| 1 | //===- StackProtector.cpp - Stack Protector Insertion ---------------------===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | // |
| 9 | // This pass inserts stack protectors into functions which need them. A variable |
| 10 | // with a random value in it is stored onto the stack before the local variables |
| 11 | // are allocated. Upon exiting the block, the stored value is checked. If it's |
| 12 | // changed, then there was some sort of violation and the program aborts. |
| 13 | // |
| 14 | //===----------------------------------------------------------------------===// |
| 15 | |
| 16 | #include "llvm/CodeGen/StackProtector.h" |
| 17 | #include "llvm/ADT/SmallVector.h" |
| 18 | #include "llvm/ADT/Statistic.h" |
| 19 | #include "llvm/Analysis/BranchProbabilityInfo.h" |
| 20 | #include "llvm/Analysis/MemoryLocation.h" |
| 21 | #include "llvm/Analysis/OptimizationRemarkEmitter.h" |
| 22 | #include "llvm/CodeGen/Analysis.h" |
| 23 | #include "llvm/CodeGen/Passes.h" |
| 24 | #include "llvm/CodeGen/TargetLowering.h" |
| 25 | #include "llvm/CodeGen/TargetPassConfig.h" |
| 26 | #include "llvm/CodeGen/TargetSubtargetInfo.h" |
| 27 | #include "llvm/IR/Attributes.h" |
| 28 | #include "llvm/IR/BasicBlock.h" |
| 29 | #include "llvm/IR/Constants.h" |
| 30 | #include "llvm/IR/DataLayout.h" |
| 31 | #include "llvm/IR/DerivedTypes.h" |
| 32 | #include "llvm/IR/Dominators.h" |
| 33 | #include "llvm/IR/EHPersonalities.h" |
| 34 | #include "llvm/IR/Function.h" |
| 35 | #include "llvm/IR/IRBuilder.h" |
| 36 | #include "llvm/IR/Instruction.h" |
| 37 | #include "llvm/IR/Instructions.h" |
| 38 | #include "llvm/IR/IntrinsicInst.h" |
| 39 | #include "llvm/IR/Intrinsics.h" |
| 40 | #include "llvm/IR/MDBuilder.h" |
| 41 | #include "llvm/IR/Module.h" |
| 42 | #include "llvm/IR/Type.h" |
| 43 | #include "llvm/IR/User.h" |
| 44 | #include "llvm/InitializePasses.h" |
| 45 | #include "llvm/Pass.h" |
| 46 | #include "llvm/Support/Casting.h" |
| 47 | #include "llvm/Support/CommandLine.h" |
| 48 | #include "llvm/Target/TargetMachine.h" |
| 49 | #include "llvm/Target/TargetOptions.h" |
| 50 | #include "llvm/Transforms/Utils/BasicBlockUtils.h" |
| 51 | #include <optional> |
| 52 | |
| 53 | using namespace llvm; |
| 54 | |
| 55 | #define DEBUG_TYPE "stack-protector" |
| 56 | |
| 57 | STATISTIC(NumFunProtected, "Number of functions protected"); |
| 58 | STATISTIC(NumAddrTaken, "Number of local variables that have their address" |
| 59 | " taken."); |
| 60 | |
| 61 | static cl::opt<bool> EnableSelectionDAGSP("enable-selectiondag-sp", |
| 62 | cl::init(Val: true), cl::Hidden); |
| 63 | static cl::opt<bool> DisableCheckNoReturn("disable-check-noreturn-call", |
| 64 | cl::init(Val: false), cl::Hidden); |
| 65 | |
| 66 | /// InsertStackProtectors - Insert code into the prologue and epilogue of the |
| 67 | /// function. |
| 68 | /// |
| 69 | /// - The prologue code loads and stores the stack guard onto the stack. |
| 70 | /// - The epilogue checks the value stored in the prologue against the original |
| 71 | /// value. It calls __stack_chk_fail if they differ. |
| 72 | static bool InsertStackProtectors(const TargetLowering &TLI, |
| 73 | const LibcallLoweringInfo &Libcalls, |
| 74 | Function *F, DomTreeUpdater *DTU, |
| 75 | bool &HasPrologue, bool &HasIRCheck); |
| 76 | |
| 77 | /// CreateFailBB - Create a basic block to jump to when the stack protector |
| 78 | /// check fails. |
| 79 | static BasicBlock *CreateFailBB(Function *F, |
| 80 | const LibcallLoweringInfo &Libcalls); |
| 81 | |
| 82 | bool SSPLayoutInfo::shouldEmitSDCheck(const BasicBlock &BB) const { |
| 83 | return HasPrologue && !HasIRCheck && isa<ReturnInst>(Val: BB.getTerminator()); |
| 84 | } |
| 85 | |
| 86 | void SSPLayoutInfo::copyToMachineFrameInfo(MachineFrameInfo &MFI) const { |
| 87 | if (Layout.empty()) |
| 88 | return; |
| 89 | |
| 90 | for (int I = 0, E = MFI.getObjectIndexEnd(); I != E; ++I) { |
| 91 | if (MFI.isDeadObjectIndex(ObjectIdx: I)) |
| 92 | continue; |
| 93 | |
| 94 | const AllocaInst *AI = MFI.getObjectAllocation(ObjectIdx: I); |
| 95 | if (!AI) |
| 96 | continue; |
| 97 | |
| 98 | SSPLayoutMap::const_iterator LI = Layout.find(Val: AI); |
| 99 | if (LI == Layout.end()) |
| 100 | continue; |
| 101 | |
| 102 | MFI.setObjectSSPLayout(ObjectIdx: I, Kind: LI->second); |
| 103 | } |
| 104 | } |
| 105 | |
| 106 | SSPLayoutInfo SSPLayoutAnalysis::run(Function &F, |
| 107 | FunctionAnalysisManager &FAM) { |
| 108 | |
| 109 | SSPLayoutInfo Info; |
| 110 | Info.RequireStackProtector = |
| 111 | SSPLayoutAnalysis::requiresStackProtector(F: &F, Layout: &Info.Layout); |
| 112 | Info.SSPBufferSize = F.getFnAttributeAsParsedInteger( |
| 113 | Kind: "stack-protector-buffer-size", Default: SSPLayoutInfo::DefaultSSPBufferSize); |
| 114 | return Info; |
| 115 | } |
| 116 | |
| 117 | AnalysisKey SSPLayoutAnalysis::Key; |
| 118 | |
| 119 | PreservedAnalyses StackProtectorPass::run(Function &F, |
| 120 | FunctionAnalysisManager &FAM) { |
| 121 | auto &Info = FAM.getResult<SSPLayoutAnalysis>(IR&: F); |
| 122 | auto *DT = FAM.getCachedResult<DominatorTreeAnalysis>(IR&: F); |
| 123 | DomTreeUpdater DTU(DT, DomTreeUpdater::UpdateStrategy::Lazy); |
| 124 | |
| 125 | if (!Info.RequireStackProtector) |
| 126 | return PreservedAnalyses::all(); |
| 127 | |
| 128 | // TODO(etienneb): Functions with funclets are not correctly supported now. |
| 129 | // Do nothing if this is funclet-based personality. |
| 130 | if (F.hasPersonalityFn()) { |
| 131 | EHPersonality Personality = classifyEHPersonality(Pers: F.getPersonalityFn()); |
| 132 | if (isFuncletEHPersonality(Pers: Personality)) |
| 133 | return PreservedAnalyses::all(); |
| 134 | } |
| 135 | |
| 136 | auto &MAMProxy = FAM.getResult<ModuleAnalysisManagerFunctionProxy>(IR&: F); |
| 137 | const LibcallLoweringModuleAnalysisResult *LibcallLowering = |
| 138 | MAMProxy.getCachedResult<LibcallLoweringModuleAnalysis>(IR&: *F.getParent()); |
| 139 | |
| 140 | if (!LibcallLowering) { |
| 141 | F.getContext().emitError(ErrorStr: "'"+ LibcallLoweringModuleAnalysis::name() + |
| 142 | "' analysis required"); |
| 143 | return PreservedAnalyses::all(); |
| 144 | } |
| 145 | |
| 146 | const TargetSubtargetInfo *STI = TM->getSubtargetImpl(F); |
| 147 | const TargetLowering *TLI = STI->getTargetLowering(); |
| 148 | const LibcallLoweringInfo &Libcalls = |
| 149 | LibcallLowering->getLibcallLowering(Subtarget: *STI); |
| 150 | |
| 151 | ++NumFunProtected; |
| 152 | bool Changed = InsertStackProtectors(TLI: *TLI, Libcalls, F: &F, DTU: DT ? &DTU : nullptr, |
| 153 | HasPrologue&: Info.HasPrologue, HasIRCheck&: Info.HasIRCheck); |
| 154 | #ifdef EXPENSIVE_CHECKS |
| 155 | assert((!DT || |
| 156 | DTU.getDomTree().verify(DominatorTree::VerificationLevel::Full)) && |
| 157 | "Failed to maintain validity of domtree!"); |
| 158 | #endif |
| 159 | |
| 160 | if (!Changed) |
| 161 | return PreservedAnalyses::all(); |
| 162 | PreservedAnalyses PA; |
| 163 | PA.preserve<SSPLayoutAnalysis>(); |
| 164 | PA.preserve<DominatorTreeAnalysis>(); |
| 165 | return PA; |
| 166 | } |
| 167 | |
| 168 | char StackProtector::ID = 0; |
| 169 | |
| 170 | StackProtector::StackProtector() : FunctionPass(ID) {} |
| 171 | |
| 172 | INITIALIZE_PASS_BEGIN(StackProtector, DEBUG_TYPE, |
| 173 | "Insert stack protectors", false, true) |
| 174 | INITIALIZE_PASS_DEPENDENCY(LibcallLoweringInfoWrapper) |
| 175 | INITIALIZE_PASS_DEPENDENCY(TargetPassConfig) |
| 176 | INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass) |
| 177 | INITIALIZE_PASS_END(StackProtector, DEBUG_TYPE, |
| 178 | "Insert stack protectors", false, true) |
| 179 | |
| 180 | FunctionPass *llvm::createStackProtectorPass() { return new StackProtector(); } |
| 181 | |
| 182 | void StackProtector::getAnalysisUsage(AnalysisUsage &AU) const { |
| 183 | AU.addRequired<LibcallLoweringInfoWrapper>(); |
| 184 | AU.addRequired<TargetPassConfig>(); |
| 185 | AU.addPreserved<DominatorTreeWrapperPass>(); |
| 186 | } |
| 187 | |
| 188 | bool StackProtector::runOnFunction(Function &Fn) { |
| 189 | F = &Fn; |
| 190 | M = F->getParent(); |
| 191 | if (auto *DTWP = getAnalysisIfAvailable<DominatorTreeWrapperPass>()) |
| 192 | DTU.emplace(args&: DTWP->getDomTree(), args: DomTreeUpdater::UpdateStrategy::Lazy); |
| 193 | TM = &getAnalysis<TargetPassConfig>().getTM<TargetMachine>(); |
| 194 | LayoutInfo.HasPrologue = false; |
| 195 | LayoutInfo.HasIRCheck = false; |
| 196 | |
| 197 | LayoutInfo.SSPBufferSize = Fn.getFnAttributeAsParsedInteger( |
| 198 | Kind: "stack-protector-buffer-size", Default: SSPLayoutInfo::DefaultSSPBufferSize); |
| 199 | if (!requiresStackProtector(F, Layout: &LayoutInfo.Layout)) |
| 200 | return false; |
| 201 | |
| 202 | // TODO(etienneb): Functions with funclets are not correctly supported now. |
| 203 | // Do nothing if this is funclet-based personality. |
| 204 | if (Fn.hasPersonalityFn()) { |
| 205 | EHPersonality Personality = classifyEHPersonality(Pers: Fn.getPersonalityFn()); |
| 206 | if (isFuncletEHPersonality(Pers: Personality)) |
| 207 | return false; |
| 208 | } |
| 209 | |
| 210 | const TargetSubtargetInfo *Subtarget = TM->getSubtargetImpl(Fn); |
| 211 | const LibcallLoweringInfo &Libcalls = |
| 212 | getAnalysis<LibcallLoweringInfoWrapper>().getLibcallLowering(M: *M, |
| 213 | Subtarget: *Subtarget); |
| 214 | |
| 215 | const TargetLowering *TLI = Subtarget->getTargetLowering(); |
| 216 | |
| 217 | ++NumFunProtected; |
| 218 | bool Changed = |
| 219 | InsertStackProtectors(TLI: *TLI, Libcalls, F, DTU: DTU ? &*DTU : nullptr, |
| 220 | HasPrologue&: LayoutInfo.HasPrologue, HasIRCheck&: LayoutInfo.HasIRCheck); |
| 221 | #ifdef EXPENSIVE_CHECKS |
| 222 | assert((!DTU || |
| 223 | DTU->getDomTree().verify(DominatorTree::VerificationLevel::Full)) && |
| 224 | "Failed to maintain validity of domtree!"); |
| 225 | #endif |
| 226 | DTU.reset(); |
| 227 | return Changed; |
| 228 | } |
| 229 | |
| 230 | /// \param [out] IsLarge is set to true if a protectable array is found and |
| 231 | /// it is "large" ( >= ssp-buffer-size). In the case of a structure with |
| 232 | /// multiple arrays, this gets set if any of them is large. |
| 233 | static bool ContainsProtectableArray(Type *Ty, Module *M, unsigned SSPBufferSize, |
| 234 | bool &IsLarge, bool Strong, |
| 235 | bool InStruct) { |
| 236 | if (!Ty) |
| 237 | return false; |
| 238 | if (ArrayType *AT = dyn_cast<ArrayType>(Val: Ty)) { |
| 239 | if (!AT->getElementType()->isIntegerTy(Bitwidth: 8)) { |
| 240 | // If we're on a non-Darwin platform or we're inside of a structure, don't |
| 241 | // add stack protectors unless the array is a character array. |
| 242 | // However, in strong mode any array, regardless of type and size, |
| 243 | // triggers a protector. |
| 244 | if (!Strong && (InStruct || !M->getTargetTriple().isOSDarwin())) |
| 245 | return false; |
| 246 | } |
| 247 | |
| 248 | // If an array has more than SSPBufferSize bytes of allocated space, then we |
| 249 | // emit stack protectors. |
| 250 | if (SSPBufferSize <= M->getDataLayout().getTypeAllocSize(Ty: AT)) { |
| 251 | IsLarge = true; |
| 252 | return true; |
| 253 | } |
| 254 | |
| 255 | if (Strong) |
| 256 | // Require a protector for all arrays in strong mode |
| 257 | return true; |
| 258 | } |
| 259 | |
| 260 | const StructType *ST = dyn_cast<StructType>(Val: Ty); |
| 261 | if (!ST) |
| 262 | return false; |
| 263 | |
| 264 | bool NeedsProtector = false; |
| 265 | for (Type *ET : ST->elements()) |
| 266 | if (ContainsProtectableArray(Ty: ET, M, SSPBufferSize, IsLarge, Strong, InStruct: true)) { |
| 267 | // If the element is a protectable array and is large (>= SSPBufferSize) |
| 268 | // then we are done. If the protectable array is not large, then |
| 269 | // keep looking in case a subsequent element is a large array. |
| 270 | if (IsLarge) |
| 271 | return true; |
| 272 | NeedsProtector = true; |
| 273 | } |
| 274 | |
| 275 | return NeedsProtector; |
| 276 | } |
| 277 | |
| 278 | /// Maximum remaining allocation size observed for a phi node, and how often |
| 279 | /// the allocation size has already been decreased. We only allow a limited |
| 280 | /// number of decreases. |
| 281 | struct PhiInfo { |
| 282 | TypeSize AllocSize; |
| 283 | unsigned NumDecreased = 0; |
| 284 | static constexpr unsigned MaxNumDecreased = 3; |
| 285 | PhiInfo(TypeSize AllocSize) : AllocSize(AllocSize) {} |
| 286 | }; |
| 287 | using PhiMap = SmallDenseMap<const PHINode *, PhiInfo, 16>; |
| 288 | |
| 289 | /// Check whether a stack allocation has its address taken. |
| 290 | static bool HasAddressTaken(const Instruction *AI, TypeSize AllocSize, |
| 291 | Module *M, |
| 292 | PhiMap &VisitedPHIs) { |
| 293 | const DataLayout &DL = M->getDataLayout(); |
| 294 | for (const User *U : AI->users()) { |
| 295 | const auto *I = cast<Instruction>(Val: U); |
| 296 | // If this instruction accesses memory make sure it doesn't access beyond |
| 297 | // the bounds of the allocated object. |
| 298 | std::optional<MemoryLocation> MemLoc = MemoryLocation::getOrNone(Inst: I); |
| 299 | if (MemLoc && MemLoc->Size.hasValue() && |
| 300 | !TypeSize::isKnownGE(LHS: AllocSize, RHS: MemLoc->Size.getValue())) |
| 301 | return true; |
| 302 | switch (I->getOpcode()) { |
| 303 | case Instruction::Store: |
| 304 | if (AI == cast<StoreInst>(Val: I)->getValueOperand()) |
| 305 | return true; |
| 306 | break; |
| 307 | case Instruction::AtomicCmpXchg: |
| 308 | // cmpxchg conceptually includes both a load and store from the same |
| 309 | // location. So, like store, the value being stored is what matters. |
| 310 | if (AI == cast<AtomicCmpXchgInst>(Val: I)->getNewValOperand()) |
| 311 | return true; |
| 312 | break; |
| 313 | case Instruction::AtomicRMW: |
| 314 | if (AI == cast<AtomicRMWInst>(Val: I)->getValOperand()) |
| 315 | return true; |
| 316 | break; |
| 317 | case Instruction::PtrToInt: |
| 318 | if (AI == cast<PtrToIntInst>(Val: I)->getOperand(i_nocapture: 0)) |
| 319 | return true; |
| 320 | break; |
| 321 | case Instruction::Call: { |
| 322 | // Ignore intrinsics that do not become real instructions. |
| 323 | // TODO: Narrow this to intrinsics that have store-like effects. |
| 324 | const auto *CI = cast<CallInst>(Val: I); |
| 325 | if (!CI->isDebugOrPseudoInst() && !CI->isLifetimeStartOrEnd()) |
| 326 | return true; |
| 327 | break; |
| 328 | } |
| 329 | case Instruction::Invoke: |
| 330 | return true; |
| 331 | case Instruction::GetElementPtr: { |
| 332 | // If the GEP offset is out-of-bounds, or is non-constant and so has to be |
| 333 | // assumed to be potentially out-of-bounds, then any memory access that |
| 334 | // would use it could also be out-of-bounds meaning stack protection is |
| 335 | // required. |
| 336 | const GetElementPtrInst *GEP = cast<GetElementPtrInst>(Val: I); |
| 337 | unsigned IndexSize = DL.getIndexTypeSizeInBits(Ty: I->getType()); |
| 338 | APInt Offset(IndexSize, 0); |
| 339 | if (!GEP->accumulateConstantOffset(DL, Offset)) |
| 340 | return true; |
| 341 | TypeSize OffsetSize = TypeSize::getFixed(ExactSize: Offset.getLimitedValue()); |
| 342 | if (!TypeSize::isKnownGT(LHS: AllocSize, RHS: OffsetSize)) |
| 343 | return true; |
| 344 | // Adjust AllocSize to be the space remaining after this offset. |
| 345 | // We can't subtract a fixed size from a scalable one, so in that case |
| 346 | // assume the scalable value is of minimum size. |
| 347 | TypeSize NewAllocSize = |
| 348 | TypeSize::getFixed(ExactSize: AllocSize.getKnownMinValue()) - OffsetSize; |
| 349 | if (HasAddressTaken(AI: I, AllocSize: NewAllocSize, M, VisitedPHIs)) |
| 350 | return true; |
| 351 | break; |
| 352 | } |
| 353 | case Instruction::BitCast: |
| 354 | case Instruction::Select: |
| 355 | case Instruction::AddrSpaceCast: |
| 356 | if (HasAddressTaken(AI: I, AllocSize, M, VisitedPHIs)) |
| 357 | return true; |
| 358 | break; |
| 359 | case Instruction::PHI: { |
| 360 | // Keep track of what PHI nodes we have already visited to ensure |
| 361 | // they are only visited once. |
| 362 | const auto *PN = cast<PHINode>(Val: I); |
| 363 | auto [It, Inserted] = VisitedPHIs.try_emplace(Key: PN, Args&: AllocSize); |
| 364 | if (!Inserted) { |
| 365 | if (TypeSize::isKnownGE(LHS: AllocSize, RHS: It->second.AllocSize)) |
| 366 | break; |
| 367 | |
| 368 | // Check again with smaller size. |
| 369 | if (It->second.NumDecreased == PhiInfo::MaxNumDecreased) |
| 370 | return true; |
| 371 | |
| 372 | It->second.AllocSize = AllocSize; |
| 373 | ++It->second.NumDecreased; |
| 374 | } |
| 375 | if (HasAddressTaken(AI: PN, AllocSize, M, VisitedPHIs)) |
| 376 | return true; |
| 377 | break; |
| 378 | } |
| 379 | case Instruction::Load: |
| 380 | case Instruction::Ret: |
| 381 | // These instructions take an address operand, but have load-like or |
| 382 | // other innocuous behavior that should not trigger a stack protector. |
| 383 | break; |
| 384 | default: |
| 385 | // Conservatively return true for any instruction that takes an address |
| 386 | // operand, but is not handled above. |
| 387 | return true; |
| 388 | } |
| 389 | } |
| 390 | return false; |
| 391 | } |
| 392 | |
| 393 | /// Search for the first call to the llvm.stackprotector intrinsic and return it |
| 394 | /// if present. |
| 395 | static const CallInst *findStackProtectorIntrinsic(Function &F) { |
| 396 | for (const BasicBlock &BB : F) |
| 397 | for (const Instruction &I : BB) |
| 398 | if (const auto *II = dyn_cast<IntrinsicInst>(Val: &I)) |
| 399 | if (II->getIntrinsicID() == Intrinsic::stackprotector) |
| 400 | return II; |
| 401 | return nullptr; |
| 402 | } |
| 403 | |
| 404 | /// Check whether or not this function needs a stack protector based |
| 405 | /// upon the stack protector level. |
| 406 | /// |
| 407 | /// We use two heuristics: a standard (ssp) and strong (sspstrong). |
| 408 | /// The standard heuristic which will add a guard variable to functions that |
| 409 | /// call alloca with a either a variable size or a size >= SSPBufferSize, |
| 410 | /// functions with character buffers larger than SSPBufferSize, and functions |
| 411 | /// with aggregates containing character buffers larger than SSPBufferSize. The |
| 412 | /// strong heuristic will add a guard variables to functions that call alloca |
| 413 | /// regardless of size, functions with any buffer regardless of type and size, |
| 414 | /// functions with aggregates that contain any buffer regardless of type and |
| 415 | /// size, and functions that contain stack-based variables that have had their |
| 416 | /// address taken. |
| 417 | bool SSPLayoutAnalysis::requiresStackProtector(Function *F, |
| 418 | SSPLayoutMap *Layout) { |
| 419 | Module *M = F->getParent(); |
| 420 | bool Strong = false; |
| 421 | bool NeedsProtector = false; |
| 422 | |
| 423 | // The set of PHI nodes visited when determining if a variable's reference has |
| 424 | // been taken. This set is maintained to ensure we don't visit the same PHI |
| 425 | // node multiple times. |
| 426 | PhiMap VisitedPHIs; |
| 427 | |
| 428 | unsigned SSPBufferSize = F->getFnAttributeAsParsedInteger( |
| 429 | Kind: "stack-protector-buffer-size", Default: SSPLayoutInfo::DefaultSSPBufferSize); |
| 430 | |
| 431 | if (F->hasFnAttribute(Kind: Attribute::SafeStack)) |
| 432 | return false; |
| 433 | |
| 434 | // We are constructing the OptimizationRemarkEmitter on the fly rather than |
| 435 | // using the analysis pass to avoid building DominatorTree and LoopInfo which |
| 436 | // are not available this late in the IR pipeline. |
| 437 | OptimizationRemarkEmitter ORE(F); |
| 438 | |
| 439 | if (F->hasFnAttribute(Kind: Attribute::StackProtectReq)) { |
| 440 | if (!Layout) |
| 441 | return true; |
| 442 | ORE.emit(RemarkBuilder: [&]() { |
| 443 | return OptimizationRemark(DEBUG_TYPE, "StackProtectorRequested", F) |
| 444 | << "Stack protection applied to function " |
| 445 | << ore::NV("Function", F) |
| 446 | << " due to a function attribute or command-line switch"; |
| 447 | }); |
| 448 | NeedsProtector = true; |
| 449 | Strong = true; // Use the same heuristic as strong to determine SSPLayout |
| 450 | } else if (F->hasFnAttribute(Kind: Attribute::StackProtectStrong)) |
| 451 | Strong = true; |
| 452 | else if (!F->hasFnAttribute(Kind: Attribute::StackProtect)) |
| 453 | return false; |
| 454 | |
| 455 | for (const BasicBlock &BB : *F) { |
| 456 | for (const Instruction &I : BB) { |
| 457 | if (const AllocaInst *AI = dyn_cast<AllocaInst>(Val: &I)) { |
| 458 | if (const MDNode *MD = AI->getMetadata(Kind: "stack-protector")) { |
| 459 | const auto *CI = mdconst::dyn_extract<ConstantInt>(MD: MD->getOperand(I: 0)); |
| 460 | if (CI->isZero()) |
| 461 | continue; |
| 462 | } |
| 463 | if (AI->isArrayAllocation()) { |
| 464 | auto RemarkBuilder = [&]() { |
| 465 | return OptimizationRemark(DEBUG_TYPE, "StackProtectorAllocaOrArray", |
| 466 | &I) |
| 467 | << "Stack protection applied to function " |
| 468 | << ore::NV("Function", F) |
| 469 | << " due to a call to alloca or use of a variable length " |
| 470 | "array"; |
| 471 | }; |
| 472 | if (const auto *CI = dyn_cast<ConstantInt>(Val: AI->getArraySize())) { |
| 473 | if (CI->getLimitedValue(Limit: SSPBufferSize) >= SSPBufferSize) { |
| 474 | // A call to alloca with size >= SSPBufferSize requires |
| 475 | // stack protectors. |
| 476 | if (!Layout) |
| 477 | return true; |
| 478 | Layout->insert( |
| 479 | KV: std::make_pair(x&: AI, y: MachineFrameInfo::SSPLK_LargeArray)); |
| 480 | ORE.emit(RemarkBuilder); |
| 481 | NeedsProtector = true; |
| 482 | } else if (Strong) { |
| 483 | // Require protectors for all alloca calls in strong mode. |
| 484 | if (!Layout) |
| 485 | return true; |
| 486 | Layout->insert( |
| 487 | KV: std::make_pair(x&: AI, y: MachineFrameInfo::SSPLK_SmallArray)); |
| 488 | ORE.emit(RemarkBuilder); |
| 489 | NeedsProtector = true; |
| 490 | } |
| 491 | } else { |
| 492 | // A call to alloca with a variable size requires protectors. |
| 493 | if (!Layout) |
| 494 | return true; |
| 495 | Layout->insert( |
| 496 | KV: std::make_pair(x&: AI, y: MachineFrameInfo::SSPLK_LargeArray)); |
| 497 | ORE.emit(RemarkBuilder); |
| 498 | NeedsProtector = true; |
| 499 | } |
| 500 | continue; |
| 501 | } |
| 502 | |
| 503 | bool IsLarge = false; |
| 504 | if (ContainsProtectableArray(Ty: AI->getAllocatedType(), M, SSPBufferSize, |
| 505 | IsLarge, Strong, InStruct: false)) { |
| 506 | if (!Layout) |
| 507 | return true; |
| 508 | Layout->insert(KV: std::make_pair( |
| 509 | x&: AI, y: IsLarge ? MachineFrameInfo::SSPLK_LargeArray |
| 510 | : MachineFrameInfo::SSPLK_SmallArray)); |
| 511 | ORE.emit(RemarkBuilder: [&]() { |
| 512 | return OptimizationRemark(DEBUG_TYPE, "StackProtectorBuffer", &I) |
| 513 | << "Stack protection applied to function " |
| 514 | << ore::NV("Function", F) |
| 515 | << " due to a stack allocated buffer or struct containing a " |
| 516 | "buffer"; |
| 517 | }); |
| 518 | NeedsProtector = true; |
| 519 | continue; |
| 520 | } |
| 521 | |
| 522 | if (Strong) { |
| 523 | std::optional<TypeSize> AllocSize = |
| 524 | AI->getAllocationSize(DL: M->getDataLayout()); |
| 525 | if (!AllocSize || HasAddressTaken(AI, AllocSize: *AllocSize, M, VisitedPHIs)) { |
| 526 | ++NumAddrTaken; |
| 527 | if (!Layout) |
| 528 | return true; |
| 529 | Layout->insert(KV: std::make_pair(x&: AI, y: MachineFrameInfo::SSPLK_AddrOf)); |
| 530 | ORE.emit(RemarkBuilder: [&]() { |
| 531 | return OptimizationRemark(DEBUG_TYPE, |
| 532 | "StackProtectorAddressTaken", &I) |
| 533 | << "Stack protection applied to function " |
| 534 | << ore::NV("Function", F) |
| 535 | << " due to the address of a local variable being taken"; |
| 536 | }); |
| 537 | NeedsProtector = true; |
| 538 | } |
| 539 | } |
| 540 | // Clear any PHIs that we visited, to make sure we examine all uses of |
| 541 | // any subsequent allocas that we look at. |
| 542 | VisitedPHIs.clear(); |
| 543 | } |
| 544 | } |
| 545 | } |
| 546 | |
| 547 | return NeedsProtector; |
| 548 | } |
| 549 | |
| 550 | /// Create a stack guard loading and populate whether SelectionDAG SSP is |
| 551 | /// supported. |
| 552 | static Value *getStackGuard(const TargetLoweringBase &TLI, |
| 553 | const LibcallLoweringInfo &Libcalls, Module *M, |
| 554 | IRBuilder<> &B, |
| 555 | bool *SupportsSelectionDAGSP = nullptr) { |
| 556 | Value *Guard = TLI.getIRStackGuard(IRB&: B, Libcalls); |
| 557 | StringRef GuardMode = M->getStackProtectorGuard(); |
| 558 | if ((GuardMode == "tls"|| GuardMode.empty()) && Guard) |
| 559 | return B.CreateLoad(Ty: B.getPtrTy(), Ptr: Guard, isVolatile: true, Name: "StackGuard"); |
| 560 | |
| 561 | // Use SelectionDAG SSP handling, since there isn't an IR guard. |
| 562 | // |
| 563 | // This is more or less weird, since we optionally output whether we |
| 564 | // should perform a SelectionDAG SP here. The reason is that it's strictly |
| 565 | // defined as !TLI->getIRStackGuard(B), where getIRStackGuard is also |
| 566 | // mutating. There is no way to get this bit without mutating the IR, so |
| 567 | // getting this bit has to happen in this right time. |
| 568 | // |
| 569 | // We could have define a new function TLI::supportsSelectionDAGSP(), but that |
| 570 | // will put more burden on the backends' overriding work, especially when it |
| 571 | // actually conveys the same information getIRStackGuard() already gives. |
| 572 | if (SupportsSelectionDAGSP) |
| 573 | *SupportsSelectionDAGSP = true; |
| 574 | TLI.insertSSPDeclarations(M&: *M, Libcalls); |
| 575 | return B.CreateIntrinsic(ID: Intrinsic::stackguard, Args: {}); |
| 576 | } |
| 577 | |
| 578 | /// Insert code into the entry block that stores the stack guard |
| 579 | /// variable onto the stack: |
| 580 | /// |
| 581 | /// entry: |
| 582 | /// StackGuardSlot = alloca i8* |
| 583 | /// StackGuard = <stack guard> |
| 584 | /// call void @llvm.stackprotector(StackGuard, StackGuardSlot) |
| 585 | /// |
| 586 | /// Returns true if the platform/triple supports the stackprotectorcreate pseudo |
| 587 | /// node. |
| 588 | static bool CreatePrologue(Function *F, Module *M, Instruction *CheckLoc, |
| 589 | const TargetLoweringBase *TLI, |
| 590 | const LibcallLoweringInfo &Libcalls, |
| 591 | AllocaInst *&AI) { |
| 592 | bool SupportsSelectionDAGSP = false; |
| 593 | IRBuilder<> B(&F->getEntryBlock().front()); |
| 594 | PointerType *PtrTy = PointerType::getUnqual(C&: CheckLoc->getContext()); |
| 595 | AI = B.CreateAlloca(Ty: PtrTy, ArraySize: nullptr, Name: "StackGuardSlot"); |
| 596 | |
| 597 | Value *GuardSlot = |
| 598 | getStackGuard(TLI: *TLI, Libcalls, M, B, SupportsSelectionDAGSP: &SupportsSelectionDAGSP); |
| 599 | B.CreateIntrinsic(ID: Intrinsic::stackprotector, Args: {GuardSlot, AI}); |
| 600 | return SupportsSelectionDAGSP; |
| 601 | } |
| 602 | |
| 603 | bool InsertStackProtectors(const TargetLowering &TLI, |
| 604 | const LibcallLoweringInfo &Libcalls, Function *F, |
| 605 | DomTreeUpdater *DTU, bool &HasPrologue, |
| 606 | bool &HasIRCheck) { |
| 607 | auto *M = F->getParent(); |
| 608 | |
| 609 | // If the target wants to XOR the frame pointer into the guard value, it's |
| 610 | // impossible to emit the check in IR, so the target *must* support stack |
| 611 | // protection in SDAG. |
| 612 | bool SupportsSelectionDAGSP = |
| 613 | TLI.useStackGuardXorFP() || |
| 614 | (EnableSelectionDAGSP && !TLI.getTargetMachine().Options.EnableFastISel); |
| 615 | AllocaInst *AI = nullptr; // Place on stack that stores the stack guard. |
| 616 | BasicBlock *FailBB = nullptr; |
| 617 | |
| 618 | for (BasicBlock &BB : llvm::make_early_inc_range(Range&: *F)) { |
| 619 | // This is stack protector auto generated check BB, skip it. |
| 620 | if (&BB == FailBB) |
| 621 | continue; |
| 622 | Instruction *CheckLoc = dyn_cast<ReturnInst>(Val: BB.getTerminator()); |
| 623 | if (!CheckLoc && !DisableCheckNoReturn) |
| 624 | for (auto &Inst : BB) { |
| 625 | if (IntrinsicInst *IB = dyn_cast<IntrinsicInst>(Val: &Inst); |
| 626 | IB && (IB->getIntrinsicID() == Intrinsic::eh_sjlj_callsite)) { |
| 627 | // eh_sjlj_callsite has to be in same BB as the |
| 628 | // bb terminator. Don't insert within this range. |
| 629 | CheckLoc = IB; |
| 630 | break; |
| 631 | } |
| 632 | if (auto *CB = dyn_cast<CallBase>(Val: &Inst)) |
| 633 | // Do stack check before noreturn calls that aren't nounwind (e.g: |
| 634 | // __cxa_throw). |
| 635 | if (CB->doesNotReturn() && !CB->doesNotThrow()) { |
| 636 | CheckLoc = CB; |
| 637 | break; |
| 638 | } |
| 639 | } |
| 640 | |
| 641 | if (!CheckLoc) |
| 642 | continue; |
| 643 | |
| 644 | // Generate prologue instrumentation if not already generated. |
| 645 | if (!HasPrologue) { |
| 646 | HasPrologue = true; |
| 647 | SupportsSelectionDAGSP &= |
| 648 | CreatePrologue(F, M, CheckLoc, TLI: &TLI, Libcalls, AI); |
| 649 | } |
| 650 | |
| 651 | // SelectionDAG based code generation. Nothing else needs to be done here. |
| 652 | // The epilogue instrumentation is postponed to SelectionDAG. |
| 653 | if (SupportsSelectionDAGSP) |
| 654 | break; |
| 655 | |
| 656 | // Find the stack guard slot if the prologue was not created by this pass |
| 657 | // itself via a previous call to CreatePrologue(). |
| 658 | if (!AI) { |
| 659 | const CallInst *SPCall = findStackProtectorIntrinsic(F&: *F); |
| 660 | assert(SPCall && "Call to llvm.stackprotector is missing"); |
| 661 | AI = cast<AllocaInst>(Val: SPCall->getArgOperand(i: 1)); |
| 662 | } |
| 663 | |
| 664 | // Set HasIRCheck to true, so that SelectionDAG will not generate its own |
| 665 | // version. SelectionDAG called 'shouldEmitSDCheck' to check whether |
| 666 | // instrumentation has already been generated. |
| 667 | HasIRCheck = true; |
| 668 | |
| 669 | // If we're instrumenting a block with a tail call, the check has to be |
| 670 | // inserted before the call rather than between it and the return. |
| 671 | Instruction *Prev = CheckLoc->getPrevNode(); |
| 672 | if (auto *CI = dyn_cast_if_present<CallInst>(Val: Prev)) |
| 673 | if (CI->isTailCall() && isInTailCallPosition(Call: *CI, TM: TLI.getTargetMachine())) |
| 674 | CheckLoc = Prev; |
| 675 | |
| 676 | // Generate epilogue instrumentation. The epilogue intrumentation can be |
| 677 | // function-based or inlined depending on which mechanism the target is |
| 678 | // providing. |
| 679 | if (Function *GuardCheck = TLI.getSSPStackGuardCheck(M: *M, Libcalls)) { |
| 680 | // Generate the function-based epilogue instrumentation. |
| 681 | // The target provides a guard check function, generate a call to it. |
| 682 | IRBuilder<> B(CheckLoc); |
| 683 | LoadInst *Guard = B.CreateLoad(Ty: B.getPtrTy(), Ptr: AI, isVolatile: true, Name: "Guard"); |
| 684 | CallInst *Call = B.CreateCall(Callee: GuardCheck, Args: {Guard}); |
| 685 | Call->setAttributes(GuardCheck->getAttributes()); |
| 686 | Call->setCallingConv(GuardCheck->getCallingConv()); |
| 687 | } else { |
| 688 | // Generate the epilogue with inline instrumentation. |
| 689 | // If we do not support SelectionDAG based calls, generate IR level |
| 690 | // calls. |
| 691 | // |
| 692 | // For each block with a return instruction, convert this: |
| 693 | // |
| 694 | // return: |
| 695 | // ... |
| 696 | // ret ... |
| 697 | // |
| 698 | // into this: |
| 699 | // |
| 700 | // return: |
| 701 | // ... |
| 702 | // %1 = <stack guard> |
| 703 | // %2 = load StackGuardSlot |
| 704 | // %3 = icmp ne i1 %1, %2 |
| 705 | // br i1 %3, label %CallStackCheckFailBlk, label %SP_return |
| 706 | // |
| 707 | // SP_return: |
| 708 | // ret ... |
| 709 | // |
| 710 | // CallStackCheckFailBlk: |
| 711 | // call void @__stack_chk_fail() |
| 712 | // unreachable |
| 713 | |
| 714 | // Create the FailBB. We duplicate the BB every time since the MI tail |
| 715 | // merge pass will merge together all of the various BB into one including |
| 716 | // fail BB generated by the stack protector pseudo instruction. |
| 717 | if (!FailBB) |
| 718 | FailBB = CreateFailBB(F, Libcalls); |
| 719 | |
| 720 | IRBuilder<> B(CheckLoc); |
| 721 | Value *Guard = getStackGuard(TLI, Libcalls, M, B); |
| 722 | LoadInst *LI2 = B.CreateLoad(Ty: B.getPtrTy(), Ptr: AI, isVolatile: true); |
| 723 | auto *Cmp = cast<ICmpInst>(Val: B.CreateICmpNE(LHS: Guard, RHS: LI2)); |
| 724 | auto SuccessProb = |
| 725 | BranchProbabilityInfo::getBranchProbStackProtector(IsLikely: true); |
| 726 | auto FailureProb = |
| 727 | BranchProbabilityInfo::getBranchProbStackProtector(IsLikely: false); |
| 728 | MDNode *Weights = MDBuilder(F->getContext()) |
| 729 | .createBranchWeights(TrueWeight: FailureProb.getNumerator(), |
| 730 | FalseWeight: SuccessProb.getNumerator()); |
| 731 | |
| 732 | SplitBlockAndInsertIfThen(Cond: Cmp, SplitBefore: CheckLoc, |
| 733 | /*Unreachable=*/false, BranchWeights: Weights, DTU, |
| 734 | /*LI=*/nullptr, /*ThenBlock=*/FailBB); |
| 735 | |
| 736 | auto *BI = cast<BranchInst>(Val: Cmp->getParent()->getTerminator()); |
| 737 | BasicBlock *NewBB = BI->getSuccessor(i: 1); |
| 738 | NewBB->setName("SP_return"); |
| 739 | NewBB->moveAfter(MovePos: &BB); |
| 740 | |
| 741 | Cmp->setPredicate(Cmp->getInversePredicate()); |
| 742 | BI->swapSuccessors(); |
| 743 | } |
| 744 | } |
| 745 | |
| 746 | // Return if we didn't modify any basic blocks. i.e., there are no return |
| 747 | // statements in the function. |
| 748 | return HasPrologue; |
| 749 | } |
| 750 | |
| 751 | BasicBlock *CreateFailBB(Function *F, const LibcallLoweringInfo &Libcalls) { |
| 752 | auto *M = F->getParent(); |
| 753 | LLVMContext &Context = F->getContext(); |
| 754 | BasicBlock *FailBB = BasicBlock::Create(Context, Name: "CallStackCheckFailBlk", Parent: F); |
| 755 | IRBuilder<> B(FailBB); |
| 756 | if (F->getSubprogram()) |
| 757 | B.SetCurrentDebugLocation( |
| 758 | DILocation::get(Context, Line: 0, Column: 0, Scope: F->getSubprogram())); |
| 759 | FunctionCallee StackChkFail; |
| 760 | SmallVector<Value *, 1> Args; |
| 761 | |
| 762 | if (RTLIB::LibcallImpl ChkFailImpl = |
| 763 | Libcalls.getLibcallImpl(Call: RTLIB::STACKPROTECTOR_CHECK_FAIL)) { |
| 764 | StackChkFail = M->getOrInsertFunction( |
| 765 | Name: RTLIB::RuntimeLibcallsInfo::getLibcallImplName(CallImpl: ChkFailImpl), |
| 766 | RetTy: Type::getVoidTy(C&: Context)); |
| 767 | } else if (RTLIB::LibcallImpl SSHImpl = |
| 768 | Libcalls.getLibcallImpl(Call: RTLIB::STACK_SMASH_HANDLER)) { |
| 769 | StackChkFail = M->getOrInsertFunction( |
| 770 | Name: RTLIB::RuntimeLibcallsInfo::getLibcallImplName(CallImpl: SSHImpl), |
| 771 | RetTy: Type::getVoidTy(C&: Context), Args: PointerType::getUnqual(C&: Context)); |
| 772 | Args.push_back(Elt: B.CreateGlobalString(Str: F->getName(), Name: "SSH")); |
| 773 | } else { |
| 774 | Context.emitError(ErrorStr: "no libcall available for stack protector"); |
| 775 | } |
| 776 | |
| 777 | if (StackChkFail) { |
| 778 | CallInst *Call = B.CreateCall(Callee: StackChkFail, Args); |
| 779 | Call->addFnAttr(Kind: Attribute::NoReturn); |
| 780 | } |
| 781 | |
| 782 | B.CreateUnreachable(); |
| 783 | return FailBB; |
| 784 | } |
| 785 |
Generated on 2026-Feb-03 from project llvm_projects revision abdf66d60
Powered by 
Code Browser 2.1
Generator usage only permitted with license.