMemset;
903	Value LocalDynamicShadow = nullptr*;
904	const StackSafetyGlobalInfo *SSGI;
905	DenseMap<const AllocaInst , bool*> ProcessedAllocas;
906
907	FunctionCallee AMDGPUAddressShared;
908	FunctionCallee AMDGPUAddressPrivate;
909	int InstrumentationWithCallsThreshold;
910	uint32_t MaxInlinePoisoningSize;
911	};
912
913	class ModuleAddressSanitizer {
914	public:
915	ModuleAddressSanitizer(Module &M, bool InsertVersionCheck,
916	bool CompileKernel = false, bool Recover = false,
917	bool UseGlobalsGC = true, bool UseOdrIndicator = true,
918	AsanDtorKind DestructorKind = AsanDtorKind::Global,
919	AsanCtorKind ConstructorKind = AsanCtorKind::Global)
920	: M(M),
921	CompileKernel(ClEnableKasan.getNumOccurrences() > `0` ? ClEnableKasan
922	: CompileKernel),
923	InsertVersionCheck(ClInsertVersionCheck.getNumOccurrences() > `0`
924	? ClInsertVersionCheck
925	: InsertVersionCheck),
926	Recover(ClRecover.getNumOccurrences() > `0` ? ClRecover : Recover),
927	UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC && !this->CompileKernel),
928	// Enable aliases as they should have no downside with ODR indicators.
929	UsePrivateAlias(ClUsePrivateAlias.getNumOccurrences() > `0`
930	? ClUsePrivateAlias
931	: UseOdrIndicator),
932	UseOdrIndicator(ClUseOdrIndicator.getNumOccurrences() > `0`
933	? ClUseOdrIndicator
934	: UseOdrIndicator),
935	// Not a typo: ClWithComdat is almost completely pointless without
936	// ClUseGlobalsGC (because then it only works on modules without
937	// globals, which are rare); it is a prerequisite for ClUseGlobalsGC;
938	// and both suffer from gold PR19002 for which UseGlobalsGC constructor
939	// argument is designed as workaround. Therefore, disable both
940	// ClWithComdat and ClUseGlobalsGC unless the frontend says it's ok to
941	// do globals-gc.
942	UseCtorComdat(UseGlobalsGC && ClWithComdat && !this->CompileKernel),
943	DestructorKind(DestructorKind),
944	ConstructorKind(ClConstructorKind.getNumOccurrences() > `0`
945	? ClConstructorKind
946	: ConstructorKind) {
947	C = &(M.getContext());
948	int LongSize = M.getDataLayout().getPointerSizeInBits();
949	IntptrTy = Type::getIntNTy(C&: *C, N: LongSize);
950	PtrTy = PointerType::getUnqual(C&: *C);
951	TargetTriple = M.getTargetTriple();
952	Mapping = getShadowMapping(TargetTriple, LongSize, IsKasan: this->CompileKernel);
953
954	if (ClOverrideDestructorKind != AsanDtorKind::Invalid)
955	this->DestructorKind = ClOverrideDestructorKind;
956	assert(this->DestructorKind != AsanDtorKind::Invalid);
957	}
958
959	bool instrumentModule();
960
961	private:
962	void initializeCallbacks();
963
964	void instrumentGlobals(IRBuilder<> &IRB, bool *CtorComdat);
965	void InstrumentGlobalsCOFF(IRBuilder<> &IRB,
966	ArrayRef<GlobalVariable *> ExtendedGlobals,
967	ArrayRef<Constant *> MetadataInitializers);
968	void instrumentGlobalsELF(IRBuilder<> &IRB,
969	ArrayRef<GlobalVariable *> ExtendedGlobals,
970	ArrayRef<Constant *> MetadataInitializers,
971	const std::string &UniqueModuleId);
972	void InstrumentGlobalsMachO(IRBuilder<> &IRB,
973	ArrayRef<GlobalVariable *> ExtendedGlobals,
974	ArrayRef<Constant *> MetadataInitializers);
975	void
976	InstrumentGlobalsWithMetadataArray(IRBuilder<> &IRB,
977	ArrayRef<GlobalVariable *> ExtendedGlobals,
978	ArrayRef<Constant *> MetadataInitializers);
979
980	GlobalVariable CreateMetadataGlobal(Constant Initializer,
981	StringRef OriginalName);
982	void SetComdatForGlobalMetadata(GlobalVariable G, GlobalVariable Metadata,
983	StringRef InternalSuffix);
984	Instruction *CreateAsanModuleDtor();
985
986	const GlobalVariable getExcludedAliasedGlobal(const* GlobalAlias &GA) const;
987	bool shouldInstrumentGlobal(GlobalVariable G) const*;
988	bool ShouldUseMachOGlobalsSection() const;
989	StringRef getGlobalMetadataSection() const;
990	void poisonOneInitializer(Function &GlobalInit);
991	void createInitializerPoisonCalls();
992	uint64_t getMinRedzoneSizeForGlobal() const {
993	return getRedzoneSizeForScale(MappingScale: Mapping.Scale);
994	}
995	uint64_t getRedzoneSizeForGlobal(uint64_t SizeInBytes) const;
996	int GetAsanVersion() const;
997	GlobalVariable *getOrCreateModuleName();
998
999	Module &M;
1000	bool CompileKernel;
1001	bool InsertVersionCheck;
1002	bool Recover;
1003	bool UseGlobalsGC;
1004	bool UsePrivateAlias;
1005	bool UseOdrIndicator;
1006	bool UseCtorComdat;
1007	AsanDtorKind DestructorKind;
1008	AsanCtorKind ConstructorKind;
1009	Type *IntptrTy;
1010	PointerType *PtrTy;
1011	LLVMContext *C;
1012	Triple TargetTriple;
1013	ShadowMapping Mapping;
1014	FunctionCallee AsanPoisonGlobals;
1015	FunctionCallee AsanUnpoisonGlobals;
1016	FunctionCallee AsanRegisterGlobals;
1017	FunctionCallee AsanUnregisterGlobals;
1018	FunctionCallee AsanRegisterImageGlobals;
1019	FunctionCallee AsanUnregisterImageGlobals;
1020	FunctionCallee AsanRegisterElfGlobals;
1021	FunctionCallee AsanUnregisterElfGlobals;
1022
1023	Function AsanCtorFunction = nullptr*;
1024	Function AsanDtorFunction = nullptr*;
1025	GlobalVariable ModuleName = nullptr*;
1026	};
1027
1028	// Stack poisoning does not play well with exception handling.
1029	// When an exception is thrown, we essentially bypass the code
1030	// that unpoisones the stack. This is why the run-time library has
1031	// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire
1032	// stack in the interceptor. This however does not work inside the
1033	// actual function which catches the exception. Most likely because the
1034	// compiler hoists the load of the shadow value somewhere too high.
1035	// This causes asan to report a non-existing bug on 453.povray.
1036	// It sounds like an LLVM bug.
1037	struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
1038	Function &F;
1039	AddressSanitizer &ASan;
1040	RuntimeCallInserter &RTCI;
1041	DIBuilder DIB;
1042	LLVMContext *C;
1043	Type *IntptrTy;
1044	Type *IntptrPtrTy;
1045	ShadowMapping Mapping;
1046
1047	SmallVector<AllocaInst *, `16`> AllocaVec;
1048	SmallVector<AllocaInst *, `16`> StaticAllocasToMoveUp;
1049	SmallVector<Instruction *, `8`> RetVec;
1050
1051	FunctionCallee AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + `1`],
1052	AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + `1`];
1053	FunctionCallee AsanSetShadowFunc[`0x100`] = {};
1054	FunctionCallee AsanPoisonStackMemoryFunc, AsanUnpoisonStackMemoryFunc;
1055	FunctionCallee AsanAllocaPoisonFunc, AsanAllocasUnpoisonFunc;
1056
1057	// Stores a place and arguments of poisoning/unpoisoning call for alloca.
1058	struct AllocaPoisonCall {
1059	IntrinsicInst *InsBefore;
1060	AllocaInst *AI;
1061	uint64_t Size;
1062	bool DoPoison;
1063	};
1064	SmallVector<AllocaPoisonCall, `8`> DynamicAllocaPoisonCallVec;
1065	SmallVector<AllocaPoisonCall, `8`> StaticAllocaPoisonCallVec;
1066	bool HasUntracedLifetimeIntrinsic = false;
1067
1068	SmallVector<AllocaInst *, `1`> DynamicAllocaVec;
1069	SmallVector<IntrinsicInst *, `1`> StackRestoreVec;
1070	AllocaInst DynamicAllocaLayout = nullptr*;
1071	IntrinsicInst LocalEscapeCall = nullptr*;
1072
1073	bool HasInlineAsm = false;
1074	bool HasReturnsTwiceCall = false;
1075	bool PoisonStack;
1076
1077	FunctionStackPoisoner(Function &F, AddressSanitizer &ASan,
1078	RuntimeCallInserter &RTCI)
1079	: F(F), ASan(ASan), RTCI(RTCI),
1080	DIB (F.getParent(), /AllowUnresolved/* false), C(ASan.C),
1081	IntptrTy(ASan.IntptrTy),
1082	IntptrPtrTy(PointerType::get(C&: IntptrTy->getContext(), AddressSpace: `0`)),
1083	Mapping (ASan.Mapping),
1084	PoisonStack(ClStack && !F.getParent()->getTargetTriple().isAMDGPU()) {}
1085
1086	bool runOnFunction() {
1087	if (!PoisonStack)
1088	return false;
1089
1090	if (ClRedzoneByvalArgs)
1091	copyArgsPassedByValToAllocas();
1092
1093	// Collect alloca, ret, lifetime instructions etc.
1094	for (BasicBlock BB : depth_first(G: &F.getEntryBlock())) visit(BB&: BB);
1095
1096	if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;
1097
1098	initializeCallbacks(M&: *F.getParent());
1099
1100	if (HasUntracedLifetimeIntrinsic) {
1101	// If there are lifetime intrinsics which couldn't be traced back to an
1102	// alloca, we may not know exactly when a variable enters scope, and
1103	// therefore should "fail safe" by not poisoning them.
1104	StaticAllocaPoisonCallVec.clear();
1105	DynamicAllocaPoisonCallVec.clear();
1106	}
1107
1108	processDynamicAllocas();
1109	processStaticAllocas();
1110
1111	if (ClDebugStack) {
1112	LLVM_DEBUG(dbgs() << F);
1113	}
1114	return true;
1115	}
1116
1117	// Arguments marked with the "byval" attribute are implicitly copied without
1118	// using an alloca instruction. To produce redzones for those arguments, we
1119	// copy them a second time into memory allocated with an alloca instruction.
1120	void copyArgsPassedByValToAllocas();
1121
1122	// Finds all Alloca instructions and puts
1123	// poisoned red zones around all of them.
1124	// Then unpoison everything back before the function returns.
1125	void processStaticAllocas();
1126	void processDynamicAllocas();
1127
1128	void createDynamicAllocasInitStorage();
1129
1130	// ----------------------- Visitors.
1131	/// Collect all Ret instructions, or the musttail call instruction if it
1132	/// precedes the return instruction.
1133	void visitReturnInst(ReturnInst &RI) {
1134	if (CallInst *CI = RI.getParent()->getTerminatingMustTailCall())
1135	RetVec.push_back(Elt: CI);
1136	else
1137	RetVec.push_back(Elt: &RI);
1138	}
1139
1140	/// Collect all Resume instructions.
1141	void visitResumeInst(ResumeInst &RI) { RetVec.push_back(Elt: &RI); }
1142
1143	/// Collect all CatchReturnInst instructions.
1144	void visitCleanupReturnInst(CleanupReturnInst &CRI) { RetVec.push_back(Elt: &CRI); }
1145
1146	void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore,
1147	Value *SavedStack) {
1148	IRBuilder<> IRB(InstBefore);
1149	Value *DynamicAreaPtr = IRB.CreatePtrToInt(V: SavedStack, DestTy: IntptrTy);
1150	// When we insert _asan_allocas_unpoison before @llvm.stackrestore, we
1151	// need to adjust extracted SP to compute the address of the most recent
1152	// alloca. We have a special @llvm.get.dynamic.area.offset intrinsic for
1153	// this purpose.
1154	if (!isa<ReturnInst>(Val: InstBefore)) {
1155	Value *DynamicAreaOffset = IRB.CreateIntrinsic(
1156	ID: Intrinsic::get_dynamic_area_offset, Types: {IntptrTy}, Args: {});
1157
1158	DynamicAreaPtr = IRB.CreateAdd(LHS: IRB.CreatePtrToInt(V: SavedStack, DestTy: IntptrTy),
1159	RHS: DynamicAreaOffset);
1160	}
1161
1162	RTCI.createRuntimeCall(
1163	IRB, Callee: AsanAllocasUnpoisonFunc,
1164	Args: {IRB.CreateLoad(Ty: IntptrTy, Ptr: DynamicAllocaLayout), DynamicAreaPtr});
1165	}
1166
1167	// Unpoison dynamic allocas redzones.
1168	void unpoisonDynamicAllocas() {
1169	for (Instruction *Ret : RetVec)
1170	unpoisonDynamicAllocasBeforeInst(InstBefore: Ret, SavedStack: DynamicAllocaLayout);
1171
1172	for (Instruction *StackRestoreInst : StackRestoreVec)
1173	unpoisonDynamicAllocasBeforeInst(InstBefore: StackRestoreInst,
1174	SavedStack: StackRestoreInst->getOperand(i: `0`));
1175	}
1176
1177	// Deploy and poison redzones around dynamic alloca call. To do this, we
1178	// should replace this call with another one with changed parameters and
1179	// replace all its uses with new address, so
1180	// addr = alloca type, old_size, align
1181	// is replaced by
1182	// new_size = (old_size + additional_size) sizeof(type)*
1183	// tmp = alloca i8, new_size, max(align, 32)
1184	// addr = tmp + 32 (first 32 bytes are for the left redzone).
1185	// Additional_size is added to make new memory allocation contain not only
1186	// requested memory, but also left, partial and right redzones.
1187	void handleDynamicAllocaCall(AllocaInst *AI);
1188
1189	/// Collect Alloca instructions we want (and can) handle.
1190	void visitAllocaInst(AllocaInst &AI) {
1191	// FIXME: Handle scalable vectors instead of ignoring them.
1192	const Type *AllocaType = AI.getAllocatedType();
1193	const auto *STy = dyn_cast<StructType>(Val: AllocaType);
1194	if (!ASan.isInterestingAlloca(AI) \|\| isa<ScalableVectorType>(Val: AllocaType) \|\|
1195	(STy && STy->containsHomogeneousScalableVectorTypes())) {
1196	if (AI.isStaticAlloca()) {
1197	// Skip over allocas that are present before* the first instrumented*
1198	// alloca, we don't want to move those around.
1199	if (AllocaVec.empty())
1200	return;
1201
1202	StaticAllocasToMoveUp.push_back(Elt: &AI);
1203	}
1204	return;
1205	}
1206
1207	if (!AI.isStaticAlloca())
1208	DynamicAllocaVec.push_back(Elt: &AI);
1209	else
1210	AllocaVec.push_back(Elt: &AI);
1211	}
1212
1213	/// Collect lifetime intrinsic calls to check for use-after-scope
1214	/// errors.
1215	void visitIntrinsicInst(IntrinsicInst &II) {
1216	Intrinsic::ID ID = II.getIntrinsicID();
1217	if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(Elt: &II);
1218	if (ID == Intrinsic::localescape) LocalEscapeCall = &II;
1219	if (!ASan.UseAfterScope)
1220	return;
1221	if (!II.isLifetimeStartOrEnd())
1222	return;
1223	// Found lifetime intrinsic, add ASan instrumentation if necessary.
1224	auto *Size = cast<ConstantInt>(Val: II.getArgOperand(i: `0`));
1225	// If size argument is undefined, don't do anything.
1226	if (Size->isMinusOne()) return;
1227	// Check that size doesn't saturate uint64_t and can
1228	// be stored in IntptrTy.
1229	const uint64_t SizeValue = Size->getValue().getLimitedValue();
1230	if (SizeValue == ~`0ULL` \|\|
1231	!ConstantInt::isValueValidForType(Ty: IntptrTy, V: SizeValue))
1232	return;
1233	// Find alloca instruction that corresponds to llvm.lifetime argument.
1234	// Currently we can only handle lifetime markers pointing to the
1235	// beginning of the alloca.
1236	AllocaInst AI = findAllocaForValue(V: II.getArgOperand(i: `1`), OffsetZero: true*);
1237	if (!AI) {
1238	HasUntracedLifetimeIntrinsic = true;
1239	return;
1240	}
1241	// We're interested only in allocas we can handle.
1242	if (!ASan.isInterestingAlloca(AI: *AI))
1243	return;
1244	bool DoPoison = (ID == Intrinsic::lifetime_end);
1245	AllocaPoisonCall APC = {.InsBefore: &II, .AI: AI, .Size: SizeValue, .DoPoison: DoPoison};
1246	if (AI->isStaticAlloca())
1247	StaticAllocaPoisonCallVec.push_back(Elt: APC);
1248	else if (ClInstrumentDynamicAllocas)
1249	DynamicAllocaPoisonCallVec.push_back(Elt: APC);
1250	}
1251
1252	void visitCallBase(CallBase &CB) {
1253	if (CallInst *CI = dyn_cast<CallInst>(Val: &CB)) {
1254	HasInlineAsm \|= CI->isInlineAsm() && &CB != ASan.LocalDynamicShadow;
1255	HasReturnsTwiceCall \|= CI->canReturnTwice();
1256	}
1257	}
1258
1259	// ---------------------- Helpers.
1260	void initializeCallbacks(Module &M);
1261
1262	// Copies bytes from ShadowBytes into shadow memory for indexes where
1263	// ShadowMask is not zero. If ShadowMask[i] is zero, we assume that
1264	// ShadowBytes[i] is constantly zero and doesn't need to be overwritten.
1265	void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
1266	IRBuilder<> &IRB, Value *ShadowBase);
1267	void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
1268	size_t Begin, size_t End, IRBuilder<> &IRB,
1269	Value *ShadowBase);
1270	void copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
1271	ArrayRef<uint8_t> ShadowBytes, size_t Begin,
1272	size_t End, IRBuilder<> &IRB, Value *ShadowBase);
1273
1274	void poisonAlloca(Value V, uint64_t Size, IRBuilder<> &IRB, bool* DoPoison);
1275
1276	Value createAllocaForLayout(IRBuilder<> &IRB, const* ASanStackFrameLayout &L,
1277	bool Dynamic);
1278	PHINode createPHI(IRBuilder<> &IRB, Value Cond, Value *ValueIfTrue,
1279	Instruction ThenTerm, Value ValueIfFalse);
1280	};
1281
1282	} // end anonymous namespace
1283
1284	void AddressSanitizerPass::printPipeline(
1285	raw_ostream &OS, function_ref<StringRef(StringRef)> MapClassName2PassName) {
1286	static_cast<PassInfoMixin<AddressSanitizerPass> >(this*)->printPipeline(
1287	OS, MapClassName2PassName);
1288	OS << `'<'`;
1289	if (Options.CompileKernel)
1290	OS << "kernel;";
1291	if (Options.UseAfterScope)
1292	OS << "use-after-scope";
1293	OS << `'>'`;
1294	}
1295
1296	AddressSanitizerPass::AddressSanitizerPass(
1297	const AddressSanitizerOptions &Options, bool UseGlobalGC,
1298	bool UseOdrIndicator, AsanDtorKind DestructorKind,
1299	AsanCtorKind ConstructorKind)
1300	: Options (Options), UseGlobalGC(UseGlobalGC),
1301	UseOdrIndicator(UseOdrIndicator), DestructorKind(DestructorKind),
1302	ConstructorKind(ConstructorKind) {}
1303
1304	PreservedAnalyses AddressSanitizerPass::run(Module &M,
1305	ModuleAnalysisManager &MAM) {
1306	// Return early if nosanitize_address module flag is present for the module.
1307	// This implies that asan pass has already run before.
1308	if (checkIfAlreadyInstrumented(M, Flag: "nosanitize_address"))
1309	return PreservedAnalyses::all();
1310
1311	ModuleAddressSanitizer ModuleSanitizer(
1312	M, Options.InsertVersionCheck, Options.CompileKernel, Options.Recover,
1313	UseGlobalGC, UseOdrIndicator, DestructorKind, ConstructorKind);
1314	bool Modified = false;
1315	auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(IR&: M).getManager();
1316	const StackSafetyGlobalInfo *const SSGI =
1317	ClUseStackSafety ? &MAM.getResult<StackSafetyGlobalAnalysis>(IR&: M) : nullptr;
1318	for (Function &F : M) {
1319	if (F.empty())
1320	continue;
1321	if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage)
1322	continue;
1323	if (!ClDebugFunc.empty() && ClDebugFunc == F.getName())
1324	continue;
1325	if (F.getName().starts_with(Prefix: "__asan_"))
1326	continue;
1327	if (F.isPresplitCoroutine())
1328	continue;
1329	AddressSanitizer FunctionSanitizer(
1330	M, SSGI, Options.InstrumentationWithCallsThreshold,
1331	Options.MaxInlinePoisoningSize, Options.CompileKernel, Options.Recover,
1332	Options.UseAfterScope, Options.UseAfterReturn);
1333	const TargetLibraryInfo &TLI = FAM.getResult<TargetLibraryAnalysis>(IR&: F);
1334	Modified \|= FunctionSanitizer.instrumentFunction(F, TLI: &TLI);
1335	}
1336	Modified \|= ModuleSanitizer.instrumentModule();
1337	if (!Modified)
1338	return PreservedAnalyses::all();
1339
1340	PreservedAnalyses PA = PreservedAnalyses::none();
1341	// GlobalsAA is considered stateless and does not get invalidated unless
1342	// explicitly invalidated; PreservedAnalyses::none() is not enough. Sanitizers
1343	// make changes that require GlobalsAA to be invalidated.
1344	PA.abandon<GlobalsAA>();
1345	return PA;
1346	}
1347
1348	static size_t TypeStoreSizeToSizeIndex(uint32_t TypeSize) {
1349	size_t Res = llvm::countr_zero(Val: TypeSize / `8`);
1350	assert(Res < kNumberOfAccessSizes);
1351	return Res;
1352	}
1353
1354	/// Check if \p G has been created by a trusted compiler pass.
1355	static bool GlobalWasGeneratedByCompiler(GlobalVariable *G) {
1356	// Do not instrument @llvm.global_ctors, @llvm.used, etc.
1357	if (G->getName().starts_with(Prefix: "llvm.") \|\|
1358	// Do not instrument gcov counter arrays.
1359	G->getName().starts_with(Prefix: "__llvm_gcov_ctr") \|\|
1360	// Do not instrument rtti proxy symbols for function sanitizer.
1361	G->getName().starts_with(Prefix: "__llvm_rtti_proxy"))
1362	return true;
1363
1364	// Do not instrument asan globals.
1365	if (G->getName().starts_with(Prefix: kAsanGenPrefix) \|\|
1366	G->getName().starts_with(Prefix: kSanCovGenPrefix) \|\|
1367	G->getName().starts_with(Prefix: kODRGenPrefix))
1368	return true;
1369
1370	return false;
1371	}
1372
1373	static bool isUnsupportedAMDGPUAddrspace(Value *Addr) {
1374	Type *PtrTy = cast<PointerType>(Val: Addr->getType()->getScalarType());
1375	unsigned int AddrSpace = PtrTy->getPointerAddressSpace();
1376	if (AddrSpace == `3` \|\| AddrSpace == `5`)
1377	return true;
1378	return false;
1379	}
1380
1381	Value AddressSanitizer::memToShadow(Value Shadow, IRBuilder<> &IRB) {
1382	// Shadow >> scale
1383	Shadow = IRB.CreateLShr(LHS: Shadow, RHS: Mapping.Scale);
1384	if (Mapping.Offset == `0`) return Shadow;
1385	// (Shadow >> scale) \| offset
1386	Value *ShadowBase;
1387	if (LocalDynamicShadow)
1388	ShadowBase = LocalDynamicShadow;
1389	else
1390	ShadowBase = ConstantInt::get(Ty: IntptrTy, V: Mapping.Offset);
1391	if (Mapping.OrShadowOffset)
1392	return IRB.CreateOr(LHS: Shadow, RHS: ShadowBase);
1393	else
1394	return IRB.CreateAdd(LHS: Shadow, RHS: ShadowBase);
1395	}
1396
1397	// Instrument memset/memmove/memcpy
1398	void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI,
1399	RuntimeCallInserter &RTCI) {
1400	InstrumentationIRBuilder IRB(MI);
1401	if (isa<MemTransferInst>(Val: MI)) {
1402	RTCI.createRuntimeCall(
1403	IRB, Callee: isa<MemMoveInst>(Val: MI) ? AsanMemmove : AsanMemcpy,
1404	Args: {IRB.CreateAddrSpaceCast(V: MI->getOperand(i_nocapture: `0`), DestTy: PtrTy),
1405	IRB.CreateAddrSpaceCast(V: MI->getOperand(i_nocapture: `1`), DestTy: PtrTy),
1406	IRB.CreateIntCast(V: MI->getOperand(i_nocapture: `2`), DestTy: IntptrTy, isSigned: false)});
1407	} else if (isa<MemSetInst>(Val: MI)) {
1408	RTCI.createRuntimeCall(
1409	IRB, Callee: AsanMemset,
1410	Args: {IRB.CreateAddrSpaceCast(V: MI->getOperand(i_nocapture: `0`), DestTy: PtrTy),
1411	IRB.CreateIntCast(V: MI->getOperand(i_nocapture: `1`), DestTy: IRB.getInt32Ty(), isSigned: false),
1412	IRB.CreateIntCast(V: MI->getOperand(i_nocapture: `2`), DestTy: IntptrTy, isSigned: false)});
1413	}
1414	MI->eraseFromParent();
1415	}
1416
1417	/// Check if we want (and can) handle this alloca.
1418	bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
1419	auto [It, Inserted] = ProcessedAllocas.try_emplace(Key: &AI);
1420
1421	if (!Inserted)
1422	return It ->getSecond();
1423
1424	bool IsInteresting =
1425	(AI.getAllocatedType()->isSized() &&
1426	// alloca() may be called with 0 size, ignore it.
1427	((!AI.isStaticAlloca()) \|\| !getAllocaSizeInBytes(AI).isZero()) &&
1428	// We are only interested in allocas not promotable to registers.
1429	// Promotable allocas are common under -O0.
1430	(!ClSkipPromotableAllocas \|\| !isAllocaPromotable(AI: &AI)) &&
1431	// inalloca allocas are not treated as static, and we don't want
1432	// dynamic alloca instrumentation for them as well.
1433	!AI.isUsedWithInAlloca() &&
1434	// swifterror allocas are register promoted by ISel
1435	!AI.isSwiftError() &&
1436	// safe allocas are not interesting
1437	!(SSGI && SSGI->isSafe(AI)));
1438
1439	It ->second = IsInteresting;
1440	return IsInteresting;
1441	}
1442
1443	bool AddressSanitizer::ignoreAccess(Instruction Inst, Value Ptr) {
1444	// Instrument accesses from different address spaces only for AMDGPU.
1445	Type *PtrTy = cast<PointerType>(Val: Ptr->getType()->getScalarType());
1446	if (PtrTy->getPointerAddressSpace() != `0` &&
1447	!(TargetTriple.isAMDGPU() && !isUnsupportedAMDGPUAddrspace(Addr: Ptr)))
1448	return true;
1449
1450	// Ignore swifterror addresses.
1451	// swifterror memory addresses are mem2reg promoted by instruction
1452	// selection. As such they cannot have regular uses like an instrumentation
1453	// function and it makes no sense to track them as memory.
1454	if (Ptr->isSwiftError())
1455	return true;
1456
1457	// Treat memory accesses to promotable allocas as non-interesting since they
1458	// will not cause memory violations. This greatly speeds up the instrumented
1459	// executable at -O0.
1460	if (auto AI = dyn_cast_or_null<AllocaInst>(Val: Ptr))
1461	if (ClSkipPromotableAllocas && !isInterestingAlloca(AI: *AI))
1462	return true;
1463
1464	if (SSGI != nullptr && SSGI->stackAccessIsSafe(I: *Inst) &&
1465	findAllocaForValue(V: Ptr))
1466	return true;
1467
1468	return false;
1469	}
1470
1471	void AddressSanitizer::getInterestingMemoryOperands(
1472	Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) {
1473	// Do not instrument the load fetching the dynamic shadow address.
1474	if (LocalDynamicShadow == I)
1475	return;
1476
1477	if (LoadInst *LI = dyn_cast<LoadInst>(Val: I)) {
1478	if (!ClInstrumentReads \|\| ignoreAccess(Inst: I, Ptr: LI->getPointerOperand()))
1479	return;
1480	Interesting.emplace_back(Args&: I, Args: LI->getPointerOperandIndex(), Args: false,
1481	Args: LI->getType(), Args: LI->getAlign());
1482	} else if (StoreInst *SI = dyn_cast<StoreInst>(Val: I)) {
1483	if (!ClInstrumentWrites \|\| ignoreAccess(Inst: I, Ptr: SI->getPointerOperand()))
1484	return;
1485	Interesting.emplace_back(Args&: I, Args: SI->getPointerOperandIndex(), Args: true,
1486	Args: SI->getValueOperand()->getType(), Args: SI->getAlign());
1487	} else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(Val: I)) {
1488	if (!ClInstrumentAtomics \|\| ignoreAccess(Inst: I, Ptr: RMW->getPointerOperand()))
1489	return;
1490	Interesting.emplace_back(Args&: I, Args: RMW->getPointerOperandIndex(), Args: true,
1491	Args: RMW->getValOperand()->getType(), Args: std::nullopt);
1492	} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(Val: I)) {
1493	if (!ClInstrumentAtomics \|\| ignoreAccess(Inst: I, Ptr: XCHG->getPointerOperand()))
1494	return;
1495	Interesting.emplace_back(Args&: I, Args: XCHG->getPointerOperandIndex(), Args: true,
1496	Args: XCHG->getCompareOperand()->getType(),
1497	Args: std::nullopt);
1498	} else if (auto CI = dyn_cast<CallInst>(Val: I)) {
1499	switch (CI->getIntrinsicID()) {
1500	case Intrinsic::masked_load:
1501	case Intrinsic::masked_store:
1502	case Intrinsic::masked_gather:
1503	case Intrinsic::masked_scatter: {
1504	bool IsWrite = CI->getType()->isVoidTy();
1505	// Masked store has an initial operand for the value.
1506	unsigned OpOffset = IsWrite ? `1` : `0`;
1507	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1508	return;
1509
1510	auto BasePtr = CI->getOperand(i_nocapture: OpOffset);
1511	if (ignoreAccess(Inst: I, Ptr: BasePtr))
1512	return;
1513	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1514	MaybeAlign Alignment = Align (`1`);
1515	// Otherwise no alignment guarantees. We probably got Undef.
1516	if (auto *Op = dyn_cast<ConstantInt>(Val: CI->getOperand(i_nocapture: `1` + OpOffset)))
1517	Alignment = Op->getMaybeAlignValue();
1518	Value *Mask = CI->getOperand(i_nocapture: `2` + OpOffset);
1519	Interesting.emplace_back(Args&: I, Args&: OpOffset, Args&: IsWrite, Args&: Ty, Args&: Alignment, Args&: Mask);
1520	break;
1521	}
1522	case Intrinsic::masked_expandload:
1523	case Intrinsic::masked_compressstore: {
1524	bool IsWrite = CI->getIntrinsicID() == Intrinsic::masked_compressstore;
1525	unsigned OpOffset = IsWrite ? `1` : `0`;
1526	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1527	return;
1528	auto BasePtr = CI->getOperand(i_nocapture: OpOffset);
1529	if (ignoreAccess(Inst: I, Ptr: BasePtr))
1530	return;
1531	MaybeAlign Alignment = BasePtr->getPointerAlignment(DL: *DL);
1532	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1533
1534	IRBuilder IB(I);
1535	Value *Mask = CI->getOperand(i_nocapture: `1` + OpOffset);
1536	// Use the popcount of Mask as the effective vector length.
1537	Type *ExtTy = VectorType::get(ElementType: IntptrTy, Other: cast<VectorType>(Val: Ty));
1538	Value *ExtMask = IB.CreateZExt(V: Mask, DestTy: ExtTy);
1539	Value *EVL = IB.CreateAddReduce(Src: ExtMask);
1540	Value *TrueMask = ConstantInt::get(Ty: Mask->getType(), V: `1`);
1541	Interesting.emplace_back(Args&: I, Args&: OpOffset, Args&: IsWrite, Args&: Ty, Args&: Alignment, Args&: TrueMask,
1542	Args&: EVL);
1543	break;
1544	}
1545	case Intrinsic::vp_load:
1546	case Intrinsic::vp_store:
1547	case Intrinsic::experimental_vp_strided_load:
1548	case Intrinsic::experimental_vp_strided_store: {
1549	auto *VPI = cast<VPIntrinsic>(Val: CI);
1550	unsigned IID = CI->getIntrinsicID();
1551	bool IsWrite = CI->getType()->isVoidTy();
1552	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1553	return;
1554	unsigned PtrOpNo = *VPI->getMemoryPointerParamPos(IID);
1555	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1556	MaybeAlign Alignment = VPI->getOperand(i_nocapture: PtrOpNo)->getPointerAlignment(DL: *DL);
1557	Value Stride = nullptr*;
1558	if (IID == Intrinsic::experimental_vp_strided_store \|\|
1559	IID == Intrinsic::experimental_vp_strided_load) {
1560	Stride = VPI->getOperand(i_nocapture: PtrOpNo + `1`);
1561	// Use the pointer alignment as the element alignment if the stride is a
1562	// mutiple of the pointer alignment. Otherwise, the element alignment
1563	// should be Align(1).
1564	unsigned PointerAlign = Alignment.valueOrOne().value();
1565	if (!isa<ConstantInt>(Val: Stride) \|\|
1566	cast<ConstantInt>(Val: Stride)->getZExtValue() % PointerAlign != `0`)
1567	Alignment = Align (`1`);
1568	}
1569	Interesting.emplace_back(Args&: I, Args&: PtrOpNo, Args&: IsWrite, Args&: Ty, Args&: Alignment,
1570	Args: VPI->getMaskParam(), Args: VPI->getVectorLengthParam(),
1571	Args&: Stride);
1572	break;
1573	}
1574	case Intrinsic::vp_gather:
1575	case Intrinsic::vp_scatter: {
1576	auto *VPI = cast<VPIntrinsic>(Val: CI);
1577	unsigned IID = CI->getIntrinsicID();
1578	bool IsWrite = IID == Intrinsic::vp_scatter;
1579	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1580	return;
1581	unsigned PtrOpNo = *VPI->getMemoryPointerParamPos(IID);
1582	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1583	MaybeAlign Alignment = VPI->getPointerAlignment();
1584	Interesting.emplace_back(Args&: I, Args&: PtrOpNo, Args&: IsWrite, Args&: Ty, Args&: Alignment,
1585	Args: VPI->getMaskParam(),
1586	Args: VPI->getVectorLengthParam());
1587	break;
1588	}
1589	default:
1590	for (unsigned ArgNo = `0`; ArgNo < CI->arg_size(); ArgNo++) {
1591	if (!ClInstrumentByval \|\| !CI->isByValArgument(ArgNo) \|\|
1592	ignoreAccess(Inst: I, Ptr: CI->getArgOperand(i: ArgNo)))
1593	continue;
1594	Type *Ty = CI->getParamByValType(ArgNo);
1595	Interesting.emplace_back(Args&: I, Args&: ArgNo, Args: false, Args&: Ty, Args: Align (`1`));
1596	}
1597	}
1598	}
1599	}
1600
1601	static bool isPointerOperand(Value *V) {
1602	return V->getType()->isPointerTy() \|\| isa<PtrToIntInst>(Val: V);
1603	}
1604
1605	// This is a rough heuristic; it may cause both false positives and
1606	// false negatives. The proper implementation requires cooperation with
1607	// the frontend.
1608	static bool isInterestingPointerComparison(Instruction *I) {
1609	if (ICmpInst *Cmp = dyn_cast<ICmpInst>(Val: I)) {
1610	if (!Cmp->isRelational())
1611	return false;
1612	} else {
1613	return false;
1614	}
1615	return isPointerOperand(V: I->getOperand(i: `0`)) &&
1616	isPointerOperand(V: I->getOperand(i: `1`));
1617	}
1618
1619	// This is a rough heuristic; it may cause both false positives and
1620	// false negatives. The proper implementation requires cooperation with
1621	// the frontend.
1622	static bool isInterestingPointerSubtraction(Instruction *I) {
1623	if (BinaryOperator *BO = dyn_cast<BinaryOperator>(Val: I)) {
1624	if (BO->getOpcode() != Instruction::Sub)
1625	return false;
1626	} else {
1627	return false;
1628	}
1629	return isPointerOperand(V: I->getOperand(i: `0`)) &&
1630	isPointerOperand(V: I->getOperand(i: `1`));
1631	}
1632
1633	bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {
1634	// If a global variable does not have dynamic initialization we don't
1635	// have to instrument it. However, if a global does not have initializer
1636	// at all, we assume it has dynamic initializer (in other TU).
1637	if (!G->hasInitializer())
1638	return false;
1639
1640	if (G->hasSanitizerMetadata() && G->getSanitizerMetadata().IsDynInit)
1641	return false;
1642
1643	return true;
1644	}
1645
1646	void AddressSanitizer::instrumentPointerComparisonOrSubtraction(
1647	Instruction *I, RuntimeCallInserter &RTCI) {
1648	IRBuilder<> IRB(I);
1649	FunctionCallee F = isa<ICmpInst>(Val: I) ? AsanPtrCmpFunction : AsanPtrSubFunction;
1650	Value *Param[`2`] = {I->getOperand(i: `0`), I->getOperand(i: `1`)};
1651	for (Value *&i : Param) {
1652	if (i->getType()->isPointerTy())
1653	i = IRB.CreatePointerCast(V: i, DestTy: IntptrTy);
1654	}
1655	RTCI.createRuntimeCall(IRB, Callee: F, Args: Param);
1656	}
1657
1658	static void doInstrumentAddress(AddressSanitizer Pass, Instruction I,
1659	Instruction InsertBefore, Value Addr,
1660	MaybeAlign Alignment, unsigned Granularity,
1661	TypeSize TypeStoreSize, bool IsWrite,
1662	Value SizeArgument, bool* UseCalls,
1663	uint32_t Exp, RuntimeCallInserter &RTCI) {
1664	// Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check
1665	// if the data is properly aligned.
1666	if (!TypeStoreSize.isScalable()) {
1667	const auto FixedSize = TypeStoreSize.getFixedValue();
1668	switch (FixedSize) {
1669	case `8`:
1670	case `16`:
1671	case `32`:
1672	case `64`:
1673	case `128`:
1674	if (!Alignment \|\| *Alignment >= Granularity \|\|
1675	*Alignment >= FixedSize / `8`)
1676	return Pass->instrumentAddress(OrigIns: I, InsertBefore, Addr, Alignment,
1677	TypeStoreSize: FixedSize, IsWrite, SizeArgument: nullptr, UseCalls,
1678	Exp, RTCI);
1679	}
1680	}
1681	Pass->instrumentUnusualSizeOrAlignment(I, InsertBefore, Addr, TypeStoreSize,
1682	IsWrite, SizeArgument: nullptr, UseCalls, Exp, RTCI);
1683	}
1684
1685	void AddressSanitizer::instrumentMaskedLoadOrStore(
1686	AddressSanitizer Pass, const* DataLayout &DL, Type IntptrTy, Value Mask,
1687	Value EVL, Value Stride, Instruction I, Value Addr,
1688	MaybeAlign Alignment, unsigned Granularity, Type OpType, bool* IsWrite,
1689	Value SizeArgument, bool* UseCalls, uint32_t Exp,
1690	RuntimeCallInserter &RTCI) {
1691	auto *VTy = cast<VectorType>(Val: OpType);
1692	TypeSize ElemTypeSize = DL.getTypeStoreSizeInBits(Ty: VTy->getScalarType());
1693	auto Zero = ConstantInt::get(Ty: IntptrTy, V: `0`);
1694
1695	IRBuilder IB(I);
1696	Instruction *LoopInsertBefore = I;
1697	if (EVL) {
1698	// The end argument of SplitBlockAndInsertForLane is assumed bigger
1699	// than zero, so we should check whether EVL is zero here.
1700	Type *EVLType = EVL->getType();
1701	Value *IsEVLZero = IB.CreateICmpNE(LHS: EVL, RHS: ConstantInt::get(Ty: EVLType, V: `0`));
1702	LoopInsertBefore = SplitBlockAndInsertIfThen(Cond: IsEVLZero, SplitBefore: I, Unreachable: false);
1703	IB.SetInsertPoint(LoopInsertBefore);
1704	// Cast EVL to IntptrTy.
1705	EVL = IB.CreateZExtOrTrunc(V: EVL, DestTy: IntptrTy);
1706	// To avoid undefined behavior for extracting with out of range index, use
1707	// the minimum of evl and element count as trip count.
1708	Value *EC = IB.CreateElementCount(Ty: IntptrTy, EC: VTy->getElementCount());
1709	EVL = IB.CreateBinaryIntrinsic(ID: Intrinsic::umin, LHS: EVL, RHS: EC);
1710	} else {
1711	EVL = IB.CreateElementCount(Ty: IntptrTy, EC: VTy->getElementCount());
1712	}
1713
1714	// Cast Stride to IntptrTy.
1715	if (Stride)
1716	Stride = IB.CreateZExtOrTrunc(V: Stride, DestTy: IntptrTy);
1717
1718	SplitBlockAndInsertForEachLane(End: EVL, InsertBefore: LoopInsertBefore->getIterator(),
1719	Func: [&](IRBuilderBase &IRB, Value *Index) {
1720	Value *MaskElem = IRB.CreateExtractElement(Vec: Mask, Idx: Index);
1721	if (auto *MaskElemC = dyn_cast<ConstantInt>(Val: MaskElem)) {
1722	if (MaskElemC->isZero())
1723	// No check
1724	return;
1725	// Unconditional check
1726	} else {
1727	// Conditional check
1728	Instruction *ThenTerm = SplitBlockAndInsertIfThen(
1729	Cond: MaskElem, SplitBefore: &IRB.GetInsertPoint(), Unreachable: false*);
1730	IRB.SetInsertPoint(ThenTerm);
1731	}
1732
1733	Value *InstrumentedAddress;
1734	if (isa<VectorType>(Val: Addr->getType())) {
1735	assert(
1736	cast<VectorType>(Addr->getType())->getElementType()->isPointerTy() &&
1737	"Expected vector of pointer.");
1738	InstrumentedAddress = IRB.CreateExtractElement(Vec: Addr, Idx: Index);
1739	} else if (Stride) {
1740	Index = IRB.CreateMul(LHS: Index, RHS: Stride);
1741	InstrumentedAddress = IRB.CreatePtrAdd(Ptr: Addr, Offset: Index);
1742	} else {
1743	InstrumentedAddress = IRB.CreateGEP(Ty: VTy, Ptr: Addr, IdxList: {Zero, Index});
1744	}
1745	doInstrumentAddress(Pass, I, InsertBefore: &*IRB.GetInsertPoint(), Addr: InstrumentedAddress,
1746	Alignment, Granularity, TypeStoreSize: ElemTypeSize, IsWrite,
1747	SizeArgument, UseCalls, Exp, RTCI);
1748	});
1749	}
1750
1751	void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
1752	InterestingMemoryOperand &O, bool UseCalls,
1753	const DataLayout &DL,
1754	RuntimeCallInserter &RTCI) {
1755	Value *Addr = O.getPtr();
1756
1757	// Optimization experiments.
1758	// The experiments can be used to evaluate potential optimizations that remove
1759	// instrumentation (assess false negatives). Instead of completely removing
1760	// some instrumentation, you set Exp to a non-zero value (mask of optimization
1761	// experiments that want to remove instrumentation of this instruction).
1762	// If Exp is non-zero, this pass will emit special calls into runtime
1763	// (e.g. __asan_report_exp_load1 instead of __asan_report_load1). These calls
1764	// make runtime terminate the program in a special way (with a different
1765	// exit status). Then you run the new compiler on a buggy corpus, collect
1766	// the special terminations (ideally, you don't see them at all -- no false
1767	// negatives) and make the decision on the optimization.
1768	uint32_t Exp = ClForceExperiment;
1769
1770	if (ClOpt && ClOptGlobals) {
1771	// If initialization order checking is disabled, a simple access to a
1772	// dynamically initialized global is always valid.
1773	GlobalVariable *G = dyn_cast<GlobalVariable>(Val: getUnderlyingObject(V: Addr));
1774	if (G && (!ClInitializers \|\| GlobalIsLinkerInitialized(G)) &&
1775	isSafeAccess(ObjSizeVis, Addr, TypeStoreSize: O.TypeStoreSize)) {
1776	NumOptimizedAccessesToGlobalVar ++;
1777	return;
1778	}
1779	}
1780
1781	if (ClOpt && ClOptStack) {
1782	// A direct inbounds access to a stack variable is always valid.
1783	if (isa<AllocaInst>(Val: getUnderlyingObject(V: Addr)) &&
1784	isSafeAccess(ObjSizeVis, Addr, TypeStoreSize: O.TypeStoreSize)) {
1785	NumOptimizedAccessesToStackVar ++;
1786	return;
1787	}
1788	}
1789
1790	if (O.IsWrite)
1791	NumInstrumentedWrites ++;
1792	else
1793	NumInstrumentedReads ++;
1794
1795	unsigned Granularity = `1` << Mapping.Scale;
1796	if (O.MaybeMask) {
1797	instrumentMaskedLoadOrStore(Pass: this, DL, IntptrTy, Mask: O.MaybeMask, EVL: O.MaybeEVL,
1798	Stride: O.MaybeStride, I: O.getInsn(), Addr, Alignment: O.Alignment,
1799	Granularity, OpType: O.OpType, IsWrite: O.IsWrite, SizeArgument: nullptr,
1800	UseCalls, Exp, RTCI);
1801	} else {
1802	doInstrumentAddress(Pass: this, I: O.getInsn(), InsertBefore: O.getInsn(), Addr, Alignment: O.Alignment,
1803	Granularity, TypeStoreSize: O.TypeStoreSize, IsWrite: O.IsWrite, SizeArgument: nullptr,
1804	UseCalls, Exp, RTCI);
1805	}
1806	}
1807
1808	Instruction AddressSanitizer::generateCrashCode(Instruction InsertBefore,
1809	Value Addr, bool* IsWrite,
1810	size_t AccessSizeIndex,
1811	Value *SizeArgument,
1812	uint32_t Exp,
1813	RuntimeCallInserter &RTCI) {
1814	InstrumentationIRBuilder IRB(InsertBefore);
1815	Value ExpVal = Exp == `0` ? nullptr* : ConstantInt::get(Ty: IRB.getInt32Ty(), V: Exp);
1816	CallInst Call = nullptr*;
1817	if (SizeArgument) {
1818	if (Exp == `0`)
1819	Call = RTCI.createRuntimeCall(IRB, Callee: AsanErrorCallbackSized[IsWrite][`0`],
1820	Args: {Addr, SizeArgument});
1821	else
1822	Call = RTCI.createRuntimeCall(IRB, Callee: AsanErrorCallbackSized[IsWrite][`1`],
1823	Args: {Addr, SizeArgument, ExpVal});
1824	} else {
1825	if (Exp == `0`)
1826	Call = RTCI.createRuntimeCall(
1827	IRB, Callee: AsanErrorCallback[IsWrite][`0`][AccessSizeIndex], Args: Addr);
1828	else
1829	Call = RTCI.createRuntimeCall(
1830	IRB, Callee: AsanErrorCallback[IsWrite][`1`][AccessSizeIndex], Args: {Addr, ExpVal});
1831	}
1832
1833	Call->setCannotMerge();
1834	return Call;
1835	}
1836
1837	Value AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,
1838	Value *ShadowValue,
1839	uint32_t TypeStoreSize) {
1840	size_t Granularity = static_cast<size_t>(`1`) << Mapping.Scale;
1841	// Addr & (Granularity - 1)
1842	Value *LastAccessedByte =
1843	IRB.CreateAnd(LHS: AddrLong, RHS: ConstantInt::get(Ty: IntptrTy, V: Granularity - `1`));
1844	// (Addr & (Granularity - 1)) + size - 1
1845	if (TypeStoreSize / `8` > `1`)
1846	LastAccessedByte = IRB.CreateAdd(
1847	LHS: LastAccessedByte, RHS: ConstantInt::get(Ty: IntptrTy, V: TypeStoreSize / `8` - `1`));
1848	// (uint8_t) ((Addr & (Granularity-1)) + size - 1)
1849	LastAccessedByte =
1850	IRB.CreateIntCast(V: LastAccessedByte, DestTy: ShadowValue->getType(), isSigned: false);
1851	// ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue
1852	return IRB.CreateICmpSGE(LHS: LastAccessedByte, RHS: ShadowValue);
1853	}
1854
1855	Instruction *AddressSanitizer::instrumentAMDGPUAddress(
1856	Instruction OrigIns, Instruction InsertBefore, Value *Addr,
1857	uint32_t TypeStoreSize, bool IsWrite, Value *SizeArgument) {
1858	// Do not instrument unsupported addrspaces.
1859	if (isUnsupportedAMDGPUAddrspace(Addr))
1860	return nullptr;
1861	Type *PtrTy = cast<PointerType>(Val: Addr->getType()->getScalarType());
1862	// Follow host instrumentation for global and constant addresses.
1863	if (PtrTy->getPointerAddressSpace() != `0`)
1864	return InsertBefore;
1865	// Instrument generic addresses in supported addressspaces.
1866	IRBuilder<> IRB(InsertBefore);
1867	Value *IsShared = IRB.CreateCall(Callee: AMDGPUAddressShared, Args: {Addr});
1868	Value *IsPrivate = IRB.CreateCall(Callee: AMDGPUAddressPrivate, Args: {Addr});
1869	Value *IsSharedOrPrivate = IRB.CreateOr(LHS: IsShared, RHS: IsPrivate);
1870	Value *Cmp = IRB.CreateNot(V: IsSharedOrPrivate);
1871	Value *AddrSpaceZeroLanding =
1872	SplitBlockAndInsertIfThen(Cond: Cmp, SplitBefore: InsertBefore, Unreachable: false);
1873	InsertBefore = cast<Instruction>(Val: AddrSpaceZeroLanding);
1874	return InsertBefore;
1875	}
1876
1877	Instruction *AddressSanitizer::genAMDGPUReportBlock(IRBuilder<> &IRB,
1878	Value Cond, bool* Recover) {
1879	Module &M = *IRB.GetInsertBlock()->getModule();
1880	Value *ReportCond = Cond;
1881	if (!Recover) {
1882	auto Ballot = M.getOrInsertFunction(Name: kAMDGPUBallotName, RetTy: IRB.getInt64Ty(),
1883	Args: IRB.getInt1Ty());
1884	ReportCond = IRB.CreateIsNotNull(Arg: IRB.CreateCall(Callee: Ballot, Args: {Cond}));
1885	}
1886
1887	auto *Trm =
1888	SplitBlockAndInsertIfThen(Cond: ReportCond, SplitBefore: &IRB.GetInsertPoint(), Unreachable: false*,
1889	BranchWeights: MDBuilder (*C).createUnlikelyBranchWeights());
1890	Trm->getParent()->setName("asan.report");
1891
1892	if (Recover)
1893	return Trm;
1894
1895	Trm = SplitBlockAndInsertIfThen(Cond, SplitBefore: Trm, Unreachable: false);
1896	IRB.SetInsertPoint(Trm);
1897	return IRB.CreateCall(
1898	Callee: M.getOrInsertFunction(Name: kAMDGPUUnreachableName, RetTy: IRB.getVoidTy()), Args: {});
1899	}
1900
1901	void AddressSanitizer::instrumentAddress(Instruction *OrigIns,
1902	Instruction InsertBefore, Value Addr,
1903	MaybeAlign Alignment,
1904	uint32_t TypeStoreSize, bool IsWrite,
1905	Value SizeArgument, bool* UseCalls,
1906	uint32_t Exp,
1907	RuntimeCallInserter &RTCI) {
1908	if (TargetTriple.isAMDGPU()) {
1909	InsertBefore = instrumentAMDGPUAddress(OrigIns, InsertBefore, Addr,
1910	TypeStoreSize, IsWrite, SizeArgument);
1911	if (!InsertBefore)
1912	return;
1913	}
1914
1915	InstrumentationIRBuilder IRB(InsertBefore);
1916	size_t AccessSizeIndex = TypeStoreSizeToSizeIndex(TypeSize: TypeStoreSize);
1917
1918	if (UseCalls && ClOptimizeCallbacks) {
1919	const ASanAccessInfo AccessInfo(IsWrite, CompileKernel, AccessSizeIndex);
1920	IRB.CreateIntrinsic(ID: Intrinsic::asan_check_memaccess, Types: {},
1921	Args: {IRB.CreatePointerCast(V: Addr, DestTy: PtrTy),
1922	ConstantInt::get(Ty: Int32Ty, V: AccessInfo.Packed)});
1923	return;
1924	}
1925
1926	Value *AddrLong = IRB.CreatePointerCast(V: Addr, DestTy: IntptrTy);
1927	if (UseCalls) {
1928	if (Exp == `0`)
1929	RTCI.createRuntimeCall(
1930	IRB, Callee: AsanMemoryAccessCallback[IsWrite][`0`][AccessSizeIndex], Args: AddrLong);
1931	else
1932	RTCI.createRuntimeCall(
1933	IRB, Callee: AsanMemoryAccessCallback[IsWrite][`1`][AccessSizeIndex],
1934	Args: {AddrLong, ConstantInt::get(Ty: IRB.getInt32Ty(), V: Exp)});
1935	return;
1936	}
1937
1938	Type *ShadowTy =
1939	IntegerType::get(C&: *C, NumBits: std::max(a: `8U`, b: TypeStoreSize >> Mapping.Scale));
1940	Type ShadowPtrTy = PointerType::get(C&: C, AddressSpace: `0`);
1941	Value *ShadowPtr = memToShadow(Shadow: AddrLong, IRB);
1942	const uint64_t ShadowAlign =
1943	std::max<uint64_t>(a: Alignment.valueOrOne().value() >> Mapping.Scale, b: `1`);
1944	Value *ShadowValue = IRB.CreateAlignedLoad(
1945	Ty: ShadowTy, Ptr: IRB.CreateIntToPtr(V: ShadowPtr, DestTy: ShadowPtrTy), Align: Align (ShadowAlign));
1946
1947	Value *Cmp = IRB.CreateIsNotNull(Arg: ShadowValue);
1948	size_t Granularity = `1ULL` << Mapping.Scale;
1949	Instruction CrashTerm = nullptr*;
1950
1951	bool GenSlowPath = (ClAlwaysSlowPath \|\| (TypeStoreSize < `8` * Granularity));
1952
1953	if (TargetTriple.isAMDGCN()) {
1954	if (GenSlowPath) {
1955	auto *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeStoreSize);
1956	Cmp = IRB.CreateAnd(LHS: Cmp, RHS: Cmp2);
1957	}
1958	CrashTerm = genAMDGPUReportBlock(IRB, Cond: Cmp, Recover);
1959	} else if (GenSlowPath) {
1960	// We use branch weights for the slow path check, to indicate that the slow
1961	// path is rarely taken. This seems to be the case for SPEC benchmarks.
1962	Instruction *CheckTerm = SplitBlockAndInsertIfThen(
1963	Cond: Cmp, SplitBefore: InsertBefore, Unreachable: false, BranchWeights: MDBuilder (*C).createUnlikelyBranchWeights());
1964	assert(cast<BranchInst>(CheckTerm)->isUnconditional());
1965	BasicBlock *NextBB = CheckTerm->getSuccessor(Idx: `0`);
1966	IRB.SetInsertPoint(CheckTerm);
1967	Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeStoreSize);
1968	if (Recover) {
1969	CrashTerm = SplitBlockAndInsertIfThen(Cond: Cmp2, SplitBefore: CheckTerm, Unreachable: false);
1970	} else {
1971	BasicBlock *CrashBlock =
1972	BasicBlock::Create(Context&: *C, Name: "", Parent: NextBB->getParent(), InsertBefore: NextBB);
1973	CrashTerm = new UnreachableInst (*C, CrashBlock);
1974	BranchInst *NewTerm = BranchInst::Create(IfTrue: CrashBlock, IfFalse: NextBB, Cond: Cmp2);
1975	ReplaceInstWithInst(From: CheckTerm, To: NewTerm);
1976	}
1977	} else {
1978	CrashTerm = SplitBlockAndInsertIfThen(Cond: Cmp, SplitBefore: InsertBefore, Unreachable: !Recover);
1979	}
1980
1981	Instruction *Crash = generateCrashCode(
1982	InsertBefore: CrashTerm, Addr: AddrLong, IsWrite, AccessSizeIndex, SizeArgument, Exp, RTCI);
1983	if (OrigIns->getDebugLoc())
1984	Crash->setDebugLoc(OrigIns->getDebugLoc());
1985	}
1986
1987	// Instrument unusual size or unusual alignment.
1988	// We can not do it with a single check, so we do 1-byte check for the first
1989	// and the last bytes. We call __asan_report__n(addr, real_size) to be able*
1990	// to report the actual access size.
1991	void AddressSanitizer::instrumentUnusualSizeOrAlignment(
1992	Instruction I, Instruction InsertBefore, Value *Addr,
1993	TypeSize TypeStoreSize, bool IsWrite, Value SizeArgument, bool* UseCalls,
1994	uint32_t Exp, RuntimeCallInserter &RTCI) {
1995	InstrumentationIRBuilder IRB(InsertBefore);
1996	Value *NumBits = IRB.CreateTypeSize(Ty: IntptrTy, Size: TypeStoreSize);
1997	Value *Size = IRB.CreateLShr(LHS: NumBits, RHS: ConstantInt::get(Ty: IntptrTy, V: `3`));
1998
1999	Value *AddrLong = IRB.CreatePointerCast(V: Addr, DestTy: IntptrTy);
2000	if (UseCalls) {
2001	if (Exp == `0`)
2002	RTCI.createRuntimeCall(IRB, Callee: AsanMemoryAccessCallbackSized[IsWrite][`0`],
2003	Args: {AddrLong, Size});
2004	else
2005	RTCI.createRuntimeCall(
2006	IRB, Callee: AsanMemoryAccessCallbackSized[IsWrite][`1`],
2007	Args: {AddrLong, Size, ConstantInt::get(Ty: IRB.getInt32Ty(), V: Exp)});
2008	} else {
2009	Value *SizeMinusOne = IRB.CreateSub(LHS: Size, RHS: ConstantInt::get(Ty: IntptrTy, V: `1`));
2010	Value *LastByte = IRB.CreateIntToPtr(
2011	V: IRB.CreateAdd(LHS: AddrLong, RHS: SizeMinusOne),
2012	DestTy: Addr->getType());
2013	instrumentAddress(OrigIns: I, InsertBefore, Addr, Alignment: {}, TypeStoreSize: `8`, IsWrite, SizeArgument: Size, UseCalls: false, Exp,
2014	RTCI);
2015	instrumentAddress(OrigIns: I, InsertBefore, Addr: LastByte, Alignment: {}, TypeStoreSize: `8`, IsWrite, SizeArgument: Size, UseCalls: false,
2016	Exp, RTCI);
2017	}
2018	}
2019
2020	void ModuleAddressSanitizer::poisonOneInitializer(Function &GlobalInit) {
2021	// Set up the arguments to our poison/unpoison functions.
2022	IRBuilder<> IRB(&GlobalInit.front(),
2023	GlobalInit.front().getFirstInsertionPt());
2024
2025	// Add a call to poison all external globals before the given function starts.
2026	Value *ModuleNameAddr =
2027	ConstantExpr::getPointerCast(C: getOrCreateModuleName(), Ty: IntptrTy);
2028	IRB.CreateCall(Callee: AsanPoisonGlobals, Args: ModuleNameAddr);
2029
2030	// Add calls to unpoison all globals before each return instruction.
2031	for (auto &BB : GlobalInit)
2032	if (ReturnInst *RI = dyn_cast<ReturnInst>(Val: BB.getTerminator()))
2033	CallInst::Create(Func: AsanUnpoisonGlobals, NameStr: "", InsertBefore: RI->getIterator());
2034	}
2035
2036	void ModuleAddressSanitizer::createInitializerPoisonCalls() {
2037	GlobalVariable *GV = M.getGlobalVariable(Name: "llvm.global_ctors");
2038	if (!GV)
2039	return;
2040
2041	ConstantArray *CA = dyn_cast<ConstantArray>(Val: GV->getInitializer());
2042	if (!CA)
2043	return;
2044
2045	for (Use &OP : CA->operands()) {
2046	if (isa<ConstantAggregateZero>(Val: OP)) continue;
2047	ConstantStruct *CS = cast<ConstantStruct>(Val&: OP);
2048
2049	// Must have a function or null ptr.
2050	if (Function *F = dyn_cast<Function>(Val: CS->getOperand(i_nocapture: `1`))) {
2051	if (F->getName() == kAsanModuleCtorName) continue;
2052	auto *Priority = cast<ConstantInt>(Val: CS->getOperand(i_nocapture: `0`));
2053	// Don't instrument CTORs that will run before asan.module_ctor.
2054	if (Priority->getLimitedValue() <= GetCtorAndDtorPriority(TargetTriple))
2055	continue;
2056	poisonOneInitializer(GlobalInit&: *F);
2057	}
2058	}
2059	}
2060
2061	const GlobalVariable *
2062	ModuleAddressSanitizer::getExcludedAliasedGlobal(const GlobalAlias &GA) const {
2063	// In case this function should be expanded to include rules that do not just
2064	// apply when CompileKernel is true, either guard all existing rules with an
2065	// 'if (CompileKernel) { ... }' or be absolutely sure that all these rules
2066	// should also apply to user space.
2067	assert(CompileKernel && "Only expecting to be called when compiling kernel");
2068
2069	const Constant *C = GA.getAliasee();
2070
2071	// When compiling the kernel, globals that are aliased by symbols prefixed
2072	// by "__" are special and cannot be padded with a redzone.
2073	if (GA.getName().starts_with(Prefix: "__"))
2074	return dyn_cast<GlobalVariable>(Val: C->stripPointerCastsAndAliases());
2075
2076	return nullptr;
2077	}
2078
2079	bool ModuleAddressSanitizer::shouldInstrumentGlobal(GlobalVariable G) const* {
2080	Type *Ty = G->getValueType();
2081	LLVM_DEBUG(dbgs() << "GLOBAL: " << *G << "\n");
2082
2083	if (G->hasSanitizerMetadata() && G->getSanitizerMetadata().NoAddress)
2084	return false;
2085	if (!Ty->isSized()) return false;
2086	if (!G->hasInitializer()) return false;
2087	// Globals in address space 1 and 4 are supported for AMDGPU.
2088	if (G->getAddressSpace() &&
2089	!(TargetTriple.isAMDGPU() && !isUnsupportedAMDGPUAddrspace(Addr: G)))
2090	return false;
2091	if (GlobalWasGeneratedByCompiler(G)) return false; // Our own globals.
2092	// Two problems with thread-locals:
2093	// - The address of the main thread's copy can't be computed at link-time.
2094	// - Need to poison all copies, not just the main thread's one.
2095	if (G->isThreadLocal()) return false;
2096	// For now, just ignore this Global if the alignment is large.
2097	if (G->getAlign() && G->getAlign() > getMinRedzoneSizeForGlobal()) return* false;
2098
2099	// For non-COFF targets, only instrument globals known to be defined by this
2100	// TU.
2101	// FIXME: We can instrument comdat globals on ELF if we are using the
2102	// GC-friendly metadata scheme.
2103	if (!TargetTriple.isOSBinFormatCOFF()) {
2104	if (!G->hasExactDefinition() \|\| G->hasComdat())
2105	return false;
2106	} else {
2107	// On COFF, don't instrument non-ODR linkages.
2108	if (G->isInterposable())
2109	return false;
2110	// If the global has AvailableExternally linkage, then it is not in this
2111	// module, which means it does not need to be instrumented.
2112	if (G->hasAvailableExternallyLinkage())
2113	return false;
2114	}
2115
2116	// If a comdat is present, it must have a selection kind that implies ODR
2117	// semantics: no duplicates, any, or exact match.
2118	if (Comdat *C = G->getComdat()) {
2119	switch (C->getSelectionKind()) {
2120	case Comdat::Any:
2121	case Comdat::ExactMatch:
2122	case Comdat::NoDeduplicate:
2123	break;
2124	case Comdat::Largest:
2125	case Comdat::SameSize:
2126	return false;
2127	}
2128	}
2129
2130	if (G->hasSection()) {
2131	// The kernel uses explicit sections for mostly special global variables
2132	// that we should not instrument. E.g. the kernel may rely on their layout
2133	// without redzones, or remove them at link time ("discard."), etc.*
2134	if (CompileKernel)
2135	return false;
2136
2137	StringRef Section = G->getSection();
2138
2139	// Globals from llvm.metadata aren't emitted, do not instrument them.
2140	if (Section == "llvm.metadata") return false;
2141	// Do not instrument globals from special LLVM sections.
2142	if (Section.contains(Other: "__llvm") \|\| Section.contains(Other: "__LLVM"))
2143	return false;
2144
2145	// Do not instrument function pointers to initialization and termination
2146	// routines: dynamic linker will not properly handle redzones.
2147	if (Section.starts_with(Prefix: ".preinit_array") \|\|
2148	Section.starts_with(Prefix: ".init_array") \|\|
2149	Section.starts_with(Prefix: ".fini_array")) {
2150	return false;
2151	}
2152
2153	// Do not instrument user-defined sections (with names resembling
2154	// valid C identifiers)
2155	if (TargetTriple.isOSBinFormatELF()) {
2156	if (llvm::all_of(Range&: Section,
2157	P: [](char c) { return llvm::isAlnum(C: c) \|\| c == `'_'`; }))
2158	return false;
2159	}
2160
2161	// On COFF, if the section name contains '$', it is highly likely that the
2162	// user is using section sorting to create an array of globals similar to
2163	// the way initialization callbacks are registered in .init_array and
2164	// .CRT$XCU. The ATL also registers things in .ATL$__[azm]. Adding redzones
2165	// to such globals is counterproductive, because the intent is that they
2166	// will form an array, and out-of-bounds accesses are expected.
2167	// See https://github.com/google/sanitizers/issues/305
2168	// and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx
2169	if (TargetTriple.isOSBinFormatCOFF() && Section.contains(C: `'$'`)) {
2170	LLVM_DEBUG(dbgs() << "Ignoring global in sorted section (contains '$'): "
2171	<< *G << "\n");
2172	return false;
2173	}
2174
2175	if (TargetTriple.isOSBinFormatMachO()) {
2176	StringRef ParsedSegment, ParsedSection;
2177	unsigned TAA = `0`, StubSize = `0`;
2178	bool TAAParsed;
2179	cantFail(Err: MCSectionMachO::ParseSectionSpecifier(
2180	Spec: Section, Segment&: ParsedSegment, Section&: ParsedSection, TAA, TAAParsed, StubSize));
2181
2182	// Ignore the globals from the __OBJC section. The ObjC runtime assumes
2183	// those conform to /usr/lib/objc/runtime.h, so we can't add redzones to
2184	// them.
2185	if (ParsedSegment == "__OBJC" \|\|
2186	(ParsedSegment == "__DATA" && ParsedSection.starts_with(Prefix: "__objc_"))) {
2187	LLVM_DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n");
2188	return false;
2189	}
2190	// See https://github.com/google/sanitizers/issues/32
2191	// Constant CFString instances are compiled in the following way:
2192	// -- the string buffer is emitted into
2193	// __TEXT,__cstring,cstring_literals
2194	// -- the constant NSConstantString structure referencing that buffer
2195	// is placed into __DATA,__cfstring
2196	// Therefore there's no point in placing redzones into __DATA,__cfstring.
2197	// Moreover, it causes the linker to crash on OS X 10.7
2198	if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") {
2199	LLVM_DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n");
2200	return false;
2201	}
2202	// The linker merges the contents of cstring_literals and removes the
2203	// trailing zeroes.
2204	if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) {
2205	LLVM_DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n");
2206	return false;
2207	}
2208	}
2209	}
2210
2211	if (CompileKernel) {
2212	// Globals that prefixed by "__" are special and cannot be padded with a
2213	// redzone.
2214	if (G->getName().starts_with(Prefix: "__"))
2215	return false;
2216	}
2217
2218	return true;
2219	}
2220
2221	// On Mach-O platforms, we emit global metadata in a separate section of the
2222	// binary in order to allow the linker to properly dead strip. This is only
2223	// supported on recent versions of ld64.
2224	bool ModuleAddressSanitizer::ShouldUseMachOGlobalsSection() const {
2225	if (!TargetTriple.isOSBinFormatMachO())
2226	return false;
2227
2228	if (TargetTriple.isMacOSX() && !TargetTriple.isMacOSXVersionLT(Major: `10`, Minor: `11`))
2229	return true;
2230	if (TargetTriple.isiOS() / or tvOS / && !TargetTriple.isOSVersionLT(Major: `9`))
2231	return true;
2232	if (TargetTriple.isWatchOS() && !TargetTriple.isOSVersionLT(Major: `2`))
2233	return true;
2234	if (TargetTriple.isDriverKit())
2235	return true;
2236	if (TargetTriple.isXROS())
2237	return true;
2238
2239	return false;
2240	}
2241
2242	StringRef ModuleAddressSanitizer::getGlobalMetadataSection() const {
2243	switch (TargetTriple.getObjectFormat()) {
2244	case Triple::COFF: return ".ASAN$GL";
2245	case Triple::ELF: return "asan_globals";
2246	case Triple::MachO: return "__DATA,__asan_globals,regular";
2247	case Triple::Wasm:
2248	case Triple::GOFF:
2249	case Triple::SPIRV:
2250	case Triple::XCOFF:
2251	case Triple::DXContainer:
2252	report_fatal_error(
2253	reason: "ModuleAddressSanitizer not implemented for object file format");
2254	case Triple::UnknownObjectFormat:
2255	break;
2256	}
2257	llvm_unreachable("unsupported object format");
2258	}
2259
2260	void ModuleAddressSanitizer::initializeCallbacks() {
2261	IRBuilder<> IRB(*C);
2262
2263	// Declare our poisoning and unpoisoning functions.
2264	AsanPoisonGlobals =
2265	M.getOrInsertFunction(Name: kAsanPoisonGlobalsName, RetTy: IRB.getVoidTy(), Args: IntptrTy);
2266	AsanUnpoisonGlobals =
2267	M.getOrInsertFunction(Name: kAsanUnpoisonGlobalsName, RetTy: IRB.getVoidTy());
2268
2269	// Declare functions that register/unregister globals.
2270	AsanRegisterGlobals = M.getOrInsertFunction(
2271	Name: kAsanRegisterGlobalsName, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
2272	AsanUnregisterGlobals = M.getOrInsertFunction(
2273	Name: kAsanUnregisterGlobalsName, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
2274
2275	// Declare the functions that find globals in a shared object and then invoke
2276	// the (un)register function on them.
2277	AsanRegisterImageGlobals = M.getOrInsertFunction(
2278	Name: kAsanRegisterImageGlobalsName, RetTy: IRB.getVoidTy(), Args: IntptrTy);
2279	AsanUnregisterImageGlobals = M.getOrInsertFunction(
2280	Name: kAsanUnregisterImageGlobalsName, RetTy: IRB.getVoidTy(), Args: IntptrTy);
2281
2282	AsanRegisterElfGlobals =
2283	M.getOrInsertFunction(Name: kAsanRegisterElfGlobalsName, RetTy: IRB.getVoidTy(),
2284	Args: IntptrTy, Args: IntptrTy, Args: IntptrTy);
2285	AsanUnregisterElfGlobals =
2286	M.getOrInsertFunction(Name: kAsanUnregisterElfGlobalsName, RetTy: IRB.getVoidTy(),
2287	Args: IntptrTy, Args: IntptrTy, Args: IntptrTy);
2288	}
2289
2290	// Put the metadata and the instrumented global in the same group. This ensures
2291	// that the metadata is discarded if the instrumented global is discarded.
2292	void ModuleAddressSanitizer::SetComdatForGlobalMetadata(
2293	GlobalVariable G, GlobalVariable Metadata, StringRef InternalSuffix) {
2294	Module &M = *G->getParent();
2295	Comdat *C = G->getComdat();
2296	if (!C) {
2297	if (!G->hasName()) {
2298	// If G is unnamed, it must be internal. Give it an artificial name
2299	// so we can put it in a comdat.
2300	assert(G->hasLocalLinkage());
2301	G->setName(genName(suffix: "anon_global"));
2302	}
2303
2304	if (!InternalSuffix.empty() && G->hasLocalLinkage()) {
2305	std::string Name = std::string (G->getName());
2306	Name += InternalSuffix;
2307	C = M.getOrInsertComdat(Name);
2308	} else {
2309	C = M.getOrInsertComdat(Name: G->getName());
2310	}
2311
2312	// Make this IMAGE_COMDAT_SELECT_NODUPLICATES on COFF. Also upgrade private
2313	// linkage to internal linkage so that a symbol table entry is emitted. This
2314	// is necessary in order to create the comdat group.
2315	if (TargetTriple.isOSBinFormatCOFF()) {
2316	C->setSelectionKind(Comdat::NoDeduplicate);
2317	if (G->hasPrivateLinkage())
2318	G->setLinkage(GlobalValue::InternalLinkage);
2319	}
2320	G->setComdat(C);
2321	}
2322
2323	assert(G->hasComdat());
2324	Metadata->setComdat(G->getComdat());
2325	}
2326
2327	// Create a separate metadata global and put it in the appropriate ASan
2328	// global registration section.
2329	GlobalVariable *
2330	ModuleAddressSanitizer::CreateMetadataGlobal(Constant *Initializer,
2331	StringRef OriginalName) {
2332	auto Linkage = TargetTriple.isOSBinFormatMachO()
2333	? GlobalVariable::InternalLinkage
2334	: GlobalVariable::PrivateLinkage;
2335	GlobalVariable Metadata = new* GlobalVariable (
2336	M, Initializer->getType(), false, Linkage, Initializer,
2337	Twine ("__asan_global_") + GlobalValue::dropLLVMManglingEscape(Name: OriginalName));
2338	Metadata->setSection(getGlobalMetadataSection());
2339	// Place metadata in a large section for x86-64 ELF binaries to mitigate
2340	// relocation pressure.
2341	setGlobalVariableLargeSection(TargetTriple, GV&: *Metadata);
2342	return Metadata;
2343	}
2344
2345	Instruction *ModuleAddressSanitizer::CreateAsanModuleDtor() {
2346	AsanDtorFunction = Function::createWithDefaultAttr(
2347	Ty: FunctionType::get(Result: Type::getVoidTy(C&: C), isVarArg: false*),
2348	Linkage: GlobalValue::InternalLinkage, AddrSpace: `0`, N: kAsanModuleDtorName, M: &M);
2349	AsanDtorFunction->addFnAttr(Kind: Attribute::NoUnwind);
2350	// Ensure Dtor cannot be discarded, even if in a comdat.
2351	appendToUsed(M, Values: {AsanDtorFunction});
2352	BasicBlock AsanDtorBB = BasicBlock::Create(Context&: C, Name: "", Parent: AsanDtorFunction);
2353
2354	return ReturnInst::Create(C&: *C, InsertAtEnd: AsanDtorBB);
2355	}
2356
2357	void ModuleAddressSanitizer::InstrumentGlobalsCOFF(
2358	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2359	ArrayRef<Constant *> MetadataInitializers) {
2360	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2361	auto &DL = M.getDataLayout();
2362
2363	SmallVector<GlobalValue *, `16`> MetadataGlobals(ExtendedGlobals.size());
2364	for (size_t i = `0`; i < ExtendedGlobals.size(); i++) {
2365	Constant *Initializer = MetadataInitializers [i];
2366	GlobalVariable *G = ExtendedGlobals [i];
2367	GlobalVariable *Metadata = CreateMetadataGlobal(Initializer, OriginalName: G->getName());
2368	MDNode *MD = MDNode::get(Context&: M.getContext(), MDs: ValueAsMetadata::get(V: G));
2369	Metadata->setMetadata(KindID: LLVMContext::MD_associated, Node: MD);
2370	MetadataGlobals [i] = Metadata;
2371
2372	// The MSVC linker always inserts padding when linking incrementally. We
2373	// cope with that by aligning each struct to its size, which must be a power
2374	// of two.
2375	unsigned SizeOfGlobalStruct = DL.getTypeAllocSize(Ty: Initializer->getType());
2376	assert(isPowerOf2_32(SizeOfGlobalStruct) &&
2377	"global metadata will not be padded appropriately");
2378	Metadata->setAlignment(assumeAligned(Value: SizeOfGlobalStruct));
2379
2380	SetComdatForGlobalMetadata(G, Metadata, InternalSuffix: "");
2381	}
2382
2383	// Update llvm.compiler.used, adding the new metadata globals. This is
2384	// needed so that during LTO these variables stay alive.
2385	if (!MetadataGlobals.empty())
2386	appendToCompilerUsed(M, Values: MetadataGlobals);
2387	}
2388
2389	void ModuleAddressSanitizer::instrumentGlobalsELF(
2390	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2391	ArrayRef<Constant *> MetadataInitializers,
2392	const std::string &UniqueModuleId) {
2393	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2394
2395	// Putting globals in a comdat changes the semantic and potentially cause
2396	// false negative odr violations at link time. If odr indicators are used, we
2397	// keep the comdat sections, as link time odr violations will be dectected on
2398	// the odr indicator symbols.
2399	bool UseComdatForGlobalsGC = UseOdrIndicator && !UniqueModuleId.empty();
2400
2401	SmallVector<GlobalValue *, `16`> MetadataGlobals(ExtendedGlobals.size());
2402	for (size_t i = `0`; i < ExtendedGlobals.size(); i++) {
2403	GlobalVariable *G = ExtendedGlobals [i];
2404	GlobalVariable *Metadata =
2405	CreateMetadataGlobal(Initializer: MetadataInitializers [i], OriginalName: G->getName());
2406	MDNode *MD = MDNode::get(Context&: M.getContext(), MDs: ValueAsMetadata::get(V: G));
2407	Metadata->setMetadata(KindID: LLVMContext::MD_associated, Node: MD);
2408	MetadataGlobals [i] = Metadata;
2409
2410	if (UseComdatForGlobalsGC)
2411	SetComdatForGlobalMetadata(G, Metadata, InternalSuffix: UniqueModuleId);
2412	}
2413
2414	// Update llvm.compiler.used, adding the new metadata globals. This is
2415	// needed so that during LTO these variables stay alive.
2416	if (!MetadataGlobals.empty())
2417	appendToCompilerUsed(M, Values: MetadataGlobals);
2418
2419	// RegisteredFlag serves two purposes. First, we can pass it to dladdr()
2420	// to look up the loaded image that contains it. Second, we can store in it
2421	// whether registration has already occurred, to prevent duplicate
2422	// registration.
2423	//
2424	// Common linkage ensures that there is only one global per shared library.
2425	GlobalVariable RegisteredFlag = new* GlobalVariable (
2426	M, IntptrTy, false, GlobalVariable::CommonLinkage,
2427	ConstantInt::get(Ty: IntptrTy, V: `0`), kAsanGlobalsRegisteredFlagName);
2428	RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility);
2429
2430	// Create start and stop symbols.
2431	GlobalVariable StartELFMetadata = new* GlobalVariable (
2432	M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr,
2433	"__start_" + getGlobalMetadataSection());
2434	StartELFMetadata->setVisibility(GlobalVariable::HiddenVisibility);
2435	GlobalVariable StopELFMetadata = new* GlobalVariable (
2436	M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr,
2437	"__stop_" + getGlobalMetadataSection());
2438	StopELFMetadata->setVisibility(GlobalVariable::HiddenVisibility);
2439
2440	// Create a call to register the globals with the runtime.
2441	if (ConstructorKind == AsanCtorKind::Global)
2442	IRB.CreateCall(Callee: AsanRegisterElfGlobals,
2443	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy),
2444	IRB.CreatePointerCast(V: StartELFMetadata, DestTy: IntptrTy),
2445	IRB.CreatePointerCast(V: StopELFMetadata, DestTy: IntptrTy)});
2446
2447	// We also need to unregister globals at the end, e.g., when a shared library
2448	// gets closed.
2449	if (DestructorKind != AsanDtorKind::None && !MetadataGlobals.empty()) {
2450	IRBuilder<> IrbDtor(CreateAsanModuleDtor());
2451	IrbDtor.CreateCall(Callee: AsanUnregisterElfGlobals,
2452	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy),
2453	IRB.CreatePointerCast(V: StartELFMetadata, DestTy: IntptrTy),
2454	IRB.CreatePointerCast(V: StopELFMetadata, DestTy: IntptrTy)});
2455	}
2456	}
2457
2458	void ModuleAddressSanitizer::InstrumentGlobalsMachO(
2459	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2460	ArrayRef<Constant *> MetadataInitializers) {
2461	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2462
2463	// On recent Mach-O platforms, use a structure which binds the liveness of
2464	// the global variable to the metadata struct. Keep the list of "Liveness" GV
2465	// created to be added to llvm.compiler.used
2466	StructType *LivenessTy = StructType::get(elt1: IntptrTy, elts: IntptrTy);
2467	SmallVector<GlobalValue *, `16`> LivenessGlobals(ExtendedGlobals.size());
2468
2469	for (size_t i = `0`; i < ExtendedGlobals.size(); i++) {
2470	Constant *Initializer = MetadataInitializers [i];
2471	GlobalVariable *G = ExtendedGlobals [i];
2472	GlobalVariable *Metadata = CreateMetadataGlobal(Initializer, OriginalName: G->getName());
2473
2474	// On recent Mach-O platforms, we emit the global metadata in a way that
2475	// allows the linker to properly strip dead globals.
2476	auto LivenessBinder =
2477	ConstantStruct::get(T: LivenessTy, Vs: Initializer->getAggregateElement(Elt: `0u`),
2478	Vs: ConstantExpr::getPointerCast(C: Metadata, Ty: IntptrTy));
2479	GlobalVariable Liveness = new* GlobalVariable (
2480	M, LivenessTy, false, GlobalVariable::InternalLinkage, LivenessBinder,
2481	Twine ("__asan_binder_") + G->getName());
2482	Liveness->setSection("__DATA,__asan_liveness,regular,live_support");
2483	LivenessGlobals [i] = Liveness;
2484	}
2485
2486	// Update llvm.compiler.used, adding the new liveness globals. This is
2487	// needed so that during LTO these variables stay alive. The alternative
2488	// would be to have the linker handling the LTO symbols, but libLTO
2489	// current API does not expose access to the section for each symbol.
2490	if (!LivenessGlobals.empty())
2491	appendToCompilerUsed(M, Values: LivenessGlobals);
2492
2493	// RegisteredFlag serves two purposes. First, we can pass it to dladdr()
2494	// to look up the loaded image that contains it. Second, we can store in it
2495	// whether registration has already occurred, to prevent duplicate
2496	// registration.
2497	//
2498	// common linkage ensures that there is only one global per shared library.
2499	GlobalVariable RegisteredFlag = new* GlobalVariable (
2500	M, IntptrTy, false, GlobalVariable::CommonLinkage,
2501	ConstantInt::get(Ty: IntptrTy, V: `0`), kAsanGlobalsRegisteredFlagName);
2502	RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility);
2503
2504	if (ConstructorKind == AsanCtorKind::Global)
2505	IRB.CreateCall(Callee: AsanRegisterImageGlobals,
2506	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy)});
2507
2508	// We also need to unregister globals at the end, e.g., when a shared library
2509	// gets closed.
2510	if (DestructorKind != AsanDtorKind::None) {
2511	IRBuilder<> IrbDtor(CreateAsanModuleDtor());
2512	IrbDtor.CreateCall(Callee: AsanUnregisterImageGlobals,
2513	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy)});
2514	}
2515	}
2516
2517	void ModuleAddressSanitizer::InstrumentGlobalsWithMetadataArray(
2518	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2519	ArrayRef<Constant *> MetadataInitializers) {
2520	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2521	unsigned N = ExtendedGlobals.size();
2522	assert(N > `0`);
2523
2524	// On platforms that don't have a custom metadata section, we emit an array
2525	// of global metadata structures.
2526	ArrayType *ArrayOfGlobalStructTy =
2527	ArrayType::get(ElementType: MetadataInitializers [`0`]->getType(), NumElements: N);
2528	auto AllGlobals = new GlobalVariable (
2529	M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage,
2530	ConstantArray::get(T: ArrayOfGlobalStructTy, V: MetadataInitializers), "");
2531	if (Mapping.Scale > `3`)
2532	AllGlobals->setAlignment(Align (`1ULL` << Mapping.Scale));
2533
2534	if (ConstructorKind == AsanCtorKind::Global)
2535	IRB.CreateCall(Callee: AsanRegisterGlobals,
2536	Args: {IRB.CreatePointerCast(V: AllGlobals, DestTy: IntptrTy),
2537	ConstantInt::get(Ty: IntptrTy, V: N)});
2538
2539	// We also need to unregister globals at the end, e.g., when a shared library
2540	// gets closed.
2541	if (DestructorKind != AsanDtorKind::None) {
2542	IRBuilder<> IrbDtor(CreateAsanModuleDtor());
2543	IrbDtor.CreateCall(Callee: AsanUnregisterGlobals,
2544	Args: {IRB.CreatePointerCast(V: AllGlobals, DestTy: IntptrTy),
2545	ConstantInt::get(Ty: IntptrTy, V: N)});
2546	}
2547	}
2548
2549	// This function replaces all global variables with new variables that have
2550	// trailing redzones. It also creates a function that poisons
2551	// redzones and inserts this function into llvm.global_ctors.
2552	// Sets CtorComdat to true if the global registration code emitted into the*
2553	// asan constructor is comdat-compatible.
2554	void ModuleAddressSanitizer::instrumentGlobals(IRBuilder<> &IRB,
2555	bool *CtorComdat) {
2556	// Build set of globals that are aliased by some GA, where
2557	// getExcludedAliasedGlobal(GA) returns the relevant GlobalVariable.
2558	SmallPtrSet<const GlobalVariable *, `16`> AliasedGlobalExclusions;
2559	if (CompileKernel) {
2560	for (auto &GA : M.aliases()) {
2561	if (const GlobalVariable *GV = getExcludedAliasedGlobal(GA))
2562	AliasedGlobalExclusions.insert(Ptr: GV);
2563	}
2564	}
2565
2566	SmallVector<GlobalVariable *, `16`> GlobalsToChange;
2567	for (auto &G : M.globals()) {
2568	if (!AliasedGlobalExclusions.count(Ptr: &G) && shouldInstrumentGlobal(G: &G))
2569	GlobalsToChange.push_back(Elt: &G);
2570	}
2571
2572	size_t n = GlobalsToChange.size();
2573	auto &DL = M.getDataLayout();
2574
2575	// A global is described by a structure
2576	// size_t beg;
2577	// size_t size;
2578	// size_t size_with_redzone;
2579	// const char name;*
2580	// const char module_name;*
2581	// size_t has_dynamic_init;
2582	// size_t padding_for_windows_msvc_incremental_link;
2583	// size_t odr_indicator;
2584	// We initialize an array of such structures and pass it to a run-time call.
2585	StructType *GlobalStructTy =
2586	StructType::get(elt1: IntptrTy, elts: IntptrTy, elts: IntptrTy, elts: IntptrTy, elts: IntptrTy,
2587	elts: IntptrTy, elts: IntptrTy, elts: IntptrTy);
2588	SmallVector<GlobalVariable *, `16`> NewGlobals(n);
2589	SmallVector<Constant *, `16`> Initializers(n);
2590
2591	for (size_t i = `0`; i < n; i++) {
2592	GlobalVariable *G = GlobalsToChange [i];
2593
2594	GlobalValue::SanitizerMetadata MD;
2595	if (G->hasSanitizerMetadata())
2596	MD = G->getSanitizerMetadata();
2597
2598	// The runtime library tries demangling symbol names in the descriptor but
2599	// functionality like __cxa_demangle may be unavailable (e.g.
2600	// -static-libstdc++). So we demangle the symbol names here.
2601	std::string NameForGlobal = G->getName().str();
2602	GlobalVariable *Name =
2603	createPrivateGlobalForString(M, Str: llvm::demangle(MangledName: NameForGlobal),
2604	/AllowMerging/ true, NamePrefix: genName(suffix: "global"));
2605
2606	Type *Ty = G->getValueType();
2607	const uint64_t SizeInBytes = DL.getTypeAllocSize(Ty);
2608	const uint64_t RightRedzoneSize = getRedzoneSizeForGlobal(SizeInBytes);
2609	Type *RightRedZoneTy = ArrayType::get(ElementType: IRB.getInt8Ty(), NumElements: RightRedzoneSize);
2610
2611	StructType *NewTy = StructType::get(elt1: Ty, elts: RightRedZoneTy);
2612	Constant *NewInitializer = ConstantStruct::get(
2613	T: NewTy, Vs: G->getInitializer(), Vs: Constant::getNullValue(Ty: RightRedZoneTy));
2614
2615	// Create a new global variable with enough space for a redzone.
2616	GlobalValue::LinkageTypes Linkage = G->getLinkage();
2617	if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage)
2618	Linkage = GlobalValue::InternalLinkage;
2619	GlobalVariable NewGlobal = new* GlobalVariable (
2620	M, NewTy, G->isConstant(), Linkage, NewInitializer, "", G,
2621	G->getThreadLocalMode(), G->getAddressSpace());
2622	NewGlobal->copyAttributesFrom(Src: G);
2623	NewGlobal->setComdat(G->getComdat());
2624	NewGlobal->setAlignment(Align (getMinRedzoneSizeForGlobal()));
2625	// Don't fold globals with redzones. ODR violation detector and redzone
2626	// poisoning implicitly creates a dependence on the global's address, so it
2627	// is no longer valid for it to be marked unnamed_addr.
2628	NewGlobal->setUnnamedAddr(GlobalValue::UnnamedAddr::None);
2629
2630	// Move null-terminated C strings to "__asan_cstring" section on Darwin.
2631	if (TargetTriple.isOSBinFormatMachO() && !G->hasSection() &&
2632	G->isConstant()) {
2633	auto Seq = dyn_cast<ConstantDataSequential>(Val: G->getInitializer());
2634	if (Seq && Seq->isCString())
2635	NewGlobal->setSection("__TEXT,__asan_cstring,regular");
2636	}
2637
2638	// Transfer the debug info and type metadata. The payload starts at offset
2639	// zero so we can copy the metadata over as is.
2640	NewGlobal->copyMetadata(Src: G, Offset: `0`);
2641
2642	Value *Indices2[`2`];
2643	Indices2[`0`] = IRB.getInt32(C: `0`);
2644	Indices2[`1`] = IRB.getInt32(C: `0`);
2645
2646	G->replaceAllUsesWith(
2647	V: ConstantExpr::getGetElementPtr(Ty: NewTy, C: NewGlobal, IdxList: Indices2, NW: true));
2648	NewGlobal->takeName(V: G);
2649	G->eraseFromParent();
2650	NewGlobals [i] = NewGlobal;
2651
2652	Constant *ODRIndicator = ConstantPointerNull::get(T: PtrTy);
2653	GlobalValue *InstrumentedGlobal = NewGlobal;
2654
2655	bool CanUsePrivateAliases =
2656	TargetTriple.isOSBinFormatELF() \|\| TargetTriple.isOSBinFormatMachO() \|\|
2657	TargetTriple.isOSBinFormatWasm();
2658	if (CanUsePrivateAliases && UsePrivateAlias) {
2659	// Create local alias for NewGlobal to avoid crash on ODR between
2660	// instrumented and non-instrumented libraries.
2661	InstrumentedGlobal =
2662	GlobalAlias::create(Linkage: GlobalValue::PrivateLinkage, Name: "", Aliasee: NewGlobal);
2663	}
2664
2665	// ODR should not happen for local linkage.
2666	if (NewGlobal->hasLocalLinkage()) {
2667	ODRIndicator =
2668	ConstantExpr::getIntToPtr(C: ConstantInt::get(Ty: IntptrTy, V: -`1`), Ty: PtrTy);
2669	} else if (UseOdrIndicator) {
2670	// With local aliases, we need to provide another externally visible
2671	// symbol __odr_asan_XXX to detect ODR violation.
2672	auto *ODRIndicatorSym =
2673	new GlobalVariable (M, IRB.getInt8Ty(), false, Linkage,
2674	Constant::getNullValue(Ty: IRB.getInt8Ty()),
2675	kODRGenPrefix + NameForGlobal, nullptr,
2676	NewGlobal->getThreadLocalMode());
2677
2678	// Set meaningful attributes for indicator symbol.
2679	ODRIndicatorSym->setVisibility(NewGlobal->getVisibility());
2680	ODRIndicatorSym->setDLLStorageClass(NewGlobal->getDLLStorageClass());
2681	ODRIndicatorSym->setAlignment(Align (`1`));
2682	ODRIndicator = ODRIndicatorSym;
2683	}
2684
2685	Constant *Initializer = ConstantStruct::get(
2686	T: GlobalStructTy,
2687	Vs: ConstantExpr::getPointerCast(C: InstrumentedGlobal, Ty: IntptrTy),
2688	Vs: ConstantInt::get(Ty: IntptrTy, V: SizeInBytes),
2689	Vs: ConstantInt::get(Ty: IntptrTy, V: SizeInBytes + RightRedzoneSize),
2690	Vs: ConstantExpr::getPointerCast(C: Name, Ty: IntptrTy),
2691	Vs: ConstantExpr::getPointerCast(C: getOrCreateModuleName(), Ty: IntptrTy),
2692	Vs: ConstantInt::get(Ty: IntptrTy, V: MD.IsDynInit),
2693	Vs: Constant::getNullValue(Ty: IntptrTy),
2694	Vs: ConstantExpr::getPointerCast(C: ODRIndicator, Ty: IntptrTy));
2695
2696	LLVM_DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n");
2697
2698	Initializers [i] = Initializer;
2699	}
2700
2701	// Add instrumented globals to llvm.compiler.used list to avoid LTO from
2702	// ConstantMerge'ing them.
2703	SmallVector<GlobalValue *, `16`> GlobalsToAddToUsedList;
2704	for (size_t i = `0`; i < n; i++) {
2705	GlobalVariable *G = NewGlobals [i];
2706	if (G->getName().empty()) continue;
2707	GlobalsToAddToUsedList.push_back(Elt: G);
2708	}
2709	appendToCompilerUsed(M, Values: ArrayRef<GlobalValue *>(GlobalsToAddToUsedList));
2710
2711	if (UseGlobalsGC && TargetTriple.isOSBinFormatELF()) {
2712	// Use COMDAT and register globals even if n == 0 to ensure that (a) the
2713	// linkage unit will only have one module constructor, and (b) the register
2714	// function will be called. The module destructor is not created when n ==
2715	// 0.
2716	CtorComdat = true*;
2717	instrumentGlobalsELF(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers, UniqueModuleId: getUniqueModuleId(M: &M));
2718	} else if (n == `0`) {
2719	// When UseGlobalsGC is false, COMDAT can still be used if n == 0, because
2720	// all compile units will have identical module constructor/destructor.
2721	*CtorComdat = TargetTriple.isOSBinFormatELF();
2722	} else {
2723	CtorComdat = false*;
2724	if (UseGlobalsGC && TargetTriple.isOSBinFormatCOFF()) {
2725	InstrumentGlobalsCOFF(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers);
2726	} else if (UseGlobalsGC && ShouldUseMachOGlobalsSection()) {
2727	InstrumentGlobalsMachO(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers);
2728	} else {
2729	InstrumentGlobalsWithMetadataArray(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers);
2730	}
2731	}
2732
2733	// Create calls for poisoning before initializers run and unpoisoning after.
2734	if (ClInitializers)
2735	createInitializerPoisonCalls();
2736
2737	LLVM_DEBUG(dbgs() << M);
2738	}
2739
2740	uint64_t
2741	ModuleAddressSanitizer::getRedzoneSizeForGlobal(uint64_t SizeInBytes) const {
2742	constexpr uint64_t kMaxRZ = `1` << `18`;
2743	const uint64_t MinRZ = getMinRedzoneSizeForGlobal();
2744
2745	uint64_t RZ = `0`;
2746	if (SizeInBytes <= MinRZ / `2`) {
2747	// Reduce redzone size for small size objects, e.g. int, char[1]. MinRZ is
2748	// at least 32 bytes, optimize when SizeInBytes is less than or equal to
2749	// half of MinRZ.
2750	RZ = MinRZ - SizeInBytes;
2751	} else {
2752	// Calculate RZ, where MinRZ <= RZ <= MaxRZ, and RZ ~ 1/4 SizeInBytes.*
2753	RZ = std::clamp(val: (SizeInBytes / MinRZ / `4`) * MinRZ, lo: MinRZ, hi: kMaxRZ);
2754
2755	// Round up to multiple of MinRZ.
2756	if (SizeInBytes % MinRZ)
2757	RZ += MinRZ - (SizeInBytes % MinRZ);
2758	}
2759
2760	assert((RZ + SizeInBytes) % MinRZ == `0`);
2761
2762	return RZ;
2763	}
2764
2765	int ModuleAddressSanitizer::GetAsanVersion() const {
2766	int LongSize = M.getDataLayout().getPointerSizeInBits();
2767	bool isAndroid = M.getTargetTriple().isAndroid();
2768	int Version = `8`;
2769	// 32-bit Android is one version ahead because of the switch to dynamic
2770	// shadow.
2771	Version += (LongSize == `32` && isAndroid);
2772	return Version;
2773	}
2774
2775	GlobalVariable *ModuleAddressSanitizer::getOrCreateModuleName() {
2776	if (!ModuleName) {
2777	// We shouldn't merge same module names, as this string serves as unique
2778	// module ID in runtime.
2779	ModuleName =
2780	createPrivateGlobalForString(M, Str: M.getModuleIdentifier(),
2781	/AllowMerging/ false, NamePrefix: genName(suffix: "module"));
2782	}
2783	return ModuleName;
2784	}
2785
2786	bool ModuleAddressSanitizer::instrumentModule() {
2787	initializeCallbacks();
2788
2789	for (Function &F : M)
2790	removeASanIncompatibleFnAttributes(F, /ReadsArgMem=/false);
2791
2792	// Create a module constructor. A destructor is created lazily because not all
2793	// platforms, and not all modules need it.
2794	if (ConstructorKind == AsanCtorKind::Global) {
2795	if (CompileKernel) {
2796	// The kernel always builds with its own runtime, and therefore does not
2797	// need the init and version check calls.
2798	AsanCtorFunction = createSanitizerCtor(M, CtorName: kAsanModuleCtorName);
2799	} else {
2800	std::string AsanVersion = std::to_string(val: GetAsanVersion());
2801	std::string VersionCheckName =
2802	InsertVersionCheck ? (kAsanVersionCheckNamePrefix + AsanVersion) : "";
2803	std::tie(args&: AsanCtorFunction, args: std::ignore) =
2804	createSanitizerCtorAndInitFunctions(
2805	M, CtorName: kAsanModuleCtorName, InitName: kAsanInitName, /InitArgTypes=/{},
2806	/InitArgs=/{}, VersionCheckName);
2807	}
2808	}
2809
2810	bool CtorComdat = true;
2811	if (ClGlobals) {
2812	assert(AsanCtorFunction \|\| ConstructorKind == AsanCtorKind::None);
2813	if (AsanCtorFunction) {
2814	IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator());
2815	instrumentGlobals(IRB, CtorComdat: &CtorComdat);
2816	} else {
2817	IRBuilder<> IRB(*C);
2818	instrumentGlobals(IRB, CtorComdat: &CtorComdat);
2819	}
2820	}
2821
2822	const uint64_t Priority = GetCtorAndDtorPriority(TargetTriple);
2823
2824	// Put the constructor and destructor in comdat if both
2825	// (1) global instrumentation is not TU-specific
2826	// (2) target is ELF.
2827	if (UseCtorComdat && TargetTriple.isOSBinFormatELF() && CtorComdat) {
2828	if (AsanCtorFunction) {
2829	AsanCtorFunction->setComdat(M.getOrInsertComdat(Name: kAsanModuleCtorName));
2830	appendToGlobalCtors(M, F: AsanCtorFunction, Priority, Data: AsanCtorFunction);
2831	}
2832	if (AsanDtorFunction) {
2833	AsanDtorFunction->setComdat(M.getOrInsertComdat(Name: kAsanModuleDtorName));
2834	appendToGlobalDtors(M, F: AsanDtorFunction, Priority, Data: AsanDtorFunction);
2835	}
2836	} else {
2837	if (AsanCtorFunction)
2838	appendToGlobalCtors(M, F: AsanCtorFunction, Priority);
2839	if (AsanDtorFunction)
2840	appendToGlobalDtors(M, F: AsanDtorFunction, Priority);
2841	}
2842
2843	return true;
2844	}
2845
2846	void AddressSanitizer::initializeCallbacks(const TargetLibraryInfo *TLI) {
2847	IRBuilder<> IRB(*C);
2848	// Create __asan_report callbacks.*
2849	// IsWrite, TypeSize and Exp are encoded in the function name.
2850	for (int Exp = `0`; Exp < `2`; Exp++) {
2851	for (size_t AccessIsWrite = `0`; AccessIsWrite <= `1`; AccessIsWrite++) {
2852	const std::string TypeStr = AccessIsWrite ? "store" : "load";
2853	const std::string ExpStr = Exp ? "exp_" : "";
2854	const std::string EndingStr = Recover ? "_noabort" : "";
2855
2856	SmallVector<Type *, `3`> Args2 = {IntptrTy, IntptrTy};
2857	SmallVector<Type *, `2`> Args1{`1`, IntptrTy};
2858	AttributeList AL2;
2859	AttributeList AL1;
2860	if (Exp) {
2861	Type ExpType = Type::getInt32Ty(C&: C);
2862	Args2.push_back(Elt: ExpType);
2863	Args1.push_back(Elt: ExpType);
2864	if (auto AK = TLI->getExtAttrForI32Param(Signed: false)) {
2865	AL2 = AL2.addParamAttribute(C&: *C, ArgNo: `2`, Kind: AK);
2866	AL1 = AL1.addParamAttribute(C&: *C, ArgNo: `1`, Kind: AK);
2867	}
2868	}
2869	AsanErrorCallbackSized[AccessIsWrite][Exp] = M.getOrInsertFunction(
2870	Name: kAsanReportErrorTemplate + ExpStr + TypeStr + "_n" + EndingStr,
2871	T: FunctionType::get(Result: IRB.getVoidTy(), Params: Args2, isVarArg: false), AttributeList: AL2);
2872
2873	AsanMemoryAccessCallbackSized[AccessIsWrite][Exp] = M.getOrInsertFunction(
2874	Name: ClMemoryAccessCallbackPrefix + ExpStr + TypeStr + "N" + EndingStr,
2875	T: FunctionType::get(Result: IRB.getVoidTy(), Params: Args2, isVarArg: false), AttributeList: AL2);
2876
2877	for (size_t AccessSizeIndex = `0`; AccessSizeIndex < kNumberOfAccessSizes;
2878	AccessSizeIndex++) {
2879	const std::string Suffix = TypeStr + itostr(X: `1ULL` << AccessSizeIndex);
2880	AsanErrorCallback[AccessIsWrite][Exp][AccessSizeIndex] =
2881	M.getOrInsertFunction(
2882	Name: kAsanReportErrorTemplate + ExpStr + Suffix + EndingStr,
2883	T: FunctionType::get(Result: IRB.getVoidTy(), Params: Args1, isVarArg: false), AttributeList: AL1);
2884
2885	AsanMemoryAccessCallback[AccessIsWrite][Exp][AccessSizeIndex] =
2886	M.getOrInsertFunction(
2887	Name: ClMemoryAccessCallbackPrefix + ExpStr + Suffix + EndingStr,
2888	T: FunctionType::get(Result: IRB.getVoidTy(), Params: Args1, isVarArg: false), AttributeList: AL1);
2889	}
2890	}
2891	}
2892
2893	const std::string MemIntrinCallbackPrefix =
2894	(CompileKernel && !ClKasanMemIntrinCallbackPrefix)
2895	? std::string ("")
2896	: ClMemoryAccessCallbackPrefix;
2897	AsanMemmove = M.getOrInsertFunction(Name: MemIntrinCallbackPrefix + "memmove",
2898	RetTy: PtrTy, Args: PtrTy, Args: PtrTy, Args: IntptrTy);
2899	AsanMemcpy = M.getOrInsertFunction(Name: MemIntrinCallbackPrefix + "memcpy", RetTy: PtrTy,
2900	Args: PtrTy, Args: PtrTy, Args: IntptrTy);
2901	AsanMemset = M.getOrInsertFunction(Name: MemIntrinCallbackPrefix + "memset",
2902	AttributeList: TLI->getAttrList(C, ArgNos: {`1`}, /Signed=/false),
2903	RetTy: PtrTy, Args: PtrTy, Args: IRB.getInt32Ty(), Args: IntptrTy);
2904
2905	AsanHandleNoReturnFunc =
2906	M.getOrInsertFunction(Name: kAsanHandleNoReturnName, RetTy: IRB.getVoidTy());
2907
2908	AsanPtrCmpFunction =
2909	M.getOrInsertFunction(Name: kAsanPtrCmp, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
2910	AsanPtrSubFunction =
2911	M.getOrInsertFunction(Name: kAsanPtrSub, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
2912	if (Mapping.InGlobal)
2913	AsanShadowGlobal = M.getOrInsertGlobal(Name: "__asan_shadow",
2914	Ty: ArrayType::get(ElementType: IRB.getInt8Ty(), NumElements: `0`));
2915
2916	AMDGPUAddressShared =
2917	M.getOrInsertFunction(Name: kAMDGPUAddressSharedName, RetTy: IRB.getInt1Ty(), Args: PtrTy);
2918	AMDGPUAddressPrivate =
2919	M.getOrInsertFunction(Name: kAMDGPUAddressPrivateName, RetTy: IRB.getInt1Ty(), Args: PtrTy);
2920	}
2921
2922	bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {
2923	// For each NSObject descendant having a +load method, this method is invoked
2924	// by the ObjC runtime before any of the static constructors is called.
2925	// Therefore we need to instrument such methods with a call to __asan_init
2926	// at the beginning in order to initialize our runtime before any access to
2927	// the shadow memory.
2928	// We cannot just ignore these methods, because they may call other
2929	// instrumented functions.
2930	if (F.getName().contains(Other: " load]")) {
2931	FunctionCallee AsanInitFunction =
2932	declareSanitizerInitFunction(M&: *F.getParent(), InitName: kAsanInitName, InitArgTypes: {});
2933	IRBuilder<> IRB(&F.front(), F.front().begin());
2934	IRB.CreateCall(Callee: AsanInitFunction, Args: {});
2935	return true;
2936	}
2937	return false;
2938	}
2939
2940	bool AddressSanitizer::maybeInsertDynamicShadowAtFunctionEntry(Function &F) {
2941	// Generate code only when dynamic addressing is needed.
2942	if (Mapping.Offset != kDynamicShadowSentinel)
2943	return false;
2944
2945	IRBuilder<> IRB(&F.front().front());
2946	if (Mapping.InGlobal) {
2947	if (ClWithIfuncSuppressRemat) {
2948	// An empty inline asm with input reg == output reg.
2949	// An opaque pointer-to-int cast, basically.
2950	InlineAsm *Asm = InlineAsm::get(
2951	Ty: FunctionType::get(Result: IntptrTy, Params: {AsanShadowGlobal->getType()}, isVarArg: false),
2952	AsmString: StringRef (""), Constraints: StringRef ("=r,0"),
2953	/hasSideEffects=/false);
2954	LocalDynamicShadow =
2955	IRB.CreateCall(Callee: Asm, Args: {AsanShadowGlobal}, Name: ".asan.shadow");
2956	} else {
2957	LocalDynamicShadow =
2958	IRB.CreatePointerCast(V: AsanShadowGlobal, DestTy: IntptrTy, Name: ".asan.shadow");
2959	}
2960	} else {
2961	Value *GlobalDynamicAddress = F.getParent()->getOrInsertGlobal(
2962	Name: kAsanShadowMemoryDynamicAddress, Ty: IntptrTy);
2963	LocalDynamicShadow = IRB.CreateLoad(Ty: IntptrTy, Ptr: GlobalDynamicAddress);
2964	}
2965	return true;
2966	}
2967
2968	void AddressSanitizer::markEscapedLocalAllocas(Function &F) {
2969	// Find the one possible call to llvm.localescape and pre-mark allocas passed
2970	// to it as uninteresting. This assumes we haven't started processing allocas
2971	// yet. This check is done up front because iterating the use list in
2972	// isInterestingAlloca would be algorithmically slower.
2973	assert(ProcessedAllocas.empty() && "must process localescape before allocas");
2974
2975	// Try to get the declaration of llvm.localescape. If it's not in the module,
2976	// we can exit early.
2977	if (!F.getParent()->getFunction(Name: "llvm.localescape")) return;
2978
2979	// Look for a call to llvm.localescape call in the entry block. It can't be in
2980	// any other block.
2981	for (Instruction &I : F.getEntryBlock()) {
2982	IntrinsicInst *II = dyn_cast<IntrinsicInst>(Val: &I);
2983	if (II && II->getIntrinsicID() == Intrinsic::localescape) {
2984	// We found a call. Mark all the allocas passed in as uninteresting.
2985	for (Value *Arg : II->args()) {
2986	AllocaInst *AI = dyn_cast<AllocaInst>(Val: Arg->stripPointerCasts());
2987	assert(AI && AI->isStaticAlloca() &&
2988	"non-static alloca arg to localescape");
2989	ProcessedAllocas [AI] = false;
2990	}
2991	break;
2992	}
2993	}
2994	}
2995
2996	bool AddressSanitizer::suppressInstrumentationSiteForDebug(int &Instrumented) {
2997	bool ShouldInstrument =
2998	ClDebugMin < `0` \|\| ClDebugMax < `0` \|\|
2999	(Instrumented >= ClDebugMin && Instrumented <= ClDebugMax);
3000	Instrumented++;
3001	return !ShouldInstrument;
3002	}
3003
3004	bool AddressSanitizer::instrumentFunction(Function &F,
3005	const TargetLibraryInfo *TLI) {
3006	bool FunctionModified = false;
3007
3008	// Do not apply any instrumentation for naked functions.
3009	if (F.hasFnAttribute(Kind: Attribute::Naked))
3010	return FunctionModified;
3011
3012	// If needed, insert __asan_init before checking for SanitizeAddress attr.
3013	// This function needs to be called even if the function body is not
3014	// instrumented.
3015	if (maybeInsertAsanInitAtFunctionEntry(F))
3016	FunctionModified = true;
3017
3018	// Leave if the function doesn't need instrumentation.
3019	if (!F.hasFnAttribute(Kind: Attribute::SanitizeAddress)) return FunctionModified;
3020
3021	if (F.hasFnAttribute(Kind: Attribute::DisableSanitizerInstrumentation))
3022	return FunctionModified;
3023
3024	LLVM_DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
3025
3026	initializeCallbacks(TLI);
3027
3028	FunctionStateRAII CleanupObj(this);
3029
3030	RuntimeCallInserter RTCI(F);
3031
3032	FunctionModified \|= maybeInsertDynamicShadowAtFunctionEntry(F);
3033
3034	// We can't instrument allocas used with llvm.localescape. Only static allocas
3035	// can be passed to that intrinsic.
3036	markEscapedLocalAllocas(F);
3037
3038	// We want to instrument every address only once per basic block (unless there
3039	// are calls between uses).
3040	SmallPtrSet<Value *, `16`> TempsToInstrument;
3041	SmallVector<InterestingMemoryOperand, `16`> OperandsToInstrument;
3042	SmallVector<MemIntrinsic *, `16`> IntrinToInstrument;
3043	SmallVector<Instruction *, `8`> NoReturnCalls;
3044	SmallVector<BasicBlock *, `16`> AllBlocks;
3045	SmallVector<Instruction *, `16`> PointerComparisonsOrSubtracts;
3046
3047	// Fill the set of memory operations to instrument.
3048	for (auto &BB : F) {
3049	AllBlocks.push_back(Elt: &BB);
3050	TempsToInstrument.clear();
3051	int NumInsnsPerBB = `0`;
3052	for (auto &Inst : BB) {
3053	if (LooksLikeCodeInBug11395(I: &Inst)) return false;
3054	// Skip instructions inserted by another instrumentation.
3055	if (Inst.hasMetadata(KindID: LLVMContext::MD_nosanitize))
3056	continue;
3057	SmallVector<InterestingMemoryOperand, `1`> InterestingOperands;
3058	getInterestingMemoryOperands(I: &Inst, Interesting&: InterestingOperands);
3059
3060	if (!InterestingOperands.empty()) {
3061	for (auto &Operand : InterestingOperands) {
3062	if (ClOpt && ClOptSameTemp) {
3063	Value *Ptr = Operand.getPtr();
3064	// If we have a mask, skip instrumentation if we've already
3065	// instrumented the full object. But don't add to TempsToInstrument
3066	// because we might get another load/store with a different mask.
3067	if (Operand.MaybeMask) {
3068	if (TempsToInstrument.count(Ptr))
3069	continue; // We've seen this (whole) temp in the current BB.
3070	} else {
3071	if (!TempsToInstrument.insert(Ptr).second)
3072	continue; // We've seen this temp in the current BB.
3073	}
3074	}
3075	OperandsToInstrument.push_back(Elt: Operand);
3076	NumInsnsPerBB++;
3077	}
3078	} else if (((ClInvalidPointerPairs \|\| ClInvalidPointerCmp) &&
3079	isInterestingPointerComparison(I: &Inst)) \|\|
3080	((ClInvalidPointerPairs \|\| ClInvalidPointerSub) &&
3081	isInterestingPointerSubtraction(I: &Inst))) {
3082	PointerComparisonsOrSubtracts.push_back(Elt: &Inst);
3083	} else if (MemIntrinsic *MI = dyn_cast<MemIntrinsic>(Val: &Inst)) {
3084	// ok, take it.
3085	IntrinToInstrument.push_back(Elt: MI);
3086	NumInsnsPerBB++;
3087	} else {
3088	if (auto *CB = dyn_cast<CallBase>(Val: &Inst)) {
3089	// A call inside BB.
3090	TempsToInstrument.clear();
3091	if (CB->doesNotReturn())
3092	NoReturnCalls.push_back(Elt: CB);
3093	}
3094	if (CallInst *CI = dyn_cast<CallInst>(Val: &Inst))
3095	maybeMarkSanitizerLibraryCallNoBuiltin(CI, TLI);
3096	}
3097	if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break;
3098	}
3099	}
3100
3101	bool UseCalls = (InstrumentationWithCallsThreshold >= `0` &&
3102	OperandsToInstrument.size() + IntrinToInstrument.size() >
3103	(unsigned)InstrumentationWithCallsThreshold);
3104	const DataLayout &DL = F.getDataLayout();
3105	ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext());
3106
3107	// Instrument.
3108	int NumInstrumented = `0`;
3109	for (auto &Operand : OperandsToInstrument) {
3110	if (!suppressInstrumentationSiteForDebug(Instrumented&: NumInstrumented))
3111	instrumentMop(ObjSizeVis, O&: Operand, UseCalls,
3112	DL: F.getDataLayout(), RTCI);
3113	FunctionModified = true;
3114	}
3115	for (auto *Inst : IntrinToInstrument) {
3116	if (!suppressInstrumentationSiteForDebug(Instrumented&: NumInstrumented))
3117	instrumentMemIntrinsic(MI: Inst, RTCI);
3118	FunctionModified = true;
3119	}
3120
3121	FunctionStackPoisoner FSP(F, *this, RTCI);
3122	bool ChangedStack = FSP.runOnFunction();
3123
3124	// We must unpoison the stack before NoReturn calls (throw, _exit, etc).
3125	// See e.g. https://github.com/google/sanitizers/issues/37
3126	for (auto *CI : NoReturnCalls) {
3127	IRBuilder<> IRB(CI);
3128	RTCI.createRuntimeCall(IRB, Callee: AsanHandleNoReturnFunc, Args: {});
3129	}
3130
3131	for (auto *Inst : PointerComparisonsOrSubtracts) {
3132	instrumentPointerComparisonOrSubtraction(I: Inst, RTCI);
3133	FunctionModified = true;
3134	}
3135
3136	if (ChangedStack \|\| !NoReturnCalls.empty())
3137	FunctionModified = true;
3138
3139	LLVM_DEBUG(dbgs() << "ASAN done instrumenting: " << FunctionModified << " "
3140	<< F << "\n");
3141
3142	return FunctionModified;
3143	}
3144
3145	// Workaround for bug 11395: we don't want to instrument stack in functions
3146	// with large assembly blobs (32-bit only), otherwise reg alloc may crash.
3147	// FIXME: remove once the bug 11395 is fixed.
3148	bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
3149	if (LongSize != `32`) return false;
3150	CallInst *CI = dyn_cast<CallInst>(Val: I);
3151	if (!CI \|\| !CI->isInlineAsm()) return false;
3152	if (CI->arg_size() <= `5`)
3153	return false;
3154	// We have inline assembly with quite a few arguments.
3155	return true;
3156	}
3157
3158	void FunctionStackPoisoner::initializeCallbacks(Module &M) {
3159	IRBuilder<> IRB(*C);
3160	if (ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Always \|\|
3161	ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Runtime) {
3162	const char *MallocNameTemplate =
3163	ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Always
3164	? kAsanStackMallocAlwaysNameTemplate
3165	: kAsanStackMallocNameTemplate;
3166	for (int Index = `0`; Index <= kMaxAsanStackMallocSizeClass; Index++) {
3167	std::string Suffix = itostr(X: Index);
3168	AsanStackMallocFunc[Index] = M.getOrInsertFunction(
3169	Name: MallocNameTemplate + Suffix, RetTy: IntptrTy, Args: IntptrTy);
3170	AsanStackFreeFunc[Index] =
3171	M.getOrInsertFunction(Name: kAsanStackFreeNameTemplate + Suffix,
3172	RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
3173	}
3174	}
3175	if (ASan.UseAfterScope) {
3176	AsanPoisonStackMemoryFunc = M.getOrInsertFunction(
3177	Name: kAsanPoisonStackMemoryName, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
3178	AsanUnpoisonStackMemoryFunc = M.getOrInsertFunction(
3179	Name: kAsanUnpoisonStackMemoryName, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
3180	}
3181
3182	for (size_t Val : {`0x00`, `0x01`, `0x02`, `0x03`, `0x04`, `0x05`, `0x06`, `0x07`, `0xf1`, `0xf2`,
3183	`0xf3`, `0xf5`, `0xf8`}) {
3184	std::ostringstream Name;
3185	Name << kAsanSetShadowPrefix;
3186	Name << std::setw(`2`) << std::setfill(`'0'`) << std::hex << Val;
3187	AsanSetShadowFunc[Val] =
3188	M.getOrInsertFunction(Name: Name.str(), RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
3189	}
3190
3191	AsanAllocaPoisonFunc = M.getOrInsertFunction(
3192	Name: kAsanAllocaPoison, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
3193	AsanAllocasUnpoisonFunc = M.getOrInsertFunction(
3194	Name: kAsanAllocasUnpoison, RetTy: IRB.getVoidTy(), Args: IntptrTy, Args: IntptrTy);
3195	}
3196
3197	void FunctionStackPoisoner::copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
3198	ArrayRef<uint8_t> ShadowBytes,
3199	size_t Begin, size_t End,
3200	IRBuilder<> &IRB,
3201	Value *ShadowBase) {
3202	if (Begin >= End)
3203	return;
3204
3205	const size_t LargestStoreSizeInBytes =
3206	std::min<size_t>(a: sizeof(uint64_t), b: ASan.LongSize / `8`);
3207
3208	const bool IsLittleEndian = F.getDataLayout().isLittleEndian();
3209
3210	// Poison given range in shadow using larges store size with out leading and
3211	// trailing zeros in ShadowMask. Zeros never change, so they need neither
3212	// poisoning nor up-poisoning. Still we don't mind if some of them get into a
3213	// middle of a store.
3214	for (size_t i = Begin; i < End;) {
3215	if (!ShadowMask [i]) {
3216	assert(!ShadowBytes[i]);
3217	++i;
3218	continue;
3219	}
3220
3221	size_t StoreSizeInBytes = LargestStoreSizeInBytes;
3222	// Fit store size into the range.
3223	while (StoreSizeInBytes > End - i)
3224	StoreSizeInBytes /= `2`;
3225
3226	// Minimize store size by trimming trailing zeros.
3227	for (size_t j = StoreSizeInBytes - `1`; j && !ShadowMask [i + j]; --j) {
3228	while (j <= StoreSizeInBytes / `2`)
3229	StoreSizeInBytes /= `2`;
3230	}
3231
3232	uint64_t Val = `0`;
3233	for (size_t j = `0`; j < StoreSizeInBytes; j++) {
3234	if (IsLittleEndian)
3235	Val \|= (uint64_t)ShadowBytes [i + j] << (`8` * j);
3236	else
3237	Val = (Val << `8`) \| ShadowBytes [i + j];
3238	}
3239
3240	Value *Ptr = IRB.CreateAdd(LHS: ShadowBase, RHS: ConstantInt::get(Ty: IntptrTy, V: i));
3241	Value Poison = IRB.getIntN(N: StoreSizeInBytes `8`, C: Val);
3242	IRB.CreateAlignedStore(
3243	Val: Poison, Ptr: IRB.CreateIntToPtr(V: Ptr, DestTy: PointerType::getUnqual(C&: Poison->getContext())),
3244	Align: Align (`1`));
3245
3246	i += StoreSizeInBytes;
3247	}
3248	}
3249
3250	void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask,
3251	ArrayRef<uint8_t> ShadowBytes,
3252	IRBuilder<> &IRB, Value *ShadowBase) {
3253	copyToShadow(ShadowMask, ShadowBytes, Begin: `0`, End: ShadowMask.size(), IRB, ShadowBase);
3254	}
3255
3256	void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask,
3257	ArrayRef<uint8_t> ShadowBytes,
3258	size_t Begin, size_t End,
3259	IRBuilder<> &IRB, Value *ShadowBase) {
3260	assert(ShadowMask.size() == ShadowBytes.size());
3261	size_t Done = Begin;
3262	for (size_t i = Begin, j = Begin + `1`; i < End; i = j++) {
3263	if (!ShadowMask [i]) {
3264	assert(!ShadowBytes[i]);
3265	continue;
3266	}
3267	uint8_t Val = ShadowBytes [i];
3268	if (!AsanSetShadowFunc[Val])
3269	continue;
3270
3271	// Skip same values.
3272	for (; j < End && ShadowMask [j] && Val == ShadowBytes [j]; ++j) {
3273	}
3274
3275	if (j - i >= ASan.MaxInlinePoisoningSize) {
3276	copyToShadowInline(ShadowMask, ShadowBytes, Begin: Done, End: i, IRB, ShadowBase);
3277	RTCI.createRuntimeCall(
3278	IRB, Callee: AsanSetShadowFunc[Val],
3279	Args: {IRB.CreateAdd(LHS: ShadowBase, RHS: ConstantInt::get(Ty: IntptrTy, V: i)),
3280	ConstantInt::get(Ty: IntptrTy, V: j - i)});
3281	Done = j;
3282	}
3283	}
3284
3285	copyToShadowInline(ShadowMask, ShadowBytes, Begin: Done, End, IRB, ShadowBase);
3286	}
3287
3288	// Fake stack allocator (asan_fake_stack.h) has 11 size classes
3289	// for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass
3290	static int StackMallocSizeClass(uint64_t LocalStackSize) {
3291	assert(LocalStackSize <= kMaxStackMallocSize);
3292	uint64_t MaxSize = kMinStackMallocSize;
3293	for (int i = `0`;; i++, MaxSize *= `2`)
3294	if (LocalStackSize <= MaxSize) return i;
3295	llvm_unreachable("impossible LocalStackSize");
3296	}
3297
3298	void FunctionStackPoisoner::copyArgsPassedByValToAllocas() {
3299	Instruction *CopyInsertPoint = &F.front().front();
3300	if (CopyInsertPoint == ASan.LocalDynamicShadow) {
3301	// Insert after the dynamic shadow location is determined
3302	CopyInsertPoint = CopyInsertPoint->getNextNode();
3303	assert(CopyInsertPoint);
3304	}
3305	IRBuilder<> IRB(CopyInsertPoint);
3306	const DataLayout &DL = F.getDataLayout();
3307	for (Argument &Arg : F.args()) {
3308	if (Arg.hasByValAttr()) {
3309	Type *Ty = Arg.getParamByValType();
3310	const Align Alignment =
3311	DL.getValueOrABITypeAlignment(Alignment: Arg.getParamAlign(), Ty);
3312
3313	AllocaInst *AI = IRB.CreateAlloca(
3314	Ty, ArraySize: nullptr,
3315	Name: (Arg.hasName() ? Arg.getName() : "Arg" + Twine (Arg.getArgNo())) +
3316	".byval");
3317	AI->setAlignment(Alignment);
3318	Arg.replaceAllUsesWith(V: AI);
3319
3320	uint64_t AllocSize = DL.getTypeAllocSize(Ty);
3321	IRB.CreateMemCpy(Dst: AI, DstAlign: Alignment, Src: &Arg, SrcAlign: Alignment, Size: AllocSize);
3322	}
3323	}
3324	}
3325
3326	PHINode FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value Cond,
3327	Value *ValueIfTrue,
3328	Instruction *ThenTerm,
3329	Value *ValueIfFalse) {
3330	PHINode *PHI = IRB.CreatePHI(Ty: IntptrTy, NumReservedValues: `2`);
3331	BasicBlock *CondBlock = cast<Instruction>(Val: Cond)->getParent();
3332	PHI->addIncoming(V: ValueIfFalse, BB: CondBlock);
3333	BasicBlock *ThenBlock = ThenTerm->getParent();
3334	PHI->addIncoming(V: ValueIfTrue, BB: ThenBlock);
3335	return PHI;
3336	}
3337
3338	Value *FunctionStackPoisoner::createAllocaForLayout(
3339	IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) {
3340	AllocaInst *Alloca;
3341	if (Dynamic) {
3342	Alloca = IRB.CreateAlloca(Ty: IRB.getInt8Ty(),
3343	ArraySize: ConstantInt::get(Ty: IRB.getInt64Ty(), V: L.FrameSize),
3344	Name: "MyAlloca");
3345	} else {
3346	Alloca = IRB.CreateAlloca(Ty: ArrayType::get(ElementType: IRB.getInt8Ty(), NumElements: L.FrameSize),
3347	ArraySize: nullptr, Name: "MyAlloca");
3348	assert(Alloca->isStaticAlloca());
3349	}
3350	assert((ClRealignStack & (ClRealignStack - `1`)) == `0`);
3351	uint64_t FrameAlignment = std::max(a: L.FrameAlignment, b: uint64_t(ClRealignStack));
3352	Alloca->setAlignment(Align (FrameAlignment));
3353	return IRB.CreatePointerCast(V: Alloca, DestTy: IntptrTy);
3354	}
3355
3356	void FunctionStackPoisoner::createDynamicAllocasInitStorage() {
3357	BasicBlock &FirstBB = *F.begin();
3358	IRBuilder<> IRB(dyn_cast<Instruction>(Val: FirstBB.begin()));
3359	DynamicAllocaLayout = IRB.CreateAlloca(Ty: IntptrTy, ArraySize: nullptr);
3360	IRB.CreateStore(Val: Constant::getNullValue(Ty: IntptrTy), Ptr: DynamicAllocaLayout);
3361	DynamicAllocaLayout->setAlignment(Align (`32`));
3362	}
3363
3364	void FunctionStackPoisoner::processDynamicAllocas() {
3365	if (!ClInstrumentDynamicAllocas \|\| DynamicAllocaVec.empty()) {
3366	assert(DynamicAllocaPoisonCallVec.empty());
3367	return;
3368	}
3369
3370	// Insert poison calls for lifetime intrinsics for dynamic allocas.
3371	for (const auto &APC : DynamicAllocaPoisonCallVec) {
3372	assert(APC.InsBefore);
3373	assert(APC.AI);
3374	assert(ASan.isInterestingAlloca(*APC.AI));
3375	assert(!APC.AI->isStaticAlloca());
3376
3377	IRBuilder<> IRB(APC.InsBefore);
3378	poisonAlloca(V: APC.AI, Size: APC.Size, IRB, DoPoison: APC.DoPoison);
3379	// Dynamic allocas will be unpoisoned unconditionally below in
3380	// unpoisonDynamicAllocas.
3381	// Flag that we need unpoison static allocas.
3382	}
3383
3384	// Handle dynamic allocas.
3385	createDynamicAllocasInitStorage();
3386	for (auto &AI : DynamicAllocaVec)
3387	handleDynamicAllocaCall(AI);
3388	unpoisonDynamicAllocas();
3389	}
3390
3391	/// Collect instructions in the entry block after \p InsBefore which initialize
3392	/// permanent storage for a function argument. These instructions must remain in
3393	/// the entry block so that uninitialized values do not appear in backtraces. An
3394	/// added benefit is that this conserves spill slots. This does not move stores
3395	/// before instrumented / "interesting" allocas.
3396	static void findStoresToUninstrumentedArgAllocas(
3397	AddressSanitizer &ASan, Instruction &InsBefore,
3398	SmallVectorImpl<Instruction *> &InitInsts) {
3399	Instruction *Start = InsBefore.getNextNonDebugInstruction();
3400	for (Instruction *It = Start; It; It = It->getNextNonDebugInstruction()) {
3401	// Argument initialization looks like:
3402	// 1) store <Argument>, <Alloca> OR
3403	// 2) <CastArgument> = cast <Argument> to ...
3404	// store <CastArgument> to <Alloca>
3405	// Do not consider any other kind of instruction.
3406	//
3407	// Note: This covers all known cases, but may not be exhaustive. An
3408	// alternative to pattern-matching stores is to DFS over all Argument uses:
3409	// this might be more general, but is probably much more complicated.
3410	if (isa<AllocaInst>(Val: It) \|\| isa<CastInst>(Val: It))
3411	continue;
3412	if (auto *Store = dyn_cast<StoreInst>(Val: It)) {
3413	// The store destination must be an alloca that isn't interesting for
3414	// ASan to instrument. These are moved up before InsBefore, and they're
3415	// not interesting because allocas for arguments can be mem2reg'd.
3416	auto *Alloca = dyn_cast<AllocaInst>(Val: Store->getPointerOperand());
3417	if (!Alloca \|\| ASan.isInterestingAlloca(AI: *Alloca))
3418	continue;
3419
3420	Value *Val = Store->getValueOperand();
3421	bool IsDirectArgInit = isa<Argument>(Val);
3422	bool IsArgInitViaCast =
3423	isa<CastInst>(Val) &&
3424	isa<Argument>(Val: cast<CastInst>(Val)->getOperand(i_nocapture: `0`)) &&
3425	// Check that the cast appears directly before the store. Otherwise
3426	// moving the cast before InsBefore may break the IR.
3427	Val == It->getPrevNonDebugInstruction();
3428	bool IsArgInit = IsDirectArgInit \|\| IsArgInitViaCast;
3429	if (!IsArgInit)
3430	continue;
3431
3432	if (IsArgInitViaCast)
3433	InitInsts.push_back(Elt: cast<Instruction>(Val));
3434	InitInsts.push_back(Elt: Store);
3435	continue;
3436	}
3437
3438	// Do not reorder past unknown instructions: argument initialization should
3439	// only involve casts and stores.
3440	return;
3441	}
3442	}
3443
3444	static StringRef getAllocaName(AllocaInst *AI) {
3445	// Alloca could have been renamed for uniqueness. Its true name will have been
3446	// recorded as an annotation.
3447	if (AI->hasMetadata(KindID: LLVMContext::MD_annotation)) {
3448	MDTuple *AllocaAnnotations =
3449	cast<MDTuple>(Val: AI->getMetadata(KindID: LLVMContext::MD_annotation));
3450	for (auto &Annotation : AllocaAnnotations->operands()) {
3451	if (!isa<MDTuple>(Val: Annotation))
3452	continue;
3453	auto AnnotationTuple = cast<MDTuple>(Val: Annotation);
3454	for (unsigned Index = `0`; Index < AnnotationTuple->getNumOperands();
3455	Index++) {
3456	// All annotations are strings
3457	auto MetadataString =
3458	cast<MDString>(Val: AnnotationTuple->getOperand(I: Index));
3459	if (MetadataString->getString() == "alloca_name_altered")
3460	return cast<MDString>(Val: AnnotationTuple->getOperand(I: Index + `1`))
3461	->getString();
3462	}
3463	}
3464	}
3465	return AI->getName();
3466	}
3467
3468	void FunctionStackPoisoner::processStaticAllocas() {
3469	if (AllocaVec.empty()) {
3470	assert(StaticAllocaPoisonCallVec.empty());
3471	return;
3472	}
3473
3474	int StackMallocIdx = -`1`;
3475	DebugLoc EntryDebugLocation;
3476	if (auto SP = F.getSubprogram())
3477	EntryDebugLocation =
3478	DILocation::get(Context&: SP->getContext(), Line: SP->getScopeLine(), Column: `0`, Scope: SP);
3479
3480	Instruction *InsBefore = AllocaVec [`0`];
3481	IRBuilder<> IRB(InsBefore);
3482
3483	// Make sure non-instrumented allocas stay in the entry block. Otherwise,
3484	// debug info is broken, because only entry-block allocas are treated as
3485	// regular stack slots.
3486	auto InsBeforeB = InsBefore->getParent();
3487	assert(InsBeforeB == &F.getEntryBlock());
3488	for (auto *AI : StaticAllocasToMoveUp)
3489	if (AI->getParent() == InsBeforeB)
3490	AI->moveBefore(InsertPos: InsBefore->getIterator());
3491
3492	// Move stores of arguments into entry-block allocas as well. This prevents
3493	// extra stack slots from being generated (to house the argument values until
3494	// they can be stored into the allocas). This also prevents uninitialized
3495	// values from being shown in backtraces.
3496	SmallVector<Instruction *, `8`> ArgInitInsts;
3497	findStoresToUninstrumentedArgAllocas(ASan, InsBefore&: *InsBefore, InitInsts&: ArgInitInsts);
3498	for (Instruction *ArgInitInst : ArgInitInsts)
3499	ArgInitInst->moveBefore(InsertPos: InsBefore->getIterator());
3500
3501	// If we have a call to llvm.localescape, keep it in the entry block.
3502	if (LocalEscapeCall)
3503	LocalEscapeCall->moveBefore(InsertPos: InsBefore->getIterator());
3504
3505	SmallVector<ASanStackVariableDescription, `16`> SVD;
3506	SVD.reserve(N: AllocaVec.size());
3507	for (AllocaInst *AI : AllocaVec) {
3508	StringRef Name = getAllocaName(AI);
3509	ASanStackVariableDescription D = {.Name: Name.data(),
3510	.Size: ASan.getAllocaSizeInBytes(AI: *AI),
3511	.LifetimeSize: `0`,
3512	.Alignment: AI->getAlign().value(),
3513	.AI: AI,
3514	.Offset: `0`,
3515	.Line: `0`};
3516	SVD.push_back(Elt: D);
3517	}
3518
3519	// Minimal header size (left redzone) is 4 pointers,
3520	// i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms.
3521	uint64_t Granularity = `1ULL` << Mapping.Scale;
3522	uint64_t MinHeaderSize = std::max(a: (uint64_t)ASan.LongSize / `2`, b: Granularity);
3523	const ASanStackFrameLayout &L =
3524	ComputeASanStackFrameLayout(Vars&: SVD, Granularity, MinHeaderSize);
3525
3526	// Build AllocaToSVDMap for ASanStackVariableDescription lookup.
3527	DenseMap<const AllocaInst , ASanStackVariableDescription > AllocaToSVDMap;
3528	for (auto &Desc : SVD)
3529	AllocaToSVDMap [Desc.AI] = &Desc;
3530
3531	// Update SVD with information from lifetime intrinsics.
3532	for (const auto &APC : StaticAllocaPoisonCallVec) {
3533	assert(APC.InsBefore);
3534	assert(APC.AI);
3535	assert(ASan.isInterestingAlloca(*APC.AI));
3536	assert(APC.AI->isStaticAlloca());
3537
3538	ASanStackVariableDescription &Desc = *AllocaToSVDMap [APC.AI];
3539	Desc.LifetimeSize = Desc.Size;
3540	if (const DILocation *FnLoc = EntryDebugLocation.get()) {
3541	if (const DILocation *LifetimeLoc = APC.InsBefore->getDebugLoc().get()) {
3542	if (LifetimeLoc->getFile() == FnLoc->getFile())
3543	if (unsigned Line = LifetimeLoc->getLine())
3544	Desc.Line = std::min(a: Desc.Line ? Desc.Line : Line, b: Line);
3545	}
3546	}
3547	}
3548
3549	auto DescriptionString = ComputeASanStackFrameDescription(Vars: SVD);
3550	LLVM_DEBUG(dbgs() << DescriptionString << " --- " << L.FrameSize << "\n");
3551	uint64_t LocalStackSize = L.FrameSize;
3552	bool DoStackMalloc =
3553	ASan.UseAfterReturn != AsanDetectStackUseAfterReturnMode::Never &&
3554	!ASan.CompileKernel && LocalStackSize <= kMaxStackMallocSize;
3555	bool DoDynamicAlloca = ClDynamicAllocaStack;
3556	// Don't do dynamic alloca or stack malloc if:
3557	// 1) There is inline asm: too often it makes assumptions on which registers
3558	// are available.
3559	// 2) There is a returns_twice call (typically setjmp), which is
3560	// optimization-hostile, and doesn't play well with introduced indirect
3561	// register-relative calculation of local variable addresses.
3562	DoDynamicAlloca &= !HasInlineAsm && !HasReturnsTwiceCall;
3563	DoStackMalloc &= !HasInlineAsm && !HasReturnsTwiceCall;
3564
3565	Value *StaticAlloca =
3566	DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, Dynamic: false);
3567
3568	Value *FakeStack;
3569	Value *LocalStackBase;
3570	Value *LocalStackBaseAlloca;
3571	uint8_t DIExprFlags = DIExpression::ApplyOffset;
3572
3573	if (DoStackMalloc) {
3574	LocalStackBaseAlloca =
3575	IRB.CreateAlloca(Ty: IntptrTy, ArraySize: nullptr, Name: "asan_local_stack_base");
3576	if (ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Runtime) {
3577	// void FakeStack = __asan_option_detect_stack_use_after_return*
3578	// ? __asan_stack_malloc_N(LocalStackSize)
3579	// : nullptr;
3580	// void LocalStackBase = (FakeStack) ? FakeStack :*
3581	// alloca(LocalStackSize);
3582	Constant *OptionDetectUseAfterReturn = F.getParent()->getOrInsertGlobal(
3583	Name: kAsanOptionDetectUseAfterReturn, Ty: IRB.getInt32Ty());
3584	Value *UseAfterReturnIsEnabled = IRB.CreateICmpNE(
3585	LHS: IRB.CreateLoad(Ty: IRB.getInt32Ty(), Ptr: OptionDetectUseAfterReturn),
3586	RHS: Constant::getNullValue(Ty: IRB.getInt32Ty()));
3587	Instruction *Term =
3588	SplitBlockAndInsertIfThen(Cond: UseAfterReturnIsEnabled, SplitBefore: InsBefore, Unreachable: false);
3589	IRBuilder<> IRBIf(Term);
3590	StackMallocIdx = StackMallocSizeClass(LocalStackSize);
3591	assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass);
3592	Value *FakeStackValue =
3593	RTCI.createRuntimeCall(IRB&: IRBIf, Callee: AsanStackMallocFunc[StackMallocIdx],
3594	Args: ConstantInt::get(Ty: IntptrTy, V: LocalStackSize));
3595	IRB.SetInsertPoint(InsBefore);
3596	FakeStack = createPHI(IRB, Cond: UseAfterReturnIsEnabled, ValueIfTrue: FakeStackValue, ThenTerm: Term,
3597	ValueIfFalse: ConstantInt::get(Ty: IntptrTy, V: `0`));
3598	} else {
3599	// assert(ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode:Always)
3600	// void FakeStack = __asan_stack_malloc_N(LocalStackSize);*
3601	// void LocalStackBase = (FakeStack) ? FakeStack :*
3602	// alloca(LocalStackSize);
3603	StackMallocIdx = StackMallocSizeClass(LocalStackSize);
3604	FakeStack =
3605	RTCI.createRuntimeCall(IRB, Callee: AsanStackMallocFunc[StackMallocIdx],
3606	Args: ConstantInt::get(Ty: IntptrTy, V: LocalStackSize));
3607	}
3608	Value *NoFakeStack =
3609	IRB.CreateICmpEQ(LHS: FakeStack, RHS: Constant::getNullValue(Ty: IntptrTy));
3610	Instruction *Term =
3611	SplitBlockAndInsertIfThen(Cond: NoFakeStack, SplitBefore: InsBefore, Unreachable: false);
3612	IRBuilder<> IRBIf(Term);
3613	Value *AllocaValue =
3614	DoDynamicAlloca ? createAllocaForLayout(IRB&: IRBIf, L, Dynamic: true) : StaticAlloca;
3615
3616	IRB.SetInsertPoint(InsBefore);
3617	LocalStackBase = createPHI(IRB, Cond: NoFakeStack, ValueIfTrue: AllocaValue, ThenTerm: Term, ValueIfFalse: FakeStack);
3618	IRB.CreateStore(Val: LocalStackBase, Ptr: LocalStackBaseAlloca);
3619	DIExprFlags \|= DIExpression::DerefBefore;
3620	} else {
3621	// void FakeStack = nullptr;*
3622	// void LocalStackBase = alloca(LocalStackSize);*
3623	FakeStack = ConstantInt::get(Ty: IntptrTy, V: `0`);
3624	LocalStackBase =
3625	DoDynamicAlloca ? createAllocaForLayout(IRB, L, Dynamic: true) : StaticAlloca;
3626	LocalStackBaseAlloca = LocalStackBase;
3627	}
3628
3629	// It shouldn't matter whether we pass an `alloca` or a `ptrtoint` as the
3630	// dbg.declare address opereand, but passing a `ptrtoint` seems to confuse
3631	// later passes and can result in dropped variable coverage in debug info.
3632	Value *LocalStackBaseAllocaPtr =
3633	isa<PtrToIntInst>(Val: LocalStackBaseAlloca)
3634	? cast<PtrToIntInst>(Val: LocalStackBaseAlloca)->getPointerOperand()
3635	: LocalStackBaseAlloca;
3636	assert(isa<AllocaInst>(LocalStackBaseAllocaPtr) &&
3637	"Variable descriptions relative to ASan stack base will be dropped");
3638
3639	// Replace Alloca instructions with base+offset.
3640	for (const auto &Desc : SVD) {
3641	AllocaInst *AI = Desc.AI;
3642	replaceDbgDeclare(Address: AI, NewAddress: LocalStackBaseAllocaPtr, Builder&: DIB, DIExprFlags,
3643	Offset: Desc.Offset);
3644	Value *NewAllocaPtr = IRB.CreateIntToPtr(
3645	V: IRB.CreateAdd(LHS: LocalStackBase, RHS: ConstantInt::get(Ty: IntptrTy, V: Desc.Offset)),
3646	DestTy: AI->getType());
3647	AI->replaceAllUsesWith(V: NewAllocaPtr);
3648	}
3649
3650	// The left-most redzone has enough space for at least 4 pointers.
3651	// Write the Magic value to redzone[0].
3652	Value *BasePlus0 = IRB.CreateIntToPtr(V: LocalStackBase, DestTy: IntptrPtrTy);
3653	IRB.CreateStore(Val: ConstantInt::get(Ty: IntptrTy, V: kCurrentStackFrameMagic),
3654	Ptr: BasePlus0);
3655	// Write the frame description constant to redzone[1].
3656	Value *BasePlus1 = IRB.CreateIntToPtr(
3657	V: IRB.CreateAdd(LHS: LocalStackBase,
3658	RHS: ConstantInt::get(Ty: IntptrTy, V: ASan.LongSize / `8`)),
3659	DestTy: IntptrPtrTy);
3660	GlobalVariable *StackDescriptionGlobal =
3661	createPrivateGlobalForString(M&: *F.getParent(), Str: DescriptionString,
3662	/AllowMerging/ true, NamePrefix: genName(suffix: "stack"));
3663	Value *Description = IRB.CreatePointerCast(V: StackDescriptionGlobal, DestTy: IntptrTy);
3664	IRB.CreateStore(Val: Description, Ptr: BasePlus1);
3665	// Write the PC to redzone[2].
3666	Value *BasePlus2 = IRB.CreateIntToPtr(
3667	V: IRB.CreateAdd(LHS: LocalStackBase,
3668	RHS: ConstantInt::get(Ty: IntptrTy, V: `2` * ASan.LongSize / `8`)),
3669	DestTy: IntptrPtrTy);
3670	IRB.CreateStore(Val: IRB.CreatePointerCast(V: &F, DestTy: IntptrTy), Ptr: BasePlus2);
3671
3672	const auto &ShadowAfterScope = GetShadowBytesAfterScope(Vars: SVD, Layout: L);
3673
3674	// Poison the stack red zones at the entry.
3675	Value *ShadowBase = ASan.memToShadow(Shadow: LocalStackBase, IRB);
3676	// As mask we must use most poisoned case: red zones and after scope.
3677	// As bytes we can use either the same or just red zones only.
3678	copyToShadow(ShadowMask: ShadowAfterScope, ShadowBytes: ShadowAfterScope, IRB, ShadowBase);
3679
3680	if (!StaticAllocaPoisonCallVec.empty()) {
3681	const auto &ShadowInScope = GetShadowBytes(Vars: SVD, Layout: L);
3682
3683	// Poison static allocas near lifetime intrinsics.
3684	for (const auto &APC : StaticAllocaPoisonCallVec) {
3685	const ASanStackVariableDescription &Desc = *AllocaToSVDMap [APC.AI];
3686	assert(Desc.Offset % L.Granularity == `0`);
3687	size_t Begin = Desc.Offset / L.Granularity;
3688	size_t End = Begin + (APC.Size + L.Granularity - `1`) / L.Granularity;
3689
3690	IRBuilder<> IRB(APC.InsBefore);
3691	copyToShadow(ShadowMask: ShadowAfterScope,
3692	ShadowBytes: APC.DoPoison ? ShadowAfterScope : ShadowInScope, Begin, End,
3693	IRB, ShadowBase);
3694	}
3695	}
3696
3697	SmallVector<uint8_t, `64`> ShadowClean(ShadowAfterScope.size(), `0`);
3698	SmallVector<uint8_t, `64`> ShadowAfterReturn;
3699
3700	// (Un)poison the stack before all ret instructions.
3701	for (Instruction *Ret : RetVec) {
3702	IRBuilder<> IRBRet(Ret);
3703	// Mark the current frame as retired.
3704	IRBRet.CreateStore(Val: ConstantInt::get(Ty: IntptrTy, V: kRetiredStackFrameMagic),
3705	Ptr: BasePlus0);
3706	if (DoStackMalloc) {
3707	assert(StackMallocIdx >= `0`);
3708	// if FakeStack != 0 // LocalStackBase == FakeStack
3709	// // In use-after-return mode, poison the whole stack frame.
3710	// if StackMallocIdx <= 4
3711	// // For small sizes inline the whole thing:
3712	// memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
3713	// SavedFlagPtr(FakeStack) = 0
3714	// else
3715	// __asan_stack_free_N(FakeStack, LocalStackSize)
3716	// else
3717	// <This is not a fake stack; unpoison the redzones>
3718	Value *Cmp =
3719	IRBRet.CreateICmpNE(LHS: FakeStack, RHS: Constant::getNullValue(Ty: IntptrTy));
3720	Instruction ThenTerm, ElseTerm;
3721	SplitBlockAndInsertIfThenElse(Cond: Cmp, SplitBefore: Ret, ThenTerm: &ThenTerm, ElseTerm: &ElseTerm);
3722
3723	IRBuilder<> IRBPoison(ThenTerm);
3724	if (ASan.MaxInlinePoisoningSize != `0` && StackMallocIdx <= `4`) {
3725	int ClassSize = kMinStackMallocSize << StackMallocIdx;
3726	ShadowAfterReturn.resize(N: ClassSize / L.Granularity,
3727	NV: kAsanStackUseAfterReturnMagic);
3728	copyToShadow(ShadowMask: ShadowAfterReturn, ShadowBytes: ShadowAfterReturn, IRB&: IRBPoison,
3729	ShadowBase);
3730	Value *SavedFlagPtrPtr = IRBPoison.CreateAdd(
3731	LHS: FakeStack,
3732	RHS: ConstantInt::get(Ty: IntptrTy, V: ClassSize - ASan.LongSize / `8`));
3733	Value *SavedFlagPtr = IRBPoison.CreateLoad(
3734	Ty: IntptrTy, Ptr: IRBPoison.CreateIntToPtr(V: SavedFlagPtrPtr, DestTy: IntptrPtrTy));
3735	IRBPoison.CreateStore(
3736	Val: Constant::getNullValue(Ty: IRBPoison.getInt8Ty()),
3737	Ptr: IRBPoison.CreateIntToPtr(V: SavedFlagPtr, DestTy: IRBPoison.getPtrTy()));
3738	} else {
3739	// For larger frames call __asan_stack_free_.*
3740	RTCI.createRuntimeCall(
3741	IRB&: IRBPoison, Callee: AsanStackFreeFunc[StackMallocIdx],
3742	Args: {FakeStack, ConstantInt::get(Ty: IntptrTy, V: LocalStackSize)});
3743	}
3744
3745	IRBuilder<> IRBElse(ElseTerm);
3746	copyToShadow(ShadowMask: ShadowAfterScope, ShadowBytes: ShadowClean, IRB&: IRBElse, ShadowBase);
3747	} else {
3748	copyToShadow(ShadowMask: ShadowAfterScope, ShadowBytes: ShadowClean, IRB&: IRBRet, ShadowBase);
3749	}
3750	}
3751
3752	// We are done. Remove the old unused alloca instructions.
3753	for (auto *AI : AllocaVec)
3754	AI->eraseFromParent();
3755	}
3756
3757	void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size,
3758	IRBuilder<> &IRB, bool DoPoison) {
3759	// For now just insert the call to ASan runtime.
3760	Value *AddrArg = IRB.CreatePointerCast(V, DestTy: IntptrTy);
3761	Value *SizeArg = ConstantInt::get(Ty: IntptrTy, V: Size);
3762	RTCI.createRuntimeCall(
3763	IRB, Callee: DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc,
3764	Args: {AddrArg, SizeArg});
3765	}
3766
3767	// Handling llvm.lifetime intrinsics for a given %alloca:
3768	// (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca.
3769	// (2) if %size is constant, poison memory for llvm.lifetime.end (to detect
3770	// invalid accesses) and unpoison it for llvm.lifetime.start (the memory
3771	// could be poisoned by previous llvm.lifetime.end instruction, as the
3772	// variable may go in and out of scope several times, e.g. in loops).
3773	// (3) if we poisoned at least one %alloca in a function,
3774	// unpoison the whole stack frame at function exit.
3775	void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) {
3776	IRBuilder<> IRB(AI);
3777
3778	const Align Alignment = std::max(a: Align (kAllocaRzSize), b: AI->getAlign());
3779	const uint64_t AllocaRedzoneMask = kAllocaRzSize - `1`;
3780
3781	Value *Zero = Constant::getNullValue(Ty: IntptrTy);
3782	Value *AllocaRzSize = ConstantInt::get(Ty: IntptrTy, V: kAllocaRzSize);
3783	Value *AllocaRzMask = ConstantInt::get(Ty: IntptrTy, V: AllocaRedzoneMask);
3784
3785	// Since we need to extend alloca with additional memory to locate
3786	// redzones, and OldSize is number of allocated blocks with
3787	// ElementSize size, get allocated memory size in bytes by
3788	// OldSize ElementSize.*
3789	const unsigned ElementSize =
3790	F.getDataLayout().getTypeAllocSize(Ty: AI->getAllocatedType());
3791	Value *OldSize =
3792	IRB.CreateMul(LHS: IRB.CreateIntCast(V: AI->getArraySize(), DestTy: IntptrTy, isSigned: false),
3793	RHS: ConstantInt::get(Ty: IntptrTy, V: ElementSize));
3794
3795	// PartialSize = OldSize % 32
3796	Value *PartialSize = IRB.CreateAnd(LHS: OldSize, RHS: AllocaRzMask);
3797
3798	// Misalign = kAllocaRzSize - PartialSize;
3799	Value *Misalign = IRB.CreateSub(LHS: AllocaRzSize, RHS: PartialSize);
3800
3801	// PartialPadding = Misalign != kAllocaRzSize ? Misalign : 0;
3802	Value *Cond = IRB.CreateICmpNE(LHS: Misalign, RHS: AllocaRzSize);
3803	Value *PartialPadding = IRB.CreateSelect(C: Cond, True: Misalign, False: Zero);
3804
3805	// AdditionalChunkSize = Alignment + PartialPadding + kAllocaRzSize
3806	// Alignment is added to locate left redzone, PartialPadding for possible
3807	// partial redzone and kAllocaRzSize for right redzone respectively.
3808	Value *AdditionalChunkSize = IRB.CreateAdd(
3809	LHS: ConstantInt::get(Ty: IntptrTy, V: Alignment.value() + kAllocaRzSize),
3810	RHS: PartialPadding);
3811
3812	Value *NewSize = IRB.CreateAdd(LHS: OldSize, RHS: AdditionalChunkSize);
3813
3814	// Insert new alloca with new NewSize and Alignment params.
3815	AllocaInst *NewAlloca = IRB.CreateAlloca(Ty: IRB.getInt8Ty(), ArraySize: NewSize);
3816	NewAlloca->setAlignment(Alignment);
3817
3818	// NewAddress = Address + Alignment
3819	Value *NewAddress =
3820	IRB.CreateAdd(LHS: IRB.CreatePtrToInt(V: NewAlloca, DestTy: IntptrTy),
3821	RHS: ConstantInt::get(Ty: IntptrTy, V: Alignment.value()));
3822
3823	// Insert __asan_alloca_poison call for new created alloca.
3824	RTCI.createRuntimeCall(IRB, Callee: AsanAllocaPoisonFunc, Args: {NewAddress, OldSize});
3825
3826	// Store the last alloca's address to DynamicAllocaLayout. We'll need this
3827	// for unpoisoning stuff.
3828	IRB.CreateStore(Val: IRB.CreatePtrToInt(V: NewAlloca, DestTy: IntptrTy), Ptr: DynamicAllocaLayout);
3829
3830	Value *NewAddressPtr = IRB.CreateIntToPtr(V: NewAddress, DestTy: AI->getType());
3831
3832	// Replace all uses of AddessReturnedByAlloca with NewAddressPtr.
3833	AI->replaceAllUsesWith(V: NewAddressPtr);
3834
3835	// We are done. Erase old alloca from parent.
3836	AI->eraseFromParent();
3837	}
3838
3839	// isSafeAccess returns true if Addr is always inbounds with respect to its
3840	// base object. For example, it is a field access or an array access with
3841	// constant inbounds index.
3842	bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
3843	Value Addr, TypeSize TypeStoreSize) const* {
3844	if (TypeStoreSize.isScalable())
3845	// TODO: We can use vscale_range to convert a scalable value to an
3846	// upper bound on the access size.
3847	return false;
3848
3849	SizeOffsetAPInt SizeOffset = ObjSizeVis.compute(V: Addr);
3850	if (!SizeOffset.bothKnown())
3851	return false;
3852
3853	uint64_t Size = SizeOffset.Size.getZExtValue();
3854	int64_t Offset = SizeOffset.Offset.getSExtValue();
3855
3856	// Three checks are required to ensure safety:
3857	// . Offset >= 0 (since the offset is given from the base ptr)
3858	// . Size >= Offset (unsigned)
3859	// . Size - Offset >= NeededSize (unsigned)
3860	return Offset >= `0` && Size >= uint64_t(Offset) &&
3861	Size - uint64_t(Offset) >= TypeStoreSize / `8`;
3862	}
3863

Browse the source code of llvm_projects/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp