AddressSanitizer.cpp source code [llvm_projects/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp]

1	//===- AddressSanitizer.cpp - memory error detector -----------------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file is a part of AddressSanitizer, an address basic correctness
10	// checker.
11	// Details of the algorithm:
12	// https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm
13	//
14	// FIXME: This sanitizer does not yet handle scalable vectors
15	//
16	//===----------------------------------------------------------------------===//
17
18	#include "llvm/Transforms/Instrumentation/AddressSanitizer.h"
19	#include "llvm/ADT/ArrayRef.h"
20	#include "llvm/ADT/DenseMap.h"
21	#include "llvm/ADT/DepthFirstIterator.h"
22	#include "llvm/ADT/SmallPtrSet.h"
23	#include "llvm/ADT/SmallSet.h"
24	#include "llvm/ADT/SmallVector.h"
25	#include "llvm/ADT/Statistic.h"
26	#include "llvm/ADT/StringExtras.h"
27	#include "llvm/ADT/StringRef.h"
28	#include "llvm/ADT/Twine.h"
29	#include "llvm/Analysis/GlobalsModRef.h"
30	#include "llvm/Analysis/MemoryBuiltins.h"
31	#include "llvm/Analysis/StackSafetyAnalysis.h"
32	#include "llvm/Analysis/TargetLibraryInfo.h"
33	#include "llvm/Analysis/TargetTransformInfo.h"
34	#include "llvm/Analysis/ValueTracking.h"
35	#include "llvm/BinaryFormat/MachO.h"
36	#include "llvm/Demangle/Demangle.h"
37	#include "llvm/IR/Argument.h"
38	#include "llvm/IR/Attributes.h"
39	#include "llvm/IR/BasicBlock.h"
40	#include "llvm/IR/Comdat.h"
41	#include "llvm/IR/Constant.h"
42	#include "llvm/IR/Constants.h"
43	#include "llvm/IR/DIBuilder.h"
44	#include "llvm/IR/DataLayout.h"
45	#include "llvm/IR/DebugInfoMetadata.h"
46	#include "llvm/IR/DebugLoc.h"
47	#include "llvm/IR/DerivedTypes.h"
48	#include "llvm/IR/EHPersonalities.h"
49	#include "llvm/IR/Function.h"
50	#include "llvm/IR/GlobalAlias.h"
51	#include "llvm/IR/GlobalValue.h"
52	#include "llvm/IR/GlobalVariable.h"
53	#include "llvm/IR/IRBuilder.h"
54	#include "llvm/IR/InlineAsm.h"
55	#include "llvm/IR/InstVisitor.h"
56	#include "llvm/IR/InstrTypes.h"
57	#include "llvm/IR/Instruction.h"
58	#include "llvm/IR/Instructions.h"
59	#include "llvm/IR/IntrinsicInst.h"
60	#include "llvm/IR/Intrinsics.h"
61	#include "llvm/IR/LLVMContext.h"
62	#include "llvm/IR/MDBuilder.h"
63	#include "llvm/IR/Metadata.h"
64	#include "llvm/IR/Module.h"
65	#include "llvm/IR/Type.h"
66	#include "llvm/IR/Use.h"
67	#include "llvm/IR/Value.h"
68	#include "llvm/MC/MCSectionMachO.h"
69	#include "llvm/Support/Casting.h"
70	#include "llvm/Support/CommandLine.h"
71	#include "llvm/Support/Debug.h"
72	#include "llvm/Support/ErrorHandling.h"
73	#include "llvm/Support/MathExtras.h"
74	#include "llvm/Support/ModRef.h"
75	#include "llvm/Support/raw_ostream.h"
76	#include "llvm/TargetParser/Triple.h"
77	#include "llvm/Transforms/Instrumentation/AddressSanitizerCommon.h"
78	#include "llvm/Transforms/Instrumentation/AddressSanitizerOptions.h"
79	#include "llvm/Transforms/Utils/ASanStackFrameLayout.h"
80	#include "llvm/Transforms/Utils/BasicBlockUtils.h"
81	#include "llvm/Transforms/Utils/Instrumentation.h"
82	#include "llvm/Transforms/Utils/Local.h"
83	#include "llvm/Transforms/Utils/ModuleUtils.h"
84	#include "llvm/Transforms/Utils/PromoteMemToReg.h"
85	#include <algorithm>
86	#include <cassert>
87	#include <cstddef>
88	#include <cstdint>
89	#include <iomanip>
90	#include <limits>
91	#include <sstream>
92	#include <string>
93	#include <tuple>
94	#include <utility>
95
96	using namespace llvm;
97
98	#define DEBUG_TYPE "asan"
99
100	static const uint64_t kDefaultShadowScale = `3`;
101	static const uint64_t kDefaultShadowOffset32 = `1ULL` << `29`;
102	static const uint64_t kDefaultShadowOffset64 = `1ULL` << `44`;
103	static const uint64_t kDynamicShadowSentinel =
104	std::numeric_limits<uint64_t>::max();
105	static const uint64_t kSmallX86_64ShadowOffsetBase = `0x7FFFFFFF`; // < 2G.
106	static const uint64_t kSmallX86_64ShadowOffsetAlignMask = ~`0xFFFULL`;
107	static const uint64_t kLinuxKasan_ShadowOffset64 = `0xdffffc0000000000`;
108	static const uint64_t kPPC64_ShadowOffset64 = `1ULL` << `44`;
109	static const uint64_t kSystemZ_ShadowOffset64 = `1ULL` << `52`;
110	static const uint64_t kMIPS_ShadowOffsetN32 = `1ULL` << `29`;
111	static const uint64_t kMIPS32_ShadowOffset32 = `0x0aaa0000`;
112	static const uint64_t kMIPS64_ShadowOffset64 = `1ULL` << `37`;
113	static const uint64_t kAArch64_ShadowOffset64 = `1ULL` << `36`;
114	static const uint64_t kLoongArch64_ShadowOffset64 = `1ULL` << `46`;
115	static const uint64_t kRISCV64_ShadowOffset64 = kDynamicShadowSentinel;
116	static const uint64_t kFreeBSD_ShadowOffset32 = `1ULL` << `30`;
117	static const uint64_t kFreeBSD_ShadowOffset64 = `1ULL` << `46`;
118	static const uint64_t kFreeBSDAArch64_ShadowOffset64 = `1ULL` << `47`;
119	static const uint64_t kFreeBSDKasan_ShadowOffset64 = `0xdffff7c000000000`;
120	static const uint64_t kNetBSD_ShadowOffset32 = `1ULL` << `30`;
121	static const uint64_t kNetBSD_ShadowOffset64 = `1ULL` << `46`;
122	static const uint64_t kNetBSDKasan_ShadowOffset64 = `0xdfff900000000000`;
123	static const uint64_t kPS_ShadowOffset64 = `1ULL` << `40`;
124	static const uint64_t kWindowsShadowOffset32 = `3ULL` << `28`;
125	static const uint64_t kWebAssemblyShadowOffset = `0`;
126
127	// The shadow memory space is dynamically allocated.
128	static const uint64_t kWindowsShadowOffset64 = kDynamicShadowSentinel;
129
130	static const size_t kMinStackMallocSize = `1` << `6`; // 64B
131	static const size_t kMaxStackMallocSize = `1` << `16`; // 64K
132	static const uintptr_t kCurrentStackFrameMagic = `0x41B58AB3`;
133	static const uintptr_t kRetiredStackFrameMagic = `0x45E0360E`;
134
135	const char kAsanModuleCtorName[] = "asan.module_ctor";
136	const char kAsanModuleDtorName[] = "asan.module_dtor";
137	static const uint64_t kAsanCtorAndDtorPriority = `1`;
138	// On Emscripten, the system needs more than one priorities for constructors.
139	static const uint64_t kAsanEmscriptenCtorAndDtorPriority = `50`;
140	const char kAsanReportErrorTemplate[] = "__asan_report_";
141	const char kAsanRegisterGlobalsName[] = "__asan_register_globals";
142	const char kAsanUnregisterGlobalsName[] = "__asan_unregister_globals";
143	const char kAsanRegisterImageGlobalsName[] = "__asan_register_image_globals";
144	const char kAsanUnregisterImageGlobalsName[] =
145	"__asan_unregister_image_globals";
146	const char kAsanRegisterElfGlobalsName[] = "__asan_register_elf_globals";
147	const char kAsanUnregisterElfGlobalsName[] = "__asan_unregister_elf_globals";
148	const char kAsanPoisonGlobalsName[] = "__asan_before_dynamic_init";
149	const char kAsanUnpoisonGlobalsName[] = "__asan_after_dynamic_init";
150	const char kAsanInitName[] = "__asan_init";
151	const char kAsanVersionCheckNamePrefix[] = "__asan_version_mismatch_check_v";
152	const char kAsanPtrCmp[] = "__sanitizer_ptr_cmp";
153	const char kAsanPtrSub[] = "__sanitizer_ptr_sub";
154	const char kAsanHandleNoReturnName[] = "__asan_handle_no_return";
155	static const int kMaxAsanStackMallocSizeClass = `10`;
156	const char kAsanStackMallocNameTemplate[] = "__asan_stack_malloc_";
157	const char kAsanStackMallocAlwaysNameTemplate[] =
158	"__asan_stack_malloc_always_";
159	const char kAsanStackFreeNameTemplate[] = "__asan_stack_free_";
160	const char kAsanGenPrefix[] = "___asan_gen_";
161	const char kODRGenPrefix[] = "__odr_asan_gen_";
162	const char kSanCovGenPrefix[] = "__sancov_gen_";
163	const char kAsanSetShadowPrefix[] = "__asan_set_shadow_";
164	const char kAsanPoisonStackMemoryName[] = "__asan_poison_stack_memory";
165	const char kAsanUnpoisonStackMemoryName[] = "__asan_unpoison_stack_memory";
166
167	// ASan version script has __asan_ wildcard. Triple underscore prevents a*
168	// linker (gold) warning about attempting to export a local symbol.
169	const char kAsanGlobalsRegisteredFlagName[] = "___asan_globals_registered";
170
171	const char kAsanOptionDetectUseAfterReturn[] =
172	"__asan_option_detect_stack_use_after_return";
173
174	const char kAsanShadowMemoryDynamicAddress[] =
175	"__asan_shadow_memory_dynamic_address";
176
177	const char kAsanAllocaPoison[] = "__asan_alloca_poison";
178	const char kAsanAllocasUnpoison[] = "__asan_allocas_unpoison";
179
180	const char kAMDGPUAddressSharedName[] = "llvm.amdgcn.is.shared";
181	const char kAMDGPUAddressPrivateName[] = "llvm.amdgcn.is.private";
182	const char kAMDGPUBallotName[] = "llvm.amdgcn.ballot.i64";
183	const char kAMDGPUUnreachableName[] = "llvm.amdgcn.unreachable";
184
185	// Accesses sizes are powers of two: 1, 2, 4, 8, 16.
186	static const size_t kNumberOfAccessSizes = `5`;
187
188	static const uint64_t kAllocaRzSize = `32`;
189
190	// ASanAccessInfo implementation constants.
191	constexpr size_t kCompileKernelShift = `0`;
192	constexpr size_t kCompileKernelMask = `0x1`;
193	constexpr size_t kAccessSizeIndexShift = `1`;
194	constexpr size_t kAccessSizeIndexMask = `0xf`;
195	constexpr size_t kIsWriteShift = `5`;
196	constexpr size_t kIsWriteMask = `0x1`;
197
198	// Command-line flags.
199
200	static cl::opt<bool> ClEnableKasan(
201	"asan-kernel", cl::desc("Enable KernelAddressSanitizer instrumentation"),
202	cl::Hidden, cl::init(Val: false));
203
204	static cl::opt<bool> ClRecover(
205	"asan-recover",
206	cl::desc("Enable recovery mode (continue-after-error)."),
207	cl::Hidden, cl::init(Val: false));
208
209	static cl::opt<bool> ClInsertVersionCheck(
210	"asan-guard-against-version-mismatch",
211	cl::desc("Guard against compiler/runtime version mismatch."), cl::Hidden,
212	cl::init(Val: true));
213
214	// This flag may need to be replaced with -f[no-]asan-reads.
215	static cl::opt<bool> ClInstrumentReads("asan-instrument-reads",
216	cl::desc("instrument read instructions"),
217	cl::Hidden, cl::init(Val: true));
218
219	static cl::opt<bool> ClInstrumentWrites(
220	"asan-instrument-writes", cl::desc("instrument write instructions"),
221	cl::Hidden, cl::init(Val: true));
222
223	static cl::opt<bool>
224	ClUseStackSafety("asan-use-stack-safety", cl::Hidden, cl::init(Val: true),
225	cl::Hidden, cl::desc("Use Stack Safety analysis results"),
226	cl::Optional);
227
228	static cl::opt<bool> ClInstrumentAtomics(
229	"asan-instrument-atomics",
230	cl::desc("instrument atomic instructions (rmw, cmpxchg)"), cl::Hidden,
231	cl::init(Val: true));
232
233	static cl::opt<bool>
234	ClInstrumentByval("asan-instrument-byval",
235	cl::desc("instrument byval call arguments"), cl::Hidden,
236	cl::init(Val: true));
237
238	static cl::opt<bool> ClAlwaysSlowPath(
239	"asan-always-slow-path",
240	cl::desc("use instrumentation with slow path for all accesses"), cl::Hidden,
241	cl::init(Val: false));
242
243	static cl::opt<bool> ClForceDynamicShadow(
244	"asan-force-dynamic-shadow",
245	cl::desc("Load shadow address into a local variable for each function"),
246	cl::Hidden, cl::init(Val: false));
247
248	static cl::opt<bool>
249	ClWithIfunc("asan-with-ifunc",
250	cl::desc("Access dynamic shadow through an ifunc global on "
251	"platforms that support this"),
252	cl::Hidden, cl::init(Val: true));
253
254	static cl::opt<int>
255	ClShadowAddrSpace("asan-shadow-addr-space",
256	cl::desc("Address space for pointers to the shadow map"),
257	cl::Hidden, cl::init(Val: `0`));
258
259	static cl::opt<bool> ClWithIfuncSuppressRemat(
260	"asan-with-ifunc-suppress-remat",
261	cl::desc("Suppress rematerialization of dynamic shadow address by passing "
262	"it through inline asm in prologue."),
263	cl::Hidden, cl::init(Val: true));
264
265	// This flag limits the number of instructions to be instrumented
266	// in any given BB. Normally, this should be set to unlimited (INT_MAX),
267	// but due to http://llvm.org/bugs/show_bug.cgi?id=12652 we temporary
268	// set it to 10000.
269	static cl::opt<int> ClMaxInsnsToInstrumentPerBB(
270	"asan-max-ins-per-bb", cl::init(Val: `10000`),
271	cl::desc("maximal number of instructions to instrument in any given BB"),
272	cl::Hidden);
273
274	// This flag may need to be replaced with -f[no]asan-stack.
275	static cl::opt<bool> ClStack("asan-stack", cl::desc("Handle stack memory"),
276	cl::Hidden, cl::init(Val: true));
277	static cl::opt<uint32_t> ClMaxInlinePoisoningSize(
278	"asan-max-inline-poisoning-size",
279	cl::desc(
280	"Inline shadow poisoning for blocks up to the given size in bytes."),
281	cl::Hidden, cl::init(Val: `64`));
282
283	static cl::opt<AsanDetectStackUseAfterReturnMode> ClUseAfterReturn(
284	"asan-use-after-return",
285	cl::desc("Sets the mode of detection for stack-use-after-return."),
286	cl::values(
287	clEnumValN(AsanDetectStackUseAfterReturnMode::Never, "never",
288	"Never detect stack use after return."),
289	clEnumValN(
290	AsanDetectStackUseAfterReturnMode::Runtime, "runtime",
291	"Detect stack use after return if "
292	"binary flag 'ASAN_OPTIONS=detect_stack_use_after_return' is set."),
293	clEnumValN(AsanDetectStackUseAfterReturnMode::Always, "always",
294	"Always detect stack use after return.")),
295	cl::Hidden, cl::init(Val: AsanDetectStackUseAfterReturnMode::Runtime));
296
297	static cl::opt<bool> ClRedzoneByvalArgs("asan-redzone-byval-args",
298	cl::desc("Create redzones for byval "
299	"arguments (extra copy "
300	"required)"), cl::Hidden,
301	cl::init(Val: true));
302
303	static cl::opt<bool> ClUseAfterScope("asan-use-after-scope",
304	cl::desc("Check stack-use-after-scope"),
305	cl::Hidden, cl::init(Val: false));
306
307	// This flag may need to be replaced with -f[no]asan-globals.
308	static cl::opt<bool> ClGlobals("asan-globals",
309	cl::desc("Handle global objects"), cl::Hidden,
310	cl::init(Val: true));
311
312	static cl::opt<bool> ClInitializers("asan-initialization-order",
313	cl::desc("Handle C++ initializer order"),
314	cl::Hidden, cl::init(Val: true));
315
316	static cl::opt<bool> ClInvalidPointerPairs(
317	"asan-detect-invalid-pointer-pair",
318	cl::desc("Instrument <, <=, >, >=, - with pointer operands"), cl::Hidden,
319	cl::init(Val: false));
320
321	static cl::opt<bool> ClInvalidPointerCmp(
322	"asan-detect-invalid-pointer-cmp",
323	cl::desc("Instrument <, <=, >, >= with pointer operands"), cl::Hidden,
324	cl::init(Val: false));
325
326	static cl::opt<bool> ClInvalidPointerSub(
327	"asan-detect-invalid-pointer-sub",
328	cl::desc("Instrument - operations with pointer operands"), cl::Hidden,
329	cl::init(Val: false));
330
331	static cl::opt<unsigned> ClRealignStack(
332	"asan-realign-stack",
333	cl::desc("Realign stack to the value of this flag (power of two)"),
334	cl::Hidden, cl::init(Val: `32`));
335
336	static cl::opt<int> ClInstrumentationWithCallsThreshold(
337	"asan-instrumentation-with-call-threshold",
338	cl::desc("If the function being instrumented contains more than "
339	"this number of memory accesses, use callbacks instead of "
340	"inline checks (-1 means never use callbacks)."),
341	cl::Hidden, cl::init(Val: `7000`));
342
343	static cl::opt<std::string> ClMemoryAccessCallbackPrefix(
344	"asan-memory-access-callback-prefix",
345	cl::desc("Prefix for memory access callbacks"), cl::Hidden,
346	cl::init(Val: "__asan_"));
347
348	static cl::opt<bool> ClKasanMemIntrinCallbackPrefix(
349	"asan-kernel-mem-intrinsic-prefix",
350	cl::desc("Use prefix for memory intrinsics in KASAN mode"), cl::Hidden,
351	cl::init(Val: false));
352
353	static cl::opt<bool>
354	ClInstrumentDynamicAllocas("asan-instrument-dynamic-allocas",
355	cl::desc("instrument dynamic allocas"),
356	cl::Hidden, cl::init(Val: true));
357
358	static cl::opt<bool> ClSkipPromotableAllocas(
359	"asan-skip-promotable-allocas",
360	cl::desc("Do not instrument promotable allocas"), cl::Hidden,
361	cl::init(Val: true));
362
363	static cl::opt<AsanCtorKind> ClConstructorKind(
364	"asan-constructor-kind",
365	cl::desc("Sets the ASan constructor kind"),
366	cl::values(clEnumValN(AsanCtorKind::None, "none", "No constructors"),
367	clEnumValN(AsanCtorKind::Global, "global",
368	"Use global constructors")),
369	cl::init(Val: AsanCtorKind::Global), cl::Hidden);
370	// These flags allow to change the shadow mapping.
371	// The shadow mapping looks like
372	// Shadow = (Mem >> scale) + offset
373
374	static cl::opt<int> ClMappingScale("asan-mapping-scale",
375	cl::desc("scale of asan shadow mapping"),
376	cl::Hidden, cl::init(Val: `0`));
377
378	static cl::opt<uint64_t>
379	ClMappingOffset("asan-mapping-offset",
380	cl::desc("offset of asan shadow mapping [EXPERIMENTAL]"),
381	cl::Hidden, cl::init(Val: `0`));
382
383	// Optimization flags. Not user visible, used mostly for testing
384	// and benchmarking the tool.
385
386	static cl::opt<bool> ClOpt("asan-opt", cl::desc("Optimize instrumentation"),
387	cl::Hidden, cl::init(Val: true));
388
389	static cl::opt<bool> ClOptimizeCallbacks("asan-optimize-callbacks",
390	cl::desc("Optimize callbacks"),
391	cl::Hidden, cl::init(Val: false));
392
393	static cl::opt<bool> ClOptSameTemp(
394	"asan-opt-same-temp", cl::desc("Instrument the same temp just once"),
395	cl::Hidden, cl::init(Val: true));
396
397	static cl::opt<bool> ClOptGlobals("asan-opt-globals",
398	cl::desc("Don't instrument scalar globals"),
399	cl::Hidden, cl::init(Val: true));
400
401	static cl::opt<bool> ClOptStack(
402	"asan-opt-stack", cl::desc("Don't instrument scalar stack variables"),
403	cl::Hidden, cl::init(Val: false));
404
405	static cl::opt<bool> ClDynamicAllocaStack(
406	"asan-stack-dynamic-alloca",
407	cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,
408	cl::init(Val: true));
409
410	static cl::opt<uint32_t> ClForceExperiment(
411	"asan-force-experiment",
412	cl::desc("Force optimization experiment (for testing)"), cl::Hidden,
413	cl::init(Val: `0`));
414
415	static cl::opt<bool>
416	ClUsePrivateAlias("asan-use-private-alias",
417	cl::desc("Use private aliases for global variables"),
418	cl::Hidden, cl::init(Val: true));
419
420	static cl::opt<bool>
421	ClUseOdrIndicator("asan-use-odr-indicator",
422	cl::desc("Use odr indicators to improve ODR reporting"),
423	cl::Hidden, cl::init(Val: true));
424
425	static cl::opt<bool>
426	ClUseGlobalsGC("asan-globals-live-support",
427	cl::desc("Use linker features to support dead "
428	"code stripping of globals"),
429	cl::Hidden, cl::init(Val: true));
430
431	// This is on by default even though there is a bug in gold:
432	// https://sourceware.org/bugzilla/show_bug.cgi?id=19002
433	static cl::opt<bool>
434	ClWithComdat("asan-with-comdat",
435	cl::desc("Place ASan constructors in comdat sections"),
436	cl::Hidden, cl::init(Val: true));
437
438	static cl::opt<AsanDtorKind> ClOverrideDestructorKind(
439	"asan-destructor-kind",
440	cl::desc("Sets the ASan destructor kind. The default is to use the value "
441	"provided to the pass constructor"),
442	cl::values(clEnumValN(AsanDtorKind::None, "none", "No destructors"),
443	clEnumValN(AsanDtorKind::Global, "global",
444	"Use global destructors")),
445	cl::init(Val: AsanDtorKind::Invalid), cl::Hidden);
446
447	static SmallSet<unsigned, `8`> SrcAddrSpaces;
448	static cl::list<unsigned> ClAddrSpaces(
449	"asan-instrument-address-spaces",
450	cl::desc("Only instrument variables in the specified address spaces."),
451	cl::Hidden, cl::CommaSeparated, cl::callback(CB: [](const unsigned &AddrSpace) {
452	SrcAddrSpaces.insert(V: AddrSpace);
453	}));
454
455	// Debug flags.
456
457	static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,
458	cl::init(Val: `0`));
459
460	static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),
461	cl::Hidden, cl::init(Val: `0`));
462
463	static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden,
464	cl::desc("Debug func"));
465
466	static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),
467	cl::Hidden, cl::init(Val: -`1`));
468
469	static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug max inst"),
470	cl::Hidden, cl::init(Val: -`1`));
471
472	STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
473	STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
474	STATISTIC(NumOptimizedAccessesToGlobalVar,
475	"Number of optimized accesses to global vars");
476	STATISTIC(NumOptimizedAccessesToStackVar,
477	"Number of optimized accesses to stack vars");
478
479	namespace {
480
481	/// This struct defines the shadow mapping using the rule:
482	/// shadow = (mem >> Scale) ADD-or-OR Offset.
483	/// If InGlobal is true, then
484	/// extern char __asan_shadow[];
485	/// shadow = (mem >> Scale) + &__asan_shadow
486	struct ShadowMapping {
487	int Scale;
488	uint64_t Offset;
489	bool OrShadowOffset;
490	bool InGlobal;
491	};
492
493	} // end anonymous namespace
494
495	static ShadowMapping getShadowMapping(const Triple &TargetTriple, int LongSize,
496	bool IsKasan) {
497	bool IsAndroid = TargetTriple.isAndroid();
498	bool IsIOS = TargetTriple.isiOS() \|\| TargetTriple.isWatchOS() \|\|
499	TargetTriple.isDriverKit();
500	bool IsMacOS = TargetTriple.isMacOSX();
501	bool IsFreeBSD = TargetTriple.isOSFreeBSD();
502	bool IsNetBSD = TargetTriple.isOSNetBSD();
503	bool IsPS = TargetTriple.isPS();
504	bool IsLinux = TargetTriple.isOSLinux();
505	bool IsPPC64 = TargetTriple.getArch() == Triple::ppc64 \|\|
506	TargetTriple.getArch() == Triple::ppc64le;
507	bool IsSystemZ = TargetTriple.getArch() == Triple::systemz;
508	bool IsX86_64 = TargetTriple.getArch() == Triple::x86_64;
509	bool IsMIPSN32ABI = TargetTriple.isABIN32();
510	bool IsMIPS32 = TargetTriple.isMIPS32();
511	bool IsMIPS64 = TargetTriple.isMIPS64();
512	bool IsArmOrThumb = TargetTriple.isARM() \|\| TargetTriple.isThumb();
513	bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64 \|\|
514	TargetTriple.getArch() == Triple::aarch64_be;
515	bool IsLoongArch64 = TargetTriple.isLoongArch64();
516	bool IsRISCV64 = TargetTriple.getArch() == Triple::riscv64;
517	bool IsWindows = TargetTriple.isOSWindows();
518	bool IsFuchsia = TargetTriple.isOSFuchsia();
519	bool IsAMDGPU = TargetTriple.isAMDGPU();
520	bool IsHaiku = TargetTriple.isOSHaiku();
521	bool IsWasm = TargetTriple.isWasm();
522	bool IsBPF = TargetTriple.isBPF();
523
524	ShadowMapping Mapping;
525
526	Mapping.Scale = kDefaultShadowScale;
527	if (ClMappingScale.getNumOccurrences() > `0`) {
528	Mapping.Scale = ClMappingScale;
529	}
530
531	if (LongSize == `32`) {
532	if (IsAndroid)
533	Mapping.Offset = kDynamicShadowSentinel;
534	else if (IsMIPSN32ABI)
535	Mapping.Offset = kMIPS_ShadowOffsetN32;
536	else if (IsMIPS32)
537	Mapping.Offset = kMIPS32_ShadowOffset32;
538	else if (IsFreeBSD)
539	Mapping.Offset = kFreeBSD_ShadowOffset32;
540	else if (IsNetBSD)
541	Mapping.Offset = kNetBSD_ShadowOffset32;
542	else if (IsIOS)
543	Mapping.Offset = kDynamicShadowSentinel;
544	else if (IsWindows)
545	Mapping.Offset = kWindowsShadowOffset32;
546	else if (IsWasm)
547	Mapping.Offset = kWebAssemblyShadowOffset;
548	else
549	Mapping.Offset = kDefaultShadowOffset32;
550	} else { // LongSize == 64
551	// Fuchsia is always PIE, which means that the beginning of the address
552	// space is always available.
553	if (IsFuchsia) {
554	// kDynamicShadowSentinel tells instrumentation to use the dynamic shadow.
555	Mapping.Offset = kDynamicShadowSentinel;
556	} else if (IsPPC64)
557	Mapping.Offset = kPPC64_ShadowOffset64;
558	else if (IsSystemZ)
559	Mapping.Offset = kSystemZ_ShadowOffset64;
560	else if (IsFreeBSD && IsAArch64)
561	Mapping.Offset = kFreeBSDAArch64_ShadowOffset64;
562	else if (IsFreeBSD && !IsMIPS64) {
563	if (IsKasan)
564	Mapping.Offset = kFreeBSDKasan_ShadowOffset64;
565	else
566	Mapping.Offset = kFreeBSD_ShadowOffset64;
567	} else if (IsNetBSD) {
568	if (IsKasan)
569	Mapping.Offset = kNetBSDKasan_ShadowOffset64;
570	else
571	Mapping.Offset = kNetBSD_ShadowOffset64;
572	} else if (IsPS)
573	Mapping.Offset = kPS_ShadowOffset64;
574	else if (IsLinux && IsX86_64) {
575	if (IsKasan)
576	Mapping.Offset = kLinuxKasan_ShadowOffset64;
577	else
578	Mapping.Offset = (kSmallX86_64ShadowOffsetBase &
579	(kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale));
580	} else if (IsWindows && (IsX86_64 \|\| IsAArch64)) {
581	Mapping.Offset = kWindowsShadowOffset64;
582	} else if (IsMIPS64)
583	Mapping.Offset = kMIPS64_ShadowOffset64;
584	else if (IsIOS)
585	Mapping.Offset = kDynamicShadowSentinel;
586	else if (IsMacOS && IsAArch64)
587	Mapping.Offset = kDynamicShadowSentinel;
588	else if (IsAArch64)
589	Mapping.Offset = kAArch64_ShadowOffset64;
590	else if (IsLoongArch64)
591	Mapping.Offset = kLoongArch64_ShadowOffset64;
592	else if (IsRISCV64)
593	Mapping.Offset = kRISCV64_ShadowOffset64;
594	else if (IsAMDGPU)
595	Mapping.Offset = (kSmallX86_64ShadowOffsetBase &
596	(kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale));
597	else if (IsHaiku && IsX86_64)
598	Mapping.Offset = (kSmallX86_64ShadowOffsetBase &
599	(kSmallX86_64ShadowOffsetAlignMask << Mapping.Scale));
600	else if (IsBPF)
601	Mapping.Offset = kDynamicShadowSentinel;
602	else if (IsWasm)
603	Mapping.Offset = kWebAssemblyShadowOffset;
604	else
605	Mapping.Offset = kDefaultShadowOffset64;
606	}
607
608	if (ClForceDynamicShadow) {
609	Mapping.Offset = kDynamicShadowSentinel;
610	}
611
612	if (ClMappingOffset.getNumOccurrences() > `0`) {
613	Mapping.Offset = ClMappingOffset;
614	}
615
616	// OR-ing shadow offset if more efficient (at least on x86) if the offset
617	// is a power of two, but on ppc64 and loongarch64 we have to use add since
618	// the shadow offset is not necessarily 1/8-th of the address space. On
619	// SystemZ, we could OR the constant in a single instruction, but it's more
620	// efficient to load it once and use indexed addressing.
621	Mapping.OrShadowOffset = !IsAArch64 && !IsPPC64 && !IsSystemZ && !IsPS &&
622	!IsRISCV64 && !IsLoongArch64 &&
623	!(Mapping.Offset & (Mapping.Offset - `1`)) &&
624	Mapping.Offset != kDynamicShadowSentinel;
625	Mapping.InGlobal = ClWithIfunc && IsAndroid && IsArmOrThumb;
626
627	return Mapping;
628	}
629
630	void llvm::getAddressSanitizerParams(const Triple &TargetTriple, int LongSize,
631	bool IsKasan, uint64_t *ShadowBase,
632	int MappingScale, bool* *OrShadowOffset) {
633	auto Mapping = getShadowMapping(TargetTriple, LongSize, IsKasan);
634	*ShadowBase = Mapping.Offset;
635	*MappingScale = Mapping.Scale;
636	*OrShadowOffset = Mapping.OrShadowOffset;
637	}
638
639	void llvm::removeASanIncompatibleFnAttributes(Function &F, bool ReadsArgMem) {
640	// Adding sanitizer checks invalidates previously inferred memory attributes.
641	//
642	// This is not only true for sanitized functions, because AttrInfer can
643	// infer those attributes on libc functions, which is not true if those
644	// are instrumented (Android) or intercepted.
645	//
646	// We might want to model ASan shadow memory more opaquely to get rid of
647	// this problem altogether, by hiding the shadow memory write in an
648	// intrinsic, essentially like in the AArch64StackTagging pass. But that's
649	// for another day.
650
651	bool Changed = false;
652	// We add memory(readwrite) to functions that don't already have that set and
653	// can access any non-inaccessible memory. Sanitizer instrumentation can
654	// read/write shadow memory, which is IRMemLocation::Other. Sanitizer
655	// instrumentation can instrument any memory accesses to non-inaccessible
656	// memory.
657	if (!F.getMemoryEffects()
658	.getWithoutLoc(Loc: IRMemLocation::InaccessibleMem)
659	.doesNotAccessMemory() &&
660	!isModAndRefSet(MRI: F.getMemoryEffects().getModRef(Loc: IRMemLocation::Other))) {
661	F.setMemoryEffects(F.getMemoryEffects() \|
662	MemoryEffects::otherMemOnly(MR: ModRefInfo::ModRef));
663	Changed = true;
664	}
665	// HWASan reads from argument memory even for previously write-only accesses.
666	if (ReadsArgMem) {
667	if (F.getMemoryEffects().getModRef(Loc: IRMemLocation::ArgMem) ==
668	ModRefInfo::Mod) {
669	F.setMemoryEffects(F.getMemoryEffects() \|
670	MemoryEffects::argMemOnly(MR: ModRefInfo::Ref));
671	Changed = true;
672	}
673	for (Argument &A : F.args()) {
674	if (A.hasAttribute(Kind: Attribute::WriteOnly)) {
675	A.removeAttr(Kind: Attribute::WriteOnly);
676	Changed = true;
677	}
678	}
679	}
680	if (Changed) {
681	// nobuiltin makes sure later passes don't restore assumptions about
682	// the function.
683	F.addFnAttr(Kind: Attribute::NoBuiltin);
684	}
685	}
686
687	ASanAccessInfo::ASanAccessInfo(int32_t Packed)
688	: Packed(Packed),
689	AccessSizeIndex((Packed >> kAccessSizeIndexShift) & kAccessSizeIndexMask),
690	IsWrite((Packed >> kIsWriteShift) & kIsWriteMask),
691	CompileKernel((Packed >> kCompileKernelShift) & kCompileKernelMask) {}
692
693	ASanAccessInfo::ASanAccessInfo(bool IsWrite, bool CompileKernel,
694	uint8_t AccessSizeIndex)
695	: Packed((IsWrite << kIsWriteShift) +
696	(CompileKernel << kCompileKernelShift) +
697	(AccessSizeIndex << kAccessSizeIndexShift)),
698	AccessSizeIndex(AccessSizeIndex), IsWrite(IsWrite),
699	CompileKernel(CompileKernel) {}
700
701	static uint64_t getRedzoneSizeForScale(int MappingScale) {
702	// Redzone used for stack and globals is at least 32 bytes.
703	// For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively.
704	return std::max(a: `32U`, b: `1U` << MappingScale);
705	}
706
707	static uint64_t GetCtorAndDtorPriority(Triple &TargetTriple) {
708	if (TargetTriple.isOSEmscripten())
709	return kAsanEmscriptenCtorAndDtorPriority;
710	else
711	return kAsanCtorAndDtorPriority;
712	}
713
714	static Twine genName(StringRef suffix) {
715	return Twine (kAsanGenPrefix) + suffix;
716	}
717
718	namespace {
719
720	class AsanFunctionInserter {
721	public:
722	AsanFunctionInserter(Module &M) : M(M) {}
723
724	template <typename... ArgTypes>
725	FunctionCallee insertFunction(StringRef Name, ArgTypes &&...Args) {
726	return M.getOrInsertFunction(Name, std::forward<ArgTypes>(Args)...);
727	}
728
729	private:
730	Module &M;
731	};
732
733	} // end anonymous namespace
734
735	namespace {
736	/// Helper RAII class to post-process inserted asan runtime calls during a
737	/// pass on a single Function. Upon end of scope, detects and applies the
738	/// required funclet OpBundle.
739	class RuntimeCallInserter {
740	Function OwnerFn = nullptr*;
741	bool TrackInsertedCalls = false;
742	SmallVector<CallInst *> InsertedCalls;
743
744	public:
745	RuntimeCallInserter(Function &Fn) : OwnerFn(&Fn) {
746	if (Fn.hasPersonalityFn()) {
747	auto Personality = classifyEHPersonality(Pers: Fn.getPersonalityFn());
748	if (isScopedEHPersonality(Pers: Personality))
749	TrackInsertedCalls = true;
750	}
751	}
752
753	~RuntimeCallInserter() {
754	if (InsertedCalls.empty())
755	return;
756	assert(TrackInsertedCalls && "Calls were wrongly tracked");
757
758	DenseMap<BasicBlock , ColorVector> BlockColors = colorEHFunclets(F&: OwnerFn);
759	for (CallInst *CI : InsertedCalls) {
760	BasicBlock *BB = CI->getParent();
761	assert(BB && "Instruction doesn't belong to a BasicBlock");
762	assert(BB->getParent() == OwnerFn &&
763	"Instruction doesn't belong to the expected Function!");
764
765	ColorVector &Colors = BlockColors [BB];
766	// funclet opbundles are only valid in monochromatic BBs.
767	// Note that unreachable BBs are seen as colorless by colorEHFunclets()
768	// and will be DCE'ed later.
769	if (Colors.empty())
770	continue;
771	if (Colors.size() != `1`) {
772	OwnerFn->getContext().emitError(
773	ErrorStr: "Instruction's BasicBlock is not monochromatic");
774	continue;
775	}
776
777	BasicBlock *Color = Colors.front();
778	BasicBlock::iterator EHPadIt = Color->getFirstNonPHIIt();
779
780	if (EHPadIt != Color->end() && EHPadIt ->isEHPad()) {
781	// Replace CI with a clone with an added funclet OperandBundle
782	OperandBundleDef OB("funclet", &*EHPadIt);
783	auto *NewCall = CallBase::addOperandBundle(CB: CI, ID: LLVMContext::OB_funclet,
784	OB, InsertPt: CI->getIterator());
785	NewCall->copyMetadata(SrcInst: *CI);
786	CI->replaceAllUsesWith(V: NewCall);
787	CI->eraseFromParent();
788	}
789	}
790	}
791
792	CallInst *createRuntimeCall(IRBuilder<> &IRB, FunctionCallee Callee,
793	ArrayRef<Value *> Args = {},
794	const Twine &Name = "") {
795	assert(IRB.GetInsertBlock()->getParent() == OwnerFn);
796
797	CallInst Inst = IRB.CreateCall(Callee, Args, Name, FPMathTag: nullptr*);
798	if (TrackInsertedCalls)
799	InsertedCalls.push_back(Elt: Inst);
800	return Inst;
801	}
802	};
803
804	/// AddressSanitizer: instrument the code in module to find memory bugs.
805	struct AddressSanitizer {
806	AddressSanitizer(Module &M, const StackSafetyGlobalInfo *SSGI,
807	int InstrumentationWithCallsThreshold,
808	uint32_t MaxInlinePoisoningSize, bool CompileKernel = false,
809	bool Recover = false, bool UseAfterScope = false,
810	AsanDetectStackUseAfterReturnMode UseAfterReturn =
811	AsanDetectStackUseAfterReturnMode::Runtime)
812	: M(M), Inserter (M),
813	CompileKernel(ClEnableKasan.getNumOccurrences() > `0` ? ClEnableKasan
814	: CompileKernel),
815	Recover(ClRecover.getNumOccurrences() > `0` ? ClRecover : Recover),
816	UseAfterScope(UseAfterScope \|\| ClUseAfterScope),
817	UseAfterReturn(ClUseAfterReturn.getNumOccurrences() ? ClUseAfterReturn
818	: UseAfterReturn),
819	SSGI(SSGI),
820	InstrumentationWithCallsThreshold(
821	ClInstrumentationWithCallsThreshold.getNumOccurrences() > `0`
822	? ClInstrumentationWithCallsThreshold
823	: InstrumentationWithCallsThreshold),
824	MaxInlinePoisoningSize(ClMaxInlinePoisoningSize.getNumOccurrences() > `0`
825	? ClMaxInlinePoisoningSize
826	: MaxInlinePoisoningSize) {
827	C = &(M.getContext());
828	DL = &M.getDataLayout();
829	LongSize = M.getDataLayout().getPointerSizeInBits();
830	IntptrTy = Type::getIntNTy(C&: *C, N: LongSize);
831	PtrTy = PointerType::getUnqual(C&: *C);
832	Int32Ty = Type::getInt32Ty(C&: *C);
833	TargetTriple = M.getTargetTriple();
834
835	Mapping = getShadowMapping(TargetTriple, LongSize, IsKasan: this->CompileKernel);
836
837	assert(this->UseAfterReturn != AsanDetectStackUseAfterReturnMode::Invalid);
838	}
839
840	TypeSize getAllocaSizeInBytes(const AllocaInst &AI) const {
841	return *AI.getAllocationSize(DL: AI.getDataLayout());
842	}
843
844	/// Check if we want (and can) handle this alloca.
845	bool isInterestingAlloca(const AllocaInst &AI);
846
847	bool ignoreAccess(Instruction Inst, Value Ptr);
848	void getInterestingMemoryOperands(
849	Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting,
850	const TargetTransformInfo *TTI);
851
852	void instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
853	InterestingMemoryOperand &O, bool UseCalls,
854	const DataLayout &DL, RuntimeCallInserter &RTCI);
855	void instrumentPointerComparisonOrSubtraction(Instruction *I,
856	RuntimeCallInserter &RTCI);
857	void instrumentAddress(Instruction OrigIns, Instruction InsertBefore,
858	Value *Addr, MaybeAlign Alignment,
859	uint32_t TypeStoreSize, bool IsWrite,
860	Value SizeArgument, bool* UseCalls, uint32_t Exp,
861	RuntimeCallInserter &RTCI);
862	Instruction instrumentAMDGPUAddress(Instruction OrigIns,
863	Instruction InsertBefore, Value Addr,
864	uint32_t TypeStoreSize, bool IsWrite,
865	Value *SizeArgument);
866	Instruction genAMDGPUReportBlock(IRBuilder<> &IRB, Value Cond,
867	bool Recover);
868	void instrumentUnusualSizeOrAlignment(Instruction *I,
869	Instruction InsertBefore, Value Addr,
870	TypeSize TypeStoreSize, bool IsWrite,
871	Value SizeArgument, bool* UseCalls,
872	uint32_t Exp,
873	RuntimeCallInserter &RTCI);
874	void instrumentMaskedLoadOrStore(AddressSanitizer Pass, const* DataLayout &DL,
875	Type IntptrTy, Value Mask, Value *EVL,
876	Value Stride, Instruction I, Value *Addr,
877	MaybeAlign Alignment, unsigned Granularity,
878	Type OpType, bool* IsWrite,
879	Value SizeArgument, bool* UseCalls,
880	uint32_t Exp, RuntimeCallInserter &RTCI);
881	Value createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,
882	Value *ShadowValue, uint32_t TypeStoreSize);
883	Instruction generateCrashCode(Instruction InsertBefore, Value *Addr,
884	bool IsWrite, size_t AccessSizeIndex,
885	Value *SizeArgument, uint32_t Exp,
886	RuntimeCallInserter &RTCI);
887	void instrumentMemIntrinsic(MemIntrinsic *MI, RuntimeCallInserter &RTCI);
888	Value memToShadow(Value Shadow, IRBuilder<> &IRB);
889	bool suppressInstrumentationSiteForDebug(int &Instrumented);
890	bool instrumentFunction(Function &F, const TargetLibraryInfo *TLI,
891	const TargetTransformInfo *TTI);
892	bool maybeInsertAsanInitAtFunctionEntry(Function &F);
893	bool maybeInsertDynamicShadowAtFunctionEntry(Function &F);
894	void markEscapedLocalAllocas(Function &F);
895	void markCatchParametersAsUninteresting(Function &F);
896
897	private:
898	friend struct FunctionStackPoisoner;
899
900	void initializeCallbacks(const TargetLibraryInfo *TLI);
901
902	bool LooksLikeCodeInBug11395(Instruction *I);
903	bool GlobalIsLinkerInitialized(GlobalVariable *G);
904	bool isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, Value *Addr,
905	TypeSize TypeStoreSize) const;
906
907	/// Helper to cleanup per-function state.
908	struct FunctionStateRAII {
909	AddressSanitizer *Pass;
910
911	FunctionStateRAII(AddressSanitizer *Pass) : Pass(Pass) {
912	assert(Pass->ProcessedAllocas.empty() &&
913	"last pass forgot to clear cache");
914	assert(!Pass->LocalDynamicShadow);
915	}
916
917	~FunctionStateRAII() {
918	Pass->LocalDynamicShadow = nullptr;
919	Pass->ProcessedAllocas.clear();
920	}
921	};
922
923	Module &M;
924	AsanFunctionInserter Inserter;
925	LLVMContext *C;
926	const DataLayout *DL;
927	Triple TargetTriple;
928	int LongSize;
929	bool CompileKernel;
930	bool Recover;
931	bool UseAfterScope;
932	AsanDetectStackUseAfterReturnMode UseAfterReturn;
933	Type *IntptrTy;
934	Type *Int32Ty;
935	PointerType *PtrTy;
936	ShadowMapping Mapping;
937	FunctionCallee AsanHandleNoReturnFunc;
938	FunctionCallee AsanPtrCmpFunction, AsanPtrSubFunction;
939	Constant *AsanShadowGlobal;
940
941	// These arrays is indexed by AccessIsWrite, Experiment and log2(AccessSize).
942	FunctionCallee AsanErrorCallback[`2`][`2`][kNumberOfAccessSizes];
943	FunctionCallee AsanMemoryAccessCallback[`2`][`2`][kNumberOfAccessSizes];
944
945	// These arrays is indexed by AccessIsWrite and Experiment.
946	FunctionCallee AsanErrorCallbackSized[`2`][`2`];
947	FunctionCallee AsanMemoryAccessCallbackSized[`2`][`2`];
948
949	FunctionCallee AsanMemmove, AsanMemcpy, AsanMemset;
950	Value LocalDynamicShadow = nullptr*;
951	const StackSafetyGlobalInfo *SSGI;
952	DenseMap<const AllocaInst , bool*> ProcessedAllocas;
953
954	FunctionCallee AMDGPUAddressShared;
955	FunctionCallee AMDGPUAddressPrivate;
956	int InstrumentationWithCallsThreshold;
957	uint32_t MaxInlinePoisoningSize;
958	};
959
960	class ModuleAddressSanitizer {
961	public:
962	ModuleAddressSanitizer(Module &M, bool InsertVersionCheck,
963	bool CompileKernel = false, bool Recover = false,
964	bool UseGlobalsGC = true, bool UseOdrIndicator = true,
965	AsanDtorKind DestructorKind = AsanDtorKind::Global,
966	AsanCtorKind ConstructorKind = AsanCtorKind::Global)
967	: M(M), Inserter (M),
968	CompileKernel(ClEnableKasan.getNumOccurrences() > `0` ? ClEnableKasan
969	: CompileKernel),
970	InsertVersionCheck(ClInsertVersionCheck.getNumOccurrences() > `0`
971	? ClInsertVersionCheck
972	: InsertVersionCheck),
973	Recover(ClRecover.getNumOccurrences() > `0` ? ClRecover : Recover),
974	UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC && !this->CompileKernel),
975	// Enable aliases as they should have no downside with ODR indicators.
976	UsePrivateAlias(ClUsePrivateAlias.getNumOccurrences() > `0`
977	? ClUsePrivateAlias
978	: UseOdrIndicator),
979	UseOdrIndicator(ClUseOdrIndicator.getNumOccurrences() > `0`
980	? ClUseOdrIndicator
981	: UseOdrIndicator),
982	// Not a typo: ClWithComdat is almost completely pointless without
983	// ClUseGlobalsGC (because then it only works on modules without
984	// globals, which are rare); it is a prerequisite for ClUseGlobalsGC;
985	// and both suffer from gold PR19002 for which UseGlobalsGC constructor
986	// argument is designed as workaround. Therefore, disable both
987	// ClWithComdat and ClUseGlobalsGC unless the frontend says it's ok to
988	// do globals-gc.
989	UseCtorComdat(UseGlobalsGC && ClWithComdat && !this->CompileKernel),
990	DestructorKind(DestructorKind),
991	ConstructorKind(ClConstructorKind.getNumOccurrences() > `0`
992	? ClConstructorKind
993	: ConstructorKind) {
994	C = &(M.getContext());
995	int LongSize = M.getDataLayout().getPointerSizeInBits();
996	IntptrTy = Type::getIntNTy(C&: *C, N: LongSize);
997	PtrTy = PointerType::getUnqual(C&: *C);
998	TargetTriple = M.getTargetTriple();
999	Mapping = getShadowMapping(TargetTriple, LongSize, IsKasan: this->CompileKernel);
1000
1001	if (ClOverrideDestructorKind != AsanDtorKind::Invalid)
1002	this->DestructorKind = ClOverrideDestructorKind;
1003	assert(this->DestructorKind != AsanDtorKind::Invalid);
1004	}
1005
1006	bool instrumentModule();
1007
1008	private:
1009	void initializeCallbacks();
1010
1011	void instrumentGlobals(IRBuilder<> &IRB, bool *CtorComdat);
1012	void InstrumentGlobalsCOFF(IRBuilder<> &IRB,
1013	ArrayRef<GlobalVariable *> ExtendedGlobals,
1014	ArrayRef<Constant *> MetadataInitializers);
1015	void instrumentGlobalsELF(IRBuilder<> &IRB,
1016	ArrayRef<GlobalVariable *> ExtendedGlobals,
1017	ArrayRef<Constant *> MetadataInitializers,
1018	const std::string &UniqueModuleId);
1019	void InstrumentGlobalsMachO(IRBuilder<> &IRB,
1020	ArrayRef<GlobalVariable *> ExtendedGlobals,
1021	ArrayRef<Constant *> MetadataInitializers);
1022	void
1023	InstrumentGlobalsWithMetadataArray(IRBuilder<> &IRB,
1024	ArrayRef<GlobalVariable *> ExtendedGlobals,
1025	ArrayRef<Constant *> MetadataInitializers);
1026
1027	GlobalVariable CreateMetadataGlobal(Constant Initializer,
1028	StringRef OriginalName);
1029	void SetComdatForGlobalMetadata(GlobalVariable G, GlobalVariable Metadata,
1030	StringRef InternalSuffix);
1031	Instruction *CreateAsanModuleDtor();
1032
1033	const GlobalVariable getExcludedAliasedGlobal(const* GlobalAlias &GA) const;
1034	bool shouldInstrumentGlobal(GlobalVariable G) const*;
1035	bool ShouldUseMachOGlobalsSection() const;
1036	StringRef getGlobalMetadataSection() const;
1037	void poisonOneInitializer(Function &GlobalInit);
1038	void createInitializerPoisonCalls();
1039	uint64_t getMinRedzoneSizeForGlobal() const {
1040	return getRedzoneSizeForScale(MappingScale: Mapping.Scale);
1041	}
1042	uint64_t getRedzoneSizeForGlobal(uint64_t SizeInBytes) const;
1043	int GetAsanVersion() const;
1044	GlobalVariable *getOrCreateModuleName();
1045
1046	Module &M;
1047	AsanFunctionInserter Inserter;
1048	bool CompileKernel;
1049	bool InsertVersionCheck;
1050	bool Recover;
1051	bool UseGlobalsGC;
1052	bool UsePrivateAlias;
1053	bool UseOdrIndicator;
1054	bool UseCtorComdat;
1055	AsanDtorKind DestructorKind;
1056	AsanCtorKind ConstructorKind;
1057	Type *IntptrTy;
1058	PointerType *PtrTy;
1059	LLVMContext *C;
1060	Triple TargetTriple;
1061	ShadowMapping Mapping;
1062	FunctionCallee AsanPoisonGlobals;
1063	FunctionCallee AsanUnpoisonGlobals;
1064	FunctionCallee AsanRegisterGlobals;
1065	FunctionCallee AsanUnregisterGlobals;
1066	FunctionCallee AsanRegisterImageGlobals;
1067	FunctionCallee AsanUnregisterImageGlobals;
1068	FunctionCallee AsanRegisterElfGlobals;
1069	FunctionCallee AsanUnregisterElfGlobals;
1070
1071	Function AsanCtorFunction = nullptr*;
1072	Function AsanDtorFunction = nullptr*;
1073	GlobalVariable ModuleName = nullptr*;
1074	};
1075
1076	// Stack poisoning does not play well with exception handling.
1077	// When an exception is thrown, we essentially bypass the code
1078	// that unpoisones the stack. This is why the run-time library has
1079	// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire
1080	// stack in the interceptor. This however does not work inside the
1081	// actual function which catches the exception. Most likely because the
1082	// compiler hoists the load of the shadow value somewhere too high.
1083	// This causes asan to report a non-existing bug on 453.povray.
1084	// It sounds like an LLVM bug.
1085	struct FunctionStackPoisoner : public InstVisitor<FunctionStackPoisoner> {
1086	Function &F;
1087	AddressSanitizer &ASan;
1088	RuntimeCallInserter &RTCI;
1089	DIBuilder DIB;
1090	LLVMContext *C;
1091	Type *IntptrTy;
1092	Type *IntptrPtrTy;
1093	ShadowMapping Mapping;
1094
1095	SmallVector<AllocaInst *, `16`> AllocaVec;
1096	SmallVector<AllocaInst *, `16`> StaticAllocasToMoveUp;
1097	SmallVector<Instruction *, `8`> RetVec;
1098
1099	FunctionCallee AsanStackMallocFunc[kMaxAsanStackMallocSizeClass + `1`],
1100	AsanStackFreeFunc[kMaxAsanStackMallocSizeClass + `1`];
1101	FunctionCallee AsanSetShadowFunc[`0x100`] = {};
1102	FunctionCallee AsanPoisonStackMemoryFunc, AsanUnpoisonStackMemoryFunc;
1103	FunctionCallee AsanAllocaPoisonFunc, AsanAllocasUnpoisonFunc;
1104
1105	// Stores a place and arguments of poisoning/unpoisoning call for alloca.
1106	struct AllocaPoisonCall {
1107	IntrinsicInst *InsBefore;
1108	AllocaInst *AI;
1109	uint64_t Size;
1110	bool DoPoison;
1111	};
1112	SmallVector<AllocaPoisonCall, `8`> DynamicAllocaPoisonCallVec;
1113	SmallVector<AllocaPoisonCall, `8`> StaticAllocaPoisonCallVec;
1114
1115	SmallVector<AllocaInst *, `1`> DynamicAllocaVec;
1116	SmallVector<IntrinsicInst *, `1`> StackRestoreVec;
1117	AllocaInst DynamicAllocaLayout = nullptr*;
1118	IntrinsicInst LocalEscapeCall = nullptr*;
1119
1120	bool HasInlineAsm = false;
1121	bool HasReturnsTwiceCall = false;
1122	bool PoisonStack;
1123
1124	FunctionStackPoisoner(Function &F, AddressSanitizer &ASan,
1125	RuntimeCallInserter &RTCI)
1126	: F(F), ASan(ASan), RTCI(RTCI),
1127	DIB (F.getParent(), /AllowUnresolved/* false), C(ASan.C),
1128	IntptrTy(ASan.IntptrTy),
1129	IntptrPtrTy(PointerType::get(C&: IntptrTy->getContext(), AddressSpace: `0`)),
1130	Mapping (ASan.Mapping),
1131	PoisonStack(ClStack && !F.getParent()->getTargetTriple().isAMDGPU()) {}
1132
1133	bool runOnFunction() {
1134	if (!PoisonStack)
1135	return false;
1136
1137	if (ClRedzoneByvalArgs)
1138	copyArgsPassedByValToAllocas();
1139
1140	// Collect alloca, ret, lifetime instructions etc.
1141	for (BasicBlock BB : depth_first(G: &F.getEntryBlock())) visit(BB&: BB);
1142
1143	if (AllocaVec.empty() && DynamicAllocaVec.empty()) return false;
1144
1145	initializeCallbacks(M&: *F.getParent());
1146
1147	processDynamicAllocas();
1148	processStaticAllocas();
1149
1150	if (ClDebugStack) {
1151	LLVM_DEBUG(dbgs() << F);
1152	}
1153	return true;
1154	}
1155
1156	// Arguments marked with the "byval" attribute are implicitly copied without
1157	// using an alloca instruction. To produce redzones for those arguments, we
1158	// copy them a second time into memory allocated with an alloca instruction.
1159	void copyArgsPassedByValToAllocas();
1160
1161	// Finds all Alloca instructions and puts
1162	// poisoned red zones around all of them.
1163	// Then unpoison everything back before the function returns.
1164	void processStaticAllocas();
1165	void processDynamicAllocas();
1166
1167	void createDynamicAllocasInitStorage();
1168
1169	// ----------------------- Visitors.
1170	/// Collect all Ret instructions, or the musttail call instruction if it
1171	/// precedes the return instruction.
1172	void visitReturnInst(ReturnInst &RI) {
1173	if (CallInst *CI = RI.getParent()->getTerminatingMustTailCall())
1174	RetVec.push_back(Elt: CI);
1175	else
1176	RetVec.push_back(Elt: &RI);
1177	}
1178
1179	/// Collect all Resume instructions.
1180	void visitResumeInst(ResumeInst &RI) { RetVec.push_back(Elt: &RI); }
1181
1182	/// Collect all CatchReturnInst instructions.
1183	void visitCleanupReturnInst(CleanupReturnInst &CRI) { RetVec.push_back(Elt: &CRI); }
1184
1185	void unpoisonDynamicAllocasBeforeInst(Instruction *InstBefore,
1186	Value *SavedStack) {
1187	IRBuilder<> IRB(InstBefore);
1188	Value *DynamicAreaPtr = IRB.CreatePtrToInt(V: SavedStack, DestTy: IntptrTy);
1189	// When we insert _asan_allocas_unpoison before @llvm.stackrestore, we
1190	// need to adjust extracted SP to compute the address of the most recent
1191	// alloca. We have a special @llvm.get.dynamic.area.offset intrinsic for
1192	// this purpose.
1193	if (!isa<ReturnInst>(Val: InstBefore)) {
1194	Value *DynamicAreaOffset = IRB.CreateIntrinsic(
1195	ID: Intrinsic::get_dynamic_area_offset, OverloadTypes: {IntptrTy}, Args: {});
1196
1197	DynamicAreaPtr = IRB.CreateAdd(LHS: IRB.CreatePtrToInt(V: SavedStack, DestTy: IntptrTy),
1198	RHS: DynamicAreaOffset);
1199	}
1200
1201	RTCI.createRuntimeCall(
1202	IRB, Callee: AsanAllocasUnpoisonFunc,
1203	Args: {IRB.CreateLoad(Ty: IntptrTy, Ptr: DynamicAllocaLayout), DynamicAreaPtr});
1204	}
1205
1206	// Unpoison dynamic allocas redzones.
1207	void unpoisonDynamicAllocas() {
1208	for (Instruction *Ret : RetVec)
1209	unpoisonDynamicAllocasBeforeInst(InstBefore: Ret, SavedStack: DynamicAllocaLayout);
1210
1211	for (Instruction *StackRestoreInst : StackRestoreVec)
1212	unpoisonDynamicAllocasBeforeInst(InstBefore: StackRestoreInst,
1213	SavedStack: StackRestoreInst->getOperand(i: `0`));
1214	}
1215
1216	// Deploy and poison redzones around dynamic alloca call. To do this, we
1217	// should replace this call with another one with changed parameters and
1218	// replace all its uses with new address, so
1219	// addr = alloca type, old_size, align
1220	// is replaced by
1221	// new_size = (old_size + additional_size) sizeof(type)*
1222	// tmp = alloca i8, new_size, max(align, 32)
1223	// addr = tmp + 32 (first 32 bytes are for the left redzone).
1224	// Additional_size is added to make new memory allocation contain not only
1225	// requested memory, but also left, partial and right redzones.
1226	void handleDynamicAllocaCall(AllocaInst *AI);
1227
1228	/// Collect Alloca instructions we want (and can) handle.
1229	void visitAllocaInst(AllocaInst &AI) {
1230	// FIXME: Handle scalable vectors instead of ignoring them.
1231	const Type *AllocaType = AI.getAllocatedType();
1232	const auto *STy = dyn_cast<StructType>(Val: AllocaType);
1233	if (!ASan.isInterestingAlloca(AI) \|\| isa<ScalableVectorType>(Val: AllocaType) \|\|
1234	(STy && STy->containsHomogeneousScalableVectorTypes())) {
1235	if (AI.isStaticAlloca()) {
1236	// Skip over allocas that are present before* the first instrumented*
1237	// alloca, we don't want to move those around.
1238	if (AllocaVec.empty())
1239	return;
1240
1241	StaticAllocasToMoveUp.push_back(Elt: &AI);
1242	}
1243	return;
1244	}
1245
1246	if (!AI.isStaticAlloca())
1247	DynamicAllocaVec.push_back(Elt: &AI);
1248	else
1249	AllocaVec.push_back(Elt: &AI);
1250	}
1251
1252	/// Collect lifetime intrinsic calls to check for use-after-scope
1253	/// errors.
1254	void visitIntrinsicInst(IntrinsicInst &II) {
1255	Intrinsic::ID ID = II.getIntrinsicID();
1256	if (ID == Intrinsic::stackrestore) StackRestoreVec.push_back(Elt: &II);
1257	if (ID == Intrinsic::localescape) LocalEscapeCall = &II;
1258	if (!ASan.UseAfterScope)
1259	return;
1260	if (!II.isLifetimeStartOrEnd())
1261	return;
1262	// Find alloca instruction that corresponds to llvm.lifetime argument.
1263	AllocaInst *AI = dyn_cast<AllocaInst>(Val: II.getArgOperand(i: `0`));
1264	// We're interested only in allocas we can handle.
1265	if (!AI \|\| !ASan.isInterestingAlloca(AI: *AI))
1266	return;
1267
1268	std::optional<TypeSize> Size = AI->getAllocationSize(DL: AI->getDataLayout());
1269	// Check that size is known and can be stored in IntptrTy.
1270	// TODO: Add support for scalable vectors if possible.
1271	if (!Size \|\| Size ->isScalable() \|\|
1272	!ConstantInt::isValueValidForType(Ty: IntptrTy, V: *Size))
1273	return;
1274
1275	bool DoPoison = (ID == Intrinsic::lifetime_end);
1276	AllocaPoisonCall APC = {.InsBefore: &II, .AI: AI, .Size: *Size, .DoPoison: DoPoison};
1277	if (AI->isStaticAlloca())
1278	StaticAllocaPoisonCallVec.push_back(Elt: APC);
1279	else if (ClInstrumentDynamicAllocas)
1280	DynamicAllocaPoisonCallVec.push_back(Elt: APC);
1281	}
1282
1283	void visitCallBase(CallBase &CB) {
1284	if (CallInst *CI = dyn_cast<CallInst>(Val: &CB)) {
1285	HasInlineAsm \|= CI->isInlineAsm() && &CB != ASan.LocalDynamicShadow;
1286	HasReturnsTwiceCall \|= CI->canReturnTwice();
1287	}
1288	}
1289
1290	// ---------------------- Helpers.
1291	void initializeCallbacks(Module &M);
1292
1293	// Copies bytes from ShadowBytes into shadow memory for indexes where
1294	// ShadowMask is not zero. If ShadowMask[i] is zero, we assume that
1295	// ShadowBytes[i] is constantly zero and doesn't need to be overwritten.
1296	void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
1297	IRBuilder<> &IRB, Value *ShadowBase);
1298	void copyToShadow(ArrayRef<uint8_t> ShadowMask, ArrayRef<uint8_t> ShadowBytes,
1299	size_t Begin, size_t End, IRBuilder<> &IRB,
1300	Value *ShadowBase);
1301	void copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
1302	ArrayRef<uint8_t> ShadowBytes, size_t Begin,
1303	size_t End, IRBuilder<> &IRB, Value *ShadowBase);
1304
1305	void poisonAlloca(Value V, uint64_t Size, IRBuilder<> &IRB, bool* DoPoison);
1306
1307	Value createAllocaForLayout(IRBuilder<> &IRB, const* ASanStackFrameLayout &L,
1308	bool Dynamic);
1309	PHINode createPHI(IRBuilder<> &IRB, Value Cond, Value *ValueIfTrue,
1310	Instruction ThenTerm, Value ValueIfFalse);
1311	};
1312
1313	} // end anonymous namespace
1314
1315	void AddressSanitizerPass::printPipeline(
1316	raw_ostream &OS, function_ref<StringRef(StringRef)> MapClassName2PassName) {
1317	static_cast<PassInfoMixin<AddressSanitizerPass> >(this*)->printPipeline(
1318	OS, MapClassName2PassName);
1319	OS << `'<'`;
1320	if (Options.CompileKernel)
1321	OS << "kernel;";
1322	if (Options.UseAfterScope)
1323	OS << "use-after-scope";
1324	OS << `'>'`;
1325	}
1326
1327	AddressSanitizerPass::AddressSanitizerPass(
1328	const AddressSanitizerOptions &Options, bool UseGlobalGC,
1329	bool UseOdrIndicator, AsanDtorKind DestructorKind,
1330	AsanCtorKind ConstructorKind)
1331	: Options (Options), UseGlobalGC(UseGlobalGC),
1332	UseOdrIndicator(UseOdrIndicator), DestructorKind(DestructorKind),
1333	ConstructorKind(ConstructorKind) {}
1334
1335	PreservedAnalyses AddressSanitizerPass::run(Module &M,
1336	ModuleAnalysisManager &MAM) {
1337	// Return early if nosanitize_address module flag is present for the module.
1338	// This implies that asan pass has already run before.
1339	if (checkIfAlreadyInstrumented(M, Flag: "nosanitize_address"))
1340	return PreservedAnalyses::all();
1341
1342	ModuleAddressSanitizer ModuleSanitizer(
1343	M, Options.InsertVersionCheck, Options.CompileKernel, Options.Recover,
1344	UseGlobalGC, UseOdrIndicator, DestructorKind, ConstructorKind);
1345	bool Modified = false;
1346	auto &FAM = MAM.getResult<FunctionAnalysisManagerModuleProxy>(IR&: M).getManager();
1347	const StackSafetyGlobalInfo *const SSGI =
1348	ClUseStackSafety ? &MAM.getResult<StackSafetyGlobalAnalysis>(IR&: M) : nullptr;
1349	for (Function &F : M) {
1350	if (F.empty())
1351	continue;
1352	if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage)
1353	continue;
1354	if (!ClDebugFunc.empty() && ClDebugFunc == F.getName())
1355	continue;
1356	if (F.getName().starts_with(Prefix: "__asan_"))
1357	continue;
1358	if (F.isPresplitCoroutine())
1359	continue;
1360	AddressSanitizer FunctionSanitizer(
1361	M, SSGI, Options.InstrumentationWithCallsThreshold,
1362	Options.MaxInlinePoisoningSize, Options.CompileKernel, Options.Recover,
1363	Options.UseAfterScope, Options.UseAfterReturn);
1364	const TargetLibraryInfo &TLI = FAM.getResult<TargetLibraryAnalysis>(IR&: F);
1365	const TargetTransformInfo &TTI = FAM.getResult<TargetIRAnalysis>(IR&: F);
1366	Modified \|= FunctionSanitizer.instrumentFunction(F, TLI: &TLI, TTI: &TTI);
1367	}
1368	Modified \|= ModuleSanitizer.instrumentModule();
1369	if (!Modified)
1370	return PreservedAnalyses::all();
1371
1372	PreservedAnalyses PA = PreservedAnalyses::none();
1373	// GlobalsAA is considered stateless and does not get invalidated unless
1374	// explicitly invalidated; PreservedAnalyses::none() is not enough. Sanitizers
1375	// make changes that require GlobalsAA to be invalidated.
1376	PA.abandon<GlobalsAA>();
1377	return PA;
1378	}
1379
1380	static size_t TypeStoreSizeToSizeIndex(uint32_t TypeSize) {
1381	size_t Res = llvm::countr_zero(Val: TypeSize / `8`);
1382	assert(Res < kNumberOfAccessSizes);
1383	return Res;
1384	}
1385
1386	/// Check if \p G has been created by a trusted compiler pass.
1387	static bool GlobalWasGeneratedByCompiler(GlobalVariable *G) {
1388	// Do not instrument @llvm.global_ctors, @llvm.used, etc.
1389	if (G->getName().starts_with(Prefix: "llvm.") \|\|
1390	// Do not instrument gcov counter arrays.
1391	G->getName().starts_with(Prefix: "__llvm_gcov_ctr") \|\|
1392	// Do not instrument rtti proxy symbols for function sanitizer.
1393	G->getName().starts_with(Prefix: "__llvm_rtti_proxy"))
1394	return true;
1395
1396	// Do not instrument asan globals.
1397	if (G->getName().starts_with(Prefix: kAsanGenPrefix) \|\|
1398	G->getName().starts_with(Prefix: kSanCovGenPrefix) \|\|
1399	G->getName().starts_with(Prefix: kODRGenPrefix))
1400	return true;
1401
1402	return false;
1403	}
1404
1405	static bool isUnsupportedAMDGPUAddrspace(Value *Addr) {
1406	Type *PtrTy = cast<PointerType>(Val: Addr->getType()->getScalarType());
1407	unsigned int AddrSpace = PtrTy->getPointerAddressSpace();
1408	// Globals in address space 1 and 4 are supported for AMDGPU.
1409	if (AddrSpace == `3` \|\| AddrSpace == `5`)
1410	return true;
1411	return false;
1412	}
1413
1414	static bool isSupportedAddrspace(const Triple &TargetTriple, Value *Addr) {
1415	Type *PtrTy = cast<PointerType>(Val: Addr->getType()->getScalarType());
1416	unsigned int AddrSpace = PtrTy->getPointerAddressSpace();
1417
1418	if (!SrcAddrSpaces.empty())
1419	return SrcAddrSpaces.count(V: AddrSpace);
1420
1421	if (TargetTriple.isAMDGPU())
1422	return !isUnsupportedAMDGPUAddrspace(Addr);
1423
1424	return AddrSpace == `0`;
1425	}
1426
1427	Value AddressSanitizer::memToShadow(Value Shadow, IRBuilder<> &IRB) {
1428	// Shadow >> scale
1429	Shadow = IRB.CreateLShr(LHS: Shadow, RHS: Mapping.Scale);
1430	if (Mapping.Offset == `0`) return Shadow;
1431	// (Shadow >> scale) \| offset
1432	Value *ShadowBase;
1433	if (LocalDynamicShadow)
1434	ShadowBase = LocalDynamicShadow;
1435	else
1436	ShadowBase = ConstantInt::get(Ty: IntptrTy, V: Mapping.Offset);
1437	if (Mapping.OrShadowOffset)
1438	return IRB.CreateOr(LHS: Shadow, RHS: ShadowBase);
1439	else
1440	return IRB.CreateAdd(LHS: Shadow, RHS: ShadowBase);
1441	}
1442
1443	// Instrument memset/memmove/memcpy
1444	void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI,
1445	RuntimeCallInserter &RTCI) {
1446	InstrumentationIRBuilder IRB(MI);
1447	if (isa<MemTransferInst>(Val: MI)) {
1448	RTCI.createRuntimeCall(
1449	IRB, Callee: isa<MemMoveInst>(Val: MI) ? AsanMemmove : AsanMemcpy,
1450	Args: {IRB.CreateAddrSpaceCast(V: MI->getOperand(i_nocapture: `0`), DestTy: PtrTy),
1451	IRB.CreateAddrSpaceCast(V: MI->getOperand(i_nocapture: `1`), DestTy: PtrTy),
1452	IRB.CreateIntCast(V: MI->getOperand(i_nocapture: `2`), DestTy: IntptrTy, isSigned: false)});
1453	} else if (isa<MemSetInst>(Val: MI)) {
1454	RTCI.createRuntimeCall(
1455	IRB, Callee: AsanMemset,
1456	Args: {IRB.CreateAddrSpaceCast(V: MI->getOperand(i_nocapture: `0`), DestTy: PtrTy),
1457	IRB.CreateIntCast(V: MI->getOperand(i_nocapture: `1`), DestTy: IRB.getInt32Ty(), isSigned: false),
1458	IRB.CreateIntCast(V: MI->getOperand(i_nocapture: `2`), DestTy: IntptrTy, isSigned: false)});
1459	}
1460	MI->eraseFromParent();
1461	}
1462
1463	/// Check if we want (and can) handle this alloca.
1464	bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
1465	auto [It, Inserted] = ProcessedAllocas.try_emplace(Key: &AI);
1466
1467	if (!Inserted)
1468	return It ->getSecond();
1469
1470	bool IsInteresting =
1471	(AI.getAllocatedType()->isSized() &&
1472	// alloca() may be called with 0 size, ignore it.
1473	((!AI.isStaticAlloca()) \|\| !getAllocaSizeInBytes(AI).isZero()) &&
1474	// We are only interested in allocas not promotable to registers.
1475	// Promotable allocas are common under -O0.
1476	(!ClSkipPromotableAllocas \|\| !isAllocaPromotable(AI: &AI)) &&
1477	// inalloca allocas are not treated as static, and we don't want
1478	// dynamic alloca instrumentation for them as well.
1479	!AI.isUsedWithInAlloca() &&
1480	// swifterror allocas are register promoted by ISel
1481	!AI.isSwiftError() &&
1482	// safe allocas are not interesting
1483	!(SSGI && SSGI->isSafe(AI)));
1484
1485	It ->second = IsInteresting;
1486	return IsInteresting;
1487	}
1488
1489	bool AddressSanitizer::ignoreAccess(Instruction Inst, Value Ptr) {
1490	// Check whether the target supports sanitizing the address space
1491	// of the pointer.
1492	if (!isSupportedAddrspace(TargetTriple, Addr: Ptr))
1493	return true;
1494
1495	// Ignore swifterror addresses.
1496	// swifterror memory addresses are mem2reg promoted by instruction
1497	// selection. As such they cannot have regular uses like an instrumentation
1498	// function and it makes no sense to track them as memory.
1499	if (Ptr->isSwiftError())
1500	return true;
1501
1502	// Treat memory accesses to promotable allocas as non-interesting since they
1503	// will not cause memory violations. This greatly speeds up the instrumented
1504	// executable at -O0.
1505	if (auto AI = dyn_cast_or_null<AllocaInst>(Val: Ptr))
1506	if (ClSkipPromotableAllocas && !isInterestingAlloca(AI: *AI))
1507	return true;
1508
1509	if (SSGI != nullptr && SSGI->stackAccessIsSafe(I: *Inst) &&
1510	findAllocaForValue(V: Ptr))
1511	return true;
1512
1513	return false;
1514	}
1515
1516	void AddressSanitizer::getInterestingMemoryOperands(
1517	Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting,
1518	const TargetTransformInfo *TTI) {
1519	// Do not instrument the load fetching the dynamic shadow address.
1520	if (LocalDynamicShadow == I)
1521	return;
1522
1523	if (LoadInst *LI = dyn_cast<LoadInst>(Val: I)) {
1524	if (!ClInstrumentReads \|\| ignoreAccess(Inst: I, Ptr: LI->getPointerOperand()))
1525	return;
1526	Interesting.emplace_back(Args&: I, Args: LI->getPointerOperandIndex(), Args: false,
1527	Args: LI->getType(), Args: LI->getAlign());
1528	} else if (StoreInst *SI = dyn_cast<StoreInst>(Val: I)) {
1529	if (!ClInstrumentWrites \|\| ignoreAccess(Inst: I, Ptr: SI->getPointerOperand()))
1530	return;
1531	Interesting.emplace_back(Args&: I, Args: SI->getPointerOperandIndex(), Args: true,
1532	Args: SI->getValueOperand()->getType(), Args: SI->getAlign());
1533	} else if (AtomicRMWInst *RMW = dyn_cast<AtomicRMWInst>(Val: I)) {
1534	if (!ClInstrumentAtomics \|\| ignoreAccess(Inst: I, Ptr: RMW->getPointerOperand()))
1535	return;
1536	Interesting.emplace_back(Args&: I, Args: RMW->getPointerOperandIndex(), Args: true,
1537	Args: RMW->getValOperand()->getType(), Args: std::nullopt);
1538	} else if (AtomicCmpXchgInst *XCHG = dyn_cast<AtomicCmpXchgInst>(Val: I)) {
1539	if (!ClInstrumentAtomics \|\| ignoreAccess(Inst: I, Ptr: XCHG->getPointerOperand()))
1540	return;
1541	Interesting.emplace_back(Args&: I, Args: XCHG->getPointerOperandIndex(), Args: true,
1542	Args: XCHG->getCompareOperand()->getType(),
1543	Args: std::nullopt);
1544	} else if (auto CI = dyn_cast<CallInst>(Val: I)) {
1545	switch (CI->getIntrinsicID()) {
1546	case Intrinsic::masked_load:
1547	case Intrinsic::masked_store:
1548	case Intrinsic::masked_gather:
1549	case Intrinsic::masked_scatter: {
1550	bool IsWrite = CI->getType()->isVoidTy();
1551	// Masked store has an initial operand for the value.
1552	unsigned OpOffset = IsWrite ? `1` : `0`;
1553	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1554	return;
1555
1556	auto BasePtr = CI->getOperand(i_nocapture: OpOffset);
1557	if (ignoreAccess(Inst: I, Ptr: BasePtr))
1558	return;
1559	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1560	MaybeAlign Alignment = CI->getParamAlign(ArgNo: `0`);
1561	Value *Mask = CI->getOperand(i_nocapture: `1` + OpOffset);
1562	Interesting.emplace_back(Args&: I, Args&: OpOffset, Args&: IsWrite, Args&: Ty, Args&: Alignment, Args&: Mask);
1563	break;
1564	}
1565	case Intrinsic::masked_expandload:
1566	case Intrinsic::masked_compressstore: {
1567	bool IsWrite = CI->getIntrinsicID() == Intrinsic::masked_compressstore;
1568	unsigned OpOffset = IsWrite ? `1` : `0`;
1569	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1570	return;
1571	auto BasePtr = CI->getOperand(i_nocapture: OpOffset);
1572	if (ignoreAccess(Inst: I, Ptr: BasePtr))
1573	return;
1574	MaybeAlign Alignment = BasePtr->getPointerAlignment(DL: *DL);
1575	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1576
1577	IRBuilder IB(I);
1578	Value *Mask = CI->getOperand(i_nocapture: `1` + OpOffset);
1579	// Use the popcount of Mask as the effective vector length.
1580	Type *ExtTy = VectorType::get(ElementType: IntptrTy, Other: cast<VectorType>(Val: Ty));
1581	Value *ExtMask = IB.CreateZExt(V: Mask, DestTy: ExtTy);
1582	Value *EVL = IB.CreateAddReduce(Src: ExtMask);
1583	Value *TrueMask = ConstantInt::get(Ty: Mask->getType(), V: `1`);
1584	Interesting.emplace_back(Args&: I, Args&: OpOffset, Args&: IsWrite, Args&: Ty, Args&: Alignment, Args&: TrueMask,
1585	Args&: EVL);
1586	break;
1587	}
1588	case Intrinsic::vp_load:
1589	case Intrinsic::vp_store:
1590	case Intrinsic::experimental_vp_strided_load:
1591	case Intrinsic::experimental_vp_strided_store: {
1592	auto *VPI = cast<VPIntrinsic>(Val: CI);
1593	unsigned IID = CI->getIntrinsicID();
1594	bool IsWrite = CI->getType()->isVoidTy();
1595	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1596	return;
1597	unsigned PtrOpNo = *VPI->getMemoryPointerParamPos(IID);
1598	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1599	MaybeAlign Alignment = VPI->getOperand(i_nocapture: PtrOpNo)->getPointerAlignment(DL: *DL);
1600	Value Stride = nullptr*;
1601	if (IID == Intrinsic::experimental_vp_strided_store \|\|
1602	IID == Intrinsic::experimental_vp_strided_load) {
1603	Stride = VPI->getOperand(i_nocapture: PtrOpNo + `1`);
1604	// Use the pointer alignment as the element alignment if the stride is a
1605	// multiple of the pointer alignment. Otherwise, the element alignment
1606	// should be Align(1).
1607	unsigned PointerAlign = Alignment.valueOrOne().value();
1608	if (!isa<ConstantInt>(Val: Stride) \|\|
1609	cast<ConstantInt>(Val: Stride)->getZExtValue() % PointerAlign != `0`)
1610	Alignment = Align (`1`);
1611	}
1612	Interesting.emplace_back(Args&: I, Args&: PtrOpNo, Args&: IsWrite, Args&: Ty, Args&: Alignment,
1613	Args: VPI->getMaskParam(), Args: VPI->getVectorLengthParam(),
1614	Args&: Stride);
1615	break;
1616	}
1617	case Intrinsic::vp_gather:
1618	case Intrinsic::vp_scatter: {
1619	auto *VPI = cast<VPIntrinsic>(Val: CI);
1620	unsigned IID = CI->getIntrinsicID();
1621	bool IsWrite = IID == Intrinsic::vp_scatter;
1622	if (IsWrite ? !ClInstrumentWrites : !ClInstrumentReads)
1623	return;
1624	unsigned PtrOpNo = *VPI->getMemoryPointerParamPos(IID);
1625	Type *Ty = IsWrite ? CI->getArgOperand(i: `0`)->getType() : CI->getType();
1626	MaybeAlign Alignment = VPI->getPointerAlignment();
1627	Interesting.emplace_back(Args&: I, Args&: PtrOpNo, Args&: IsWrite, Args&: Ty, Args&: Alignment,
1628	Args: VPI->getMaskParam(),
1629	Args: VPI->getVectorLengthParam());
1630	break;
1631	}
1632	default:
1633	if (auto *II = dyn_cast<IntrinsicInst>(Val: I)) {
1634	MemIntrinsicInfo IntrInfo;
1635	if (TTI->getTgtMemIntrinsic(Inst: II, Info&: IntrInfo))
1636	Interesting = IntrInfo.InterestingOperands;
1637	return;
1638	}
1639	for (unsigned ArgNo = `0`; ArgNo < CI->arg_size(); ArgNo++) {
1640	if (!ClInstrumentByval \|\| !CI->isByValArgument(ArgNo) \|\|
1641	ignoreAccess(Inst: I, Ptr: CI->getArgOperand(i: ArgNo)))
1642	continue;
1643	Type *Ty = CI->getParamByValType(ArgNo);
1644	Interesting.emplace_back(Args&: I, Args&: ArgNo, Args: false, Args&: Ty, Args: Align (`1`));
1645	}
1646	}
1647	}
1648	}
1649
1650	static bool isPointerOperand(Value *V) {
1651	return V->getType()->isPointerTy() \|\| isa<PtrToIntInst>(Val: V);
1652	}
1653
1654	// This is a rough heuristic; it may cause both false positives and
1655	// false negatives. The proper implementation requires cooperation with
1656	// the frontend.
1657	static bool isInterestingPointerComparison(Instruction *I) {
1658	if (ICmpInst *Cmp = dyn_cast<ICmpInst>(Val: I)) {
1659	if (!Cmp->isRelational())
1660	return false;
1661	} else {
1662	return false;
1663	}
1664	return isPointerOperand(V: I->getOperand(i: `0`)) &&
1665	isPointerOperand(V: I->getOperand(i: `1`));
1666	}
1667
1668	// This is a rough heuristic; it may cause both false positives and
1669	// false negatives. The proper implementation requires cooperation with
1670	// the frontend.
1671	static bool isInterestingPointerSubtraction(Instruction *I) {
1672	if (BinaryOperator *BO = dyn_cast<BinaryOperator>(Val: I)) {
1673	if (BO->getOpcode() != Instruction::Sub)
1674	return false;
1675	} else {
1676	return false;
1677	}
1678	return isPointerOperand(V: I->getOperand(i: `0`)) &&
1679	isPointerOperand(V: I->getOperand(i: `1`));
1680	}
1681
1682	bool AddressSanitizer::GlobalIsLinkerInitialized(GlobalVariable *G) {
1683	// If a global variable does not have dynamic initialization we don't
1684	// have to instrument it. However, if a global does not have initializer
1685	// at all, we assume it has dynamic initializer (in other TU).
1686	if (!G->hasInitializer())
1687	return false;
1688
1689	if (G->hasSanitizerMetadata() && G->getSanitizerMetadata().IsDynInit)
1690	return false;
1691
1692	return true;
1693	}
1694
1695	void AddressSanitizer::instrumentPointerComparisonOrSubtraction(
1696	Instruction *I, RuntimeCallInserter &RTCI) {
1697	IRBuilder<> IRB(I);
1698	FunctionCallee F = isa<ICmpInst>(Val: I) ? AsanPtrCmpFunction : AsanPtrSubFunction;
1699	Value *Param[`2`] = {I->getOperand(i: `0`), I->getOperand(i: `1`)};
1700	for (Value *&i : Param) {
1701	if (i->getType()->isPointerTy())
1702	i = IRB.CreatePointerCast(V: i, DestTy: IntptrTy);
1703	}
1704	RTCI.createRuntimeCall(IRB, Callee: F, Args: Param);
1705	}
1706
1707	static void doInstrumentAddress(AddressSanitizer Pass, Instruction I,
1708	Instruction InsertBefore, Value Addr,
1709	MaybeAlign Alignment, unsigned Granularity,
1710	TypeSize TypeStoreSize, bool IsWrite,
1711	Value SizeArgument, bool* UseCalls,
1712	uint32_t Exp, RuntimeCallInserter &RTCI) {
1713	// Instrument a 1-, 2-, 4-, 8-, or 16- byte access with one check
1714	// if the data is properly aligned.
1715	if (!TypeStoreSize.isScalable()) {
1716	const auto FixedSize = TypeStoreSize.getFixedValue();
1717	switch (FixedSize) {
1718	case `8`:
1719	case `16`:
1720	case `32`:
1721	case `64`:
1722	case `128`:
1723	if (!Alignment \|\| *Alignment >= Granularity \|\|
1724	*Alignment >= FixedSize / `8`)
1725	return Pass->instrumentAddress(OrigIns: I, InsertBefore, Addr, Alignment,
1726	TypeStoreSize: FixedSize, IsWrite, SizeArgument: nullptr, UseCalls,
1727	Exp, RTCI);
1728	}
1729	}
1730	Pass->instrumentUnusualSizeOrAlignment(I, InsertBefore, Addr, TypeStoreSize,
1731	IsWrite, SizeArgument: nullptr, UseCalls, Exp, RTCI);
1732	}
1733
1734	void AddressSanitizer::instrumentMaskedLoadOrStore(
1735	AddressSanitizer Pass, const* DataLayout &DL, Type IntptrTy, Value Mask,
1736	Value EVL, Value Stride, Instruction I, Value Addr,
1737	MaybeAlign Alignment, unsigned Granularity, Type OpType, bool* IsWrite,
1738	Value SizeArgument, bool* UseCalls, uint32_t Exp,
1739	RuntimeCallInserter &RTCI) {
1740	auto *VTy = cast<VectorType>(Val: OpType);
1741	TypeSize ElemTypeSize = DL.getTypeStoreSizeInBits(Ty: VTy->getScalarType());
1742	auto Zero = ConstantInt::get(Ty: IntptrTy, V: `0`);
1743
1744	IRBuilder IB(I);
1745	Instruction *LoopInsertBefore = I;
1746	if (EVL) {
1747	// The end argument of SplitBlockAndInsertForLane is assumed bigger
1748	// than zero, so we should check whether EVL is zero here.
1749	Type *EVLType = EVL->getType();
1750	Value *IsEVLZero = IB.CreateICmpNE(LHS: EVL, RHS: ConstantInt::get(Ty: EVLType, V: `0`));
1751	LoopInsertBefore = SplitBlockAndInsertIfThen(Cond: IsEVLZero, SplitBefore: I, Unreachable: false);
1752	IB.SetInsertPoint(LoopInsertBefore);
1753	// Cast EVL to IntptrTy.
1754	EVL = IB.CreateZExtOrTrunc(V: EVL, DestTy: IntptrTy);
1755	// To avoid undefined behavior for extracting with out of range index, use
1756	// the minimum of evl and element count as trip count.
1757	Value *EC = IB.CreateElementCount(Ty: IntptrTy, EC: VTy->getElementCount());
1758	EVL = IB.CreateBinaryIntrinsic(ID: Intrinsic::umin, LHS: EVL, RHS: EC);
1759	} else {
1760	EVL = IB.CreateElementCount(Ty: IntptrTy, EC: VTy->getElementCount());
1761	}
1762
1763	// Cast Stride to IntptrTy.
1764	if (Stride)
1765	Stride = IB.CreateZExtOrTrunc(V: Stride, DestTy: IntptrTy);
1766
1767	SplitBlockAndInsertForEachLane(End: EVL, InsertBefore: LoopInsertBefore->getIterator(),
1768	Func: [&](IRBuilderBase &IRB, Value *Index) {
1769	Value *MaskElem = IRB.CreateExtractElement(Vec: Mask, Idx: Index);
1770	if (auto *MaskElemC = dyn_cast<ConstantInt>(Val: MaskElem)) {
1771	if (MaskElemC->isZero())
1772	// No check
1773	return;
1774	// Unconditional check
1775	} else {
1776	// Conditional check
1777	Instruction *ThenTerm = SplitBlockAndInsertIfThen(
1778	Cond: MaskElem, SplitBefore: &IRB.GetInsertPoint(), Unreachable: false*);
1779	IRB.SetInsertPoint(ThenTerm);
1780	}
1781
1782	Value *InstrumentedAddress;
1783	if (isa<VectorType>(Val: Addr->getType())) {
1784	assert(
1785	cast<VectorType>(Addr->getType())->getElementType()->isPointerTy() &&
1786	"Expected vector of pointer.");
1787	InstrumentedAddress = IRB.CreateExtractElement(Vec: Addr, Idx: Index);
1788	} else if (Stride) {
1789	Index = IRB.CreateMul(LHS: Index, RHS: Stride);
1790	InstrumentedAddress = IRB.CreatePtrAdd(Ptr: Addr, Offset: Index);
1791	} else {
1792	InstrumentedAddress = IRB.CreateGEP(Ty: VTy, Ptr: Addr, IdxList: {Zero, Index});
1793	}
1794	doInstrumentAddress(Pass, I, InsertBefore: &*IRB.GetInsertPoint(), Addr: InstrumentedAddress,
1795	Alignment, Granularity, TypeStoreSize: ElemTypeSize, IsWrite,
1796	SizeArgument, UseCalls, Exp, RTCI);
1797	});
1798	}
1799
1800	void AddressSanitizer::instrumentMop(ObjectSizeOffsetVisitor &ObjSizeVis,
1801	InterestingMemoryOperand &O, bool UseCalls,
1802	const DataLayout &DL,
1803	RuntimeCallInserter &RTCI) {
1804	Value *Addr = O.getPtr();
1805
1806	// Optimization experiments.
1807	// The experiments can be used to evaluate potential optimizations that remove
1808	// instrumentation (assess false negatives). Instead of completely removing
1809	// some instrumentation, you set Exp to a non-zero value (mask of optimization
1810	// experiments that want to remove instrumentation of this instruction).
1811	// If Exp is non-zero, this pass will emit special calls into runtime
1812	// (e.g. __asan_report_exp_load1 instead of __asan_report_load1). These calls
1813	// make runtime terminate the program in a special way (with a different
1814	// exit status). Then you run the new compiler on a buggy corpus, collect
1815	// the special terminations (ideally, you don't see them at all -- no false
1816	// negatives) and make the decision on the optimization.
1817	uint32_t Exp = ClForceExperiment;
1818
1819	if (ClOpt && ClOptGlobals) {
1820	// If initialization order checking is disabled, a simple access to a
1821	// dynamically initialized global is always valid.
1822	GlobalVariable *G = dyn_cast<GlobalVariable>(Val: getUnderlyingObject(V: Addr));
1823	if (G && (!ClInitializers \|\| GlobalIsLinkerInitialized(G)) &&
1824	isSafeAccess(ObjSizeVis, Addr, TypeStoreSize: O.TypeStoreSize)) {
1825	NumOptimizedAccessesToGlobalVar ++;
1826	return;
1827	}
1828	}
1829
1830	if (ClOpt && ClOptStack) {
1831	// A direct inbounds access to a stack variable is always valid.
1832	if (isa<AllocaInst>(Val: getUnderlyingObject(V: Addr)) &&
1833	isSafeAccess(ObjSizeVis, Addr, TypeStoreSize: O.TypeStoreSize)) {
1834	NumOptimizedAccessesToStackVar ++;
1835	return;
1836	}
1837	}
1838
1839	if (O.IsWrite)
1840	NumInstrumentedWrites ++;
1841	else
1842	NumInstrumentedReads ++;
1843
1844	if (O.MaybeByteOffset) {
1845	Type Ty = Type::getInt8Ty(C&: C);
1846	IRBuilder IB(O.getInsn());
1847
1848	Value *OffsetOp = O.MaybeByteOffset;
1849	if (TargetTriple.isRISCV()) {
1850	Type *OffsetTy = OffsetOp->getType();
1851	// RVV indexed loads/stores zero-extend offset operands which are narrower
1852	// than XLEN to XLEN.
1853	if (OffsetTy->getScalarType()->getIntegerBitWidth() <
1854	static_cast<unsigned>(LongSize)) {
1855	VectorType *OrigType = cast<VectorType>(Val: OffsetTy);
1856	Type *ExtendTy = VectorType::get(ElementType: IntptrTy, Other: OrigType);
1857	OffsetOp = IB.CreateZExt(V: OffsetOp, DestTy: ExtendTy);
1858	}
1859	}
1860	Addr = IB.CreateGEP(Ty, Ptr: Addr, IdxList: {OffsetOp});
1861	}
1862
1863	unsigned Granularity = `1` << Mapping.Scale;
1864	if (O.MaybeMask) {
1865	instrumentMaskedLoadOrStore(Pass: this, DL, IntptrTy, Mask: O.MaybeMask, EVL: O.MaybeEVL,
1866	Stride: O.MaybeStride, I: O.getInsn(), Addr, Alignment: O.Alignment,
1867	Granularity, OpType: O.OpType, IsWrite: O.IsWrite, SizeArgument: nullptr,
1868	UseCalls, Exp, RTCI);
1869	} else {
1870	doInstrumentAddress(Pass: this, I: O.getInsn(), InsertBefore: O.getInsn(), Addr, Alignment: O.Alignment,
1871	Granularity, TypeStoreSize: O.TypeStoreSize, IsWrite: O.IsWrite, SizeArgument: nullptr,
1872	UseCalls, Exp, RTCI);
1873	}
1874	}
1875
1876	Instruction AddressSanitizer::generateCrashCode(Instruction InsertBefore,
1877	Value Addr, bool* IsWrite,
1878	size_t AccessSizeIndex,
1879	Value *SizeArgument,
1880	uint32_t Exp,
1881	RuntimeCallInserter &RTCI) {
1882	InstrumentationIRBuilder IRB(InsertBefore);
1883	Value ExpVal = Exp == `0` ? nullptr* : ConstantInt::get(Ty: IRB.getInt32Ty(), V: Exp);
1884	CallInst Call = nullptr*;
1885	if (SizeArgument) {
1886	if (Exp == `0`)
1887	Call = RTCI.createRuntimeCall(IRB, Callee: AsanErrorCallbackSized[IsWrite][`0`],
1888	Args: {Addr, SizeArgument});
1889	else
1890	Call = RTCI.createRuntimeCall(IRB, Callee: AsanErrorCallbackSized[IsWrite][`1`],
1891	Args: {Addr, SizeArgument, ExpVal});
1892	} else {
1893	if (Exp == `0`)
1894	Call = RTCI.createRuntimeCall(
1895	IRB, Callee: AsanErrorCallback[IsWrite][`0`][AccessSizeIndex], Args: Addr);
1896	else
1897	Call = RTCI.createRuntimeCall(
1898	IRB, Callee: AsanErrorCallback[IsWrite][`1`][AccessSizeIndex], Args: {Addr, ExpVal});
1899	}
1900
1901	Call->setCannotMerge();
1902	return Call;
1903	}
1904
1905	Value AddressSanitizer::createSlowPathCmp(IRBuilder<> &IRB, Value AddrLong,
1906	Value *ShadowValue,
1907	uint32_t TypeStoreSize) {
1908	size_t Granularity = static_cast<size_t>(`1`) << Mapping.Scale;
1909	// Addr & (Granularity - 1)
1910	Value *LastAccessedByte =
1911	IRB.CreateAnd(LHS: AddrLong, RHS: ConstantInt::get(Ty: IntptrTy, V: Granularity - `1`));
1912	// (Addr & (Granularity - 1)) + size - 1
1913	if (TypeStoreSize / `8` > `1`)
1914	LastAccessedByte = IRB.CreateAdd(
1915	LHS: LastAccessedByte, RHS: ConstantInt::get(Ty: IntptrTy, V: TypeStoreSize / `8` - `1`));
1916	// (uint8_t) ((Addr & (Granularity-1)) + size - 1)
1917	LastAccessedByte =
1918	IRB.CreateIntCast(V: LastAccessedByte, DestTy: ShadowValue->getType(), isSigned: false);
1919	// ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue
1920	return IRB.CreateICmpSGE(LHS: LastAccessedByte, RHS: ShadowValue);
1921	}
1922
1923	Instruction *AddressSanitizer::instrumentAMDGPUAddress(
1924	Instruction OrigIns, Instruction InsertBefore, Value *Addr,
1925	uint32_t TypeStoreSize, bool IsWrite, Value *SizeArgument) {
1926	// Do not instrument unsupported addrspaces.
1927	if (isUnsupportedAMDGPUAddrspace(Addr))
1928	return nullptr;
1929	Type *PtrTy = cast<PointerType>(Val: Addr->getType()->getScalarType());
1930	// Follow host instrumentation for global and constant addresses.
1931	if (PtrTy->getPointerAddressSpace() != `0`)
1932	return InsertBefore;
1933	// Instrument generic addresses in supported addressspaces.
1934	IRBuilder<> IRB(InsertBefore);
1935	Value *IsShared = IRB.CreateCall(Callee: AMDGPUAddressShared, Args: {Addr});
1936	Value *IsPrivate = IRB.CreateCall(Callee: AMDGPUAddressPrivate, Args: {Addr});
1937	Value *IsSharedOrPrivate = IRB.CreateOr(LHS: IsShared, RHS: IsPrivate);
1938	Value *Cmp = IRB.CreateNot(V: IsSharedOrPrivate);
1939	Value *AddrSpaceZeroLanding =
1940	SplitBlockAndInsertIfThen(Cond: Cmp, SplitBefore: InsertBefore, Unreachable: false);
1941	InsertBefore = cast<Instruction>(Val: AddrSpaceZeroLanding);
1942	return InsertBefore;
1943	}
1944
1945	Instruction *AddressSanitizer::genAMDGPUReportBlock(IRBuilder<> &IRB,
1946	Value Cond, bool* Recover) {
1947	Value *ReportCond = Cond;
1948	if (!Recover) {
1949	auto Ballot = Inserter.insertFunction(Name: kAMDGPUBallotName, Args: IRB.getInt64Ty(),
1950	Args: IRB.getInt1Ty());
1951	ReportCond = IRB.CreateIsNotNull(Arg: IRB.CreateCall(Callee: Ballot, Args: {Cond}));
1952	}
1953
1954	auto *Trm =
1955	SplitBlockAndInsertIfThen(Cond: ReportCond, SplitBefore: &IRB.GetInsertPoint(), Unreachable: false*,
1956	BranchWeights: MDBuilder (*C).createUnlikelyBranchWeights());
1957	Trm->getParent()->setName("asan.report");
1958
1959	if (Recover)
1960	return Trm;
1961
1962	Trm = SplitBlockAndInsertIfThen(Cond, SplitBefore: Trm, Unreachable: false);
1963	IRB.SetInsertPoint(Trm);
1964	return IRB.CreateCall(
1965	Callee: Inserter.insertFunction(Name: kAMDGPUUnreachableName, Args: IRB.getVoidTy()), Args: {});
1966	}
1967
1968	void AddressSanitizer::instrumentAddress(Instruction *OrigIns,
1969	Instruction InsertBefore, Value Addr,
1970	MaybeAlign Alignment,
1971	uint32_t TypeStoreSize, bool IsWrite,
1972	Value SizeArgument, bool* UseCalls,
1973	uint32_t Exp,
1974	RuntimeCallInserter &RTCI) {
1975	if (TargetTriple.isAMDGPU()) {
1976	InsertBefore = instrumentAMDGPUAddress(OrigIns, InsertBefore, Addr,
1977	TypeStoreSize, IsWrite, SizeArgument);
1978	if (!InsertBefore)
1979	return;
1980	}
1981
1982	InstrumentationIRBuilder IRB(InsertBefore);
1983	size_t AccessSizeIndex = TypeStoreSizeToSizeIndex(TypeSize: TypeStoreSize);
1984
1985	if (UseCalls && ClOptimizeCallbacks) {
1986	const ASanAccessInfo AccessInfo(IsWrite, CompileKernel, AccessSizeIndex);
1987	IRB.CreateIntrinsic(ID: Intrinsic::asan_check_memaccess, OverloadTypes: {},
1988	Args: {IRB.CreatePointerCast(V: Addr, DestTy: PtrTy),
1989	ConstantInt::get(Ty: Int32Ty, V: AccessInfo.Packed)});
1990	return;
1991	}
1992
1993	Value *AddrLong = IRB.CreatePointerCast(V: Addr, DestTy: IntptrTy);
1994	if (UseCalls) {
1995	if (Exp == `0`)
1996	RTCI.createRuntimeCall(
1997	IRB, Callee: AsanMemoryAccessCallback[IsWrite][`0`][AccessSizeIndex], Args: AddrLong);
1998	else
1999	RTCI.createRuntimeCall(
2000	IRB, Callee: AsanMemoryAccessCallback[IsWrite][`1`][AccessSizeIndex],
2001	Args: {AddrLong, ConstantInt::get(Ty: IRB.getInt32Ty(), V: Exp)});
2002	return;
2003	}
2004
2005	Type *ShadowTy =
2006	IntegerType::get(C&: *C, NumBits: std::max(a: `8U`, b: TypeStoreSize >> Mapping.Scale));
2007	Type ShadowPtrTy = PointerType::get(C&: C, AddressSpace: ClShadowAddrSpace);
2008	Value *ShadowPtr = memToShadow(Shadow: AddrLong, IRB);
2009	const uint64_t ShadowAlign =
2010	std::max<uint64_t>(a: Alignment.valueOrOne().value() >> Mapping.Scale, b: `1`);
2011	Value *ShadowValue = IRB.CreateAlignedLoad(
2012	Ty: ShadowTy, Ptr: IRB.CreateIntToPtr(V: ShadowPtr, DestTy: ShadowPtrTy), Align: Align (ShadowAlign));
2013
2014	Value *Cmp = IRB.CreateIsNotNull(Arg: ShadowValue);
2015	size_t Granularity = `1ULL` << Mapping.Scale;
2016	Instruction CrashTerm = nullptr*;
2017
2018	bool GenSlowPath = (ClAlwaysSlowPath \|\| (TypeStoreSize < `8` * Granularity));
2019
2020	if (TargetTriple.isAMDGCN()) {
2021	if (GenSlowPath) {
2022	auto *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeStoreSize);
2023	Cmp = IRB.CreateAnd(LHS: Cmp, RHS: Cmp2);
2024	}
2025	CrashTerm = genAMDGPUReportBlock(IRB, Cond: Cmp, Recover);
2026	} else if (GenSlowPath) {
2027	// We use branch weights for the slow path check, to indicate that the slow
2028	// path is rarely taken. This seems to be the case for SPEC benchmarks.
2029	Instruction *CheckTerm = SplitBlockAndInsertIfThen(
2030	Cond: Cmp, SplitBefore: InsertBefore, Unreachable: false, BranchWeights: MDBuilder (*C).createUnlikelyBranchWeights());
2031	BasicBlock *NextBB = cast<UncondBrInst>(Val: CheckTerm)->getSuccessor();
2032	IRB.SetInsertPoint(CheckTerm);
2033	Value *Cmp2 = createSlowPathCmp(IRB, AddrLong, ShadowValue, TypeStoreSize);
2034	if (Recover) {
2035	CrashTerm = SplitBlockAndInsertIfThen(Cond: Cmp2, SplitBefore: CheckTerm, Unreachable: false);
2036	} else {
2037	BasicBlock *CrashBlock =
2038	BasicBlock::Create(Context&: *C, Name: "", Parent: NextBB->getParent(), InsertBefore: NextBB);
2039	CrashTerm = new UnreachableInst (*C, CrashBlock);
2040	CondBrInst *NewTerm = CondBrInst::Create(Cond: Cmp2, IfTrue: CrashBlock, IfFalse: NextBB);
2041	ReplaceInstWithInst(From: CheckTerm, To: NewTerm);
2042	}
2043	} else {
2044	CrashTerm = SplitBlockAndInsertIfThen(Cond: Cmp, SplitBefore: InsertBefore, Unreachable: !Recover);
2045	}
2046
2047	Instruction *Crash = generateCrashCode(
2048	InsertBefore: CrashTerm, Addr: AddrLong, IsWrite, AccessSizeIndex, SizeArgument, Exp, RTCI);
2049	if (OrigIns->getDebugLoc())
2050	Crash->setDebugLoc(OrigIns->getDebugLoc());
2051	}
2052
2053	// Instrument unusual size or unusual alignment.
2054	// We can not do it with a single check, so we do 1-byte check for the first
2055	// and the last bytes. We call __asan_report__n(addr, real_size) to be able*
2056	// to report the actual access size.
2057	void AddressSanitizer::instrumentUnusualSizeOrAlignment(
2058	Instruction I, Instruction InsertBefore, Value *Addr,
2059	TypeSize TypeStoreSize, bool IsWrite, Value SizeArgument, bool* UseCalls,
2060	uint32_t Exp, RuntimeCallInserter &RTCI) {
2061	InstrumentationIRBuilder IRB(InsertBefore);
2062	Value *NumBits = IRB.CreateTypeSize(Ty: IntptrTy, Size: TypeStoreSize);
2063	Value *Size = IRB.CreateLShr(LHS: NumBits, RHS: ConstantInt::get(Ty: IntptrTy, V: `3`));
2064
2065	Value *AddrLong = IRB.CreatePointerCast(V: Addr, DestTy: IntptrTy);
2066	if (UseCalls) {
2067	if (Exp == `0`)
2068	RTCI.createRuntimeCall(IRB, Callee: AsanMemoryAccessCallbackSized[IsWrite][`0`],
2069	Args: {AddrLong, Size});
2070	else
2071	RTCI.createRuntimeCall(
2072	IRB, Callee: AsanMemoryAccessCallbackSized[IsWrite][`1`],
2073	Args: {AddrLong, Size, ConstantInt::get(Ty: IRB.getInt32Ty(), V: Exp)});
2074	} else {
2075	Value *SizeMinusOne = IRB.CreateSub(LHS: Size, RHS: ConstantInt::get(Ty: IntptrTy, V: `1`));
2076	Value *LastByte = IRB.CreateIntToPtr(
2077	V: IRB.CreateAdd(LHS: AddrLong, RHS: SizeMinusOne),
2078	DestTy: Addr->getType());
2079	instrumentAddress(OrigIns: I, InsertBefore, Addr, Alignment: {}, TypeStoreSize: `8`, IsWrite, SizeArgument: Size, UseCalls: false, Exp,
2080	RTCI);
2081	instrumentAddress(OrigIns: I, InsertBefore, Addr: LastByte, Alignment: {}, TypeStoreSize: `8`, IsWrite, SizeArgument: Size, UseCalls: false,
2082	Exp, RTCI);
2083	}
2084	}
2085
2086	void ModuleAddressSanitizer::poisonOneInitializer(Function &GlobalInit) {
2087	// Set up the arguments to our poison/unpoison functions.
2088	IRBuilder<> IRB(&GlobalInit.front(),
2089	GlobalInit.front().getFirstInsertionPt());
2090
2091	// Add a call to poison all external globals before the given function starts.
2092	Value *ModuleNameAddr =
2093	ConstantExpr::getPointerCast(C: getOrCreateModuleName(), Ty: IntptrTy);
2094	IRB.CreateCall(Callee: AsanPoisonGlobals, Args: ModuleNameAddr);
2095
2096	// Add calls to unpoison all globals before each return instruction.
2097	for (auto &BB : GlobalInit)
2098	if (ReturnInst *RI = dyn_cast<ReturnInst>(Val: BB.getTerminator()))
2099	CallInst::Create(Func: AsanUnpoisonGlobals, NameStr: "", InsertBefore: RI->getIterator());
2100	}
2101
2102	void ModuleAddressSanitizer::createInitializerPoisonCalls() {
2103	GlobalVariable *GV = M.getGlobalVariable(Name: "llvm.global_ctors");
2104	if (!GV)
2105	return;
2106
2107	ConstantArray *CA = dyn_cast<ConstantArray>(Val: GV->getInitializer());
2108	if (!CA)
2109	return;
2110
2111	for (Use &OP : CA->operands()) {
2112	if (isa<ConstantAggregateZero>(Val: OP)) continue;
2113	ConstantStruct *CS = cast<ConstantStruct>(Val&: OP);
2114
2115	// Must have a function or null ptr.
2116	if (Function *F = dyn_cast<Function>(Val: CS->getOperand(i_nocapture: `1`))) {
2117	if (F->getName() == kAsanModuleCtorName) continue;
2118	auto *Priority = cast<ConstantInt>(Val: CS->getOperand(i_nocapture: `0`));
2119	// Don't instrument CTORs that will run before asan.module_ctor.
2120	if (Priority->getLimitedValue() <= GetCtorAndDtorPriority(TargetTriple))
2121	continue;
2122	poisonOneInitializer(GlobalInit&: *F);
2123	}
2124	}
2125	}
2126
2127	const GlobalVariable *
2128	ModuleAddressSanitizer::getExcludedAliasedGlobal(const GlobalAlias &GA) const {
2129	// In case this function should be expanded to include rules that do not just
2130	// apply when CompileKernel is true, either guard all existing rules with an
2131	// 'if (CompileKernel) { ... }' or be absolutely sure that all these rules
2132	// should also apply to user space.
2133	assert(CompileKernel && "Only expecting to be called when compiling kernel");
2134
2135	const Constant *C = GA.getAliasee();
2136
2137	// When compiling the kernel, globals that are aliased by symbols prefixed
2138	// by "__" are special and cannot be padded with a redzone.
2139	if (GA.getName().starts_with(Prefix: "__"))
2140	return dyn_cast<GlobalVariable>(Val: C->stripPointerCastsAndAliases());
2141
2142	return nullptr;
2143	}
2144
2145	bool ModuleAddressSanitizer::shouldInstrumentGlobal(GlobalVariable G) const* {
2146	Type *Ty = G->getValueType();
2147	LLVM_DEBUG(dbgs() << "GLOBAL: " << *G << "\n");
2148
2149	if (G->hasSanitizerMetadata() && G->getSanitizerMetadata().NoAddress)
2150	return false;
2151	if (!Ty->isSized()) return false;
2152	if (!G->hasInitializer()) return false;
2153	if (!isSupportedAddrspace(TargetTriple, Addr: G))
2154	return false;
2155	if (GlobalWasGeneratedByCompiler(G)) return false; // Our own globals.
2156	// Two problems with thread-locals:
2157	// - The address of the main thread's copy can't be computed at link-time.
2158	// - Need to poison all copies, not just the main thread's one.
2159	if (G->isThreadLocal()) return false;
2160	// For now, just ignore this Global if the alignment is large.
2161	if (G->getAlign() && G->getAlign() > getMinRedzoneSizeForGlobal()) return* false;
2162
2163	// For non-COFF targets, only instrument globals known to be defined by this
2164	// TU.
2165	// FIXME: We can instrument comdat globals on ELF if we are using the
2166	// GC-friendly metadata scheme.
2167	if (!TargetTriple.isOSBinFormatCOFF()) {
2168	if (!G->hasExactDefinition() \|\| G->hasComdat())
2169	return false;
2170	} else {
2171	// On COFF, don't instrument non-ODR linkages.
2172	if (G->isInterposable())
2173	return false;
2174	// If the global has AvailableExternally linkage, then it is not in this
2175	// module, which means it does not need to be instrumented.
2176	if (G->hasAvailableExternallyLinkage())
2177	return false;
2178	}
2179
2180	// If a comdat is present, it must have a selection kind that implies ODR
2181	// semantics: no duplicates, any, or exact match.
2182	if (Comdat *C = G->getComdat()) {
2183	switch (C->getSelectionKind()) {
2184	case Comdat::Any:
2185	case Comdat::ExactMatch:
2186	case Comdat::NoDeduplicate:
2187	break;
2188	case Comdat::Largest:
2189	case Comdat::SameSize:
2190	return false;
2191	}
2192	}
2193
2194	if (G->hasSection()) {
2195	// The kernel uses explicit sections for mostly special global variables
2196	// that we should not instrument. E.g. the kernel may rely on their layout
2197	// without redzones, or remove them at link time ("discard."), etc.*
2198	if (CompileKernel)
2199	return false;
2200
2201	StringRef Section = G->getSection();
2202
2203	// Globals from llvm.metadata aren't emitted, do not instrument them.
2204	if (Section == "llvm.metadata") return false;
2205	// Do not instrument globals from special LLVM sections.
2206	if (Section.contains(Other: "__llvm") \|\| Section.contains(Other: "__LLVM"))
2207	return false;
2208
2209	// Do not instrument function pointers to initialization and termination
2210	// routines: dynamic linker will not properly handle redzones.
2211	if (Section.starts_with(Prefix: ".preinit_array") \|\|
2212	Section.starts_with(Prefix: ".init_array") \|\|
2213	Section.starts_with(Prefix: ".fini_array")) {
2214	return false;
2215	}
2216
2217	// Do not instrument user-defined sections (with names resembling
2218	// valid C identifiers)
2219	if (TargetTriple.isOSBinFormatELF()) {
2220	if (llvm::all_of(Range&: Section,
2221	P: [](char c) { return llvm::isAlnum(C: c) \|\| c == `'_'`; }))
2222	return false;
2223	}
2224
2225	// On COFF, if the section name contains '$', it is highly likely that the
2226	// user is using section sorting to create an array of globals similar to
2227	// the way initialization callbacks are registered in .init_array and
2228	// .CRT$XCU. The ATL also registers things in .ATL$__[azm]. Adding redzones
2229	// to such globals is counterproductive, because the intent is that they
2230	// will form an array, and out-of-bounds accesses are expected.
2231	// See https://github.com/google/sanitizers/issues/305
2232	// and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx
2233	if (TargetTriple.isOSBinFormatCOFF() && Section.contains(C: `'$'`)) {
2234	LLVM_DEBUG(dbgs() << "Ignoring global in sorted section (contains '$'): "
2235	<< *G << "\n");
2236	return false;
2237	}
2238
2239	if (TargetTriple.isOSBinFormatMachO()) {
2240	StringRef ParsedSegment, ParsedSection;
2241	unsigned TAA = `0`, StubSize = `0`;
2242	bool TAAParsed;
2243	cantFail(Err: MCSectionMachO::ParseSectionSpecifier(
2244	Spec: Section, Segment&: ParsedSegment, Section&: ParsedSection, TAA, TAAParsed, StubSize));
2245
2246	// Ignore the globals from the __OBJC section. The ObjC runtime assumes
2247	// those conform to /usr/lib/objc/runtime.h, so we can't add redzones to
2248	// them.
2249	if (ParsedSegment == "__OBJC" \|\|
2250	(ParsedSegment == "__DATA" && ParsedSection.starts_with(Prefix: "__objc_"))) {
2251	LLVM_DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G << "\n");
2252	return false;
2253	}
2254	// See https://github.com/google/sanitizers/issues/32
2255	// Constant CFString instances are compiled in the following way:
2256	// -- the string buffer is emitted into
2257	// __TEXT,__cstring,cstring_literals
2258	// -- the constant NSConstantString structure referencing that buffer
2259	// is placed into __DATA,__cfstring
2260	// Therefore there's no point in placing redzones into __DATA,__cfstring.
2261	// Moreover, it causes the linker to crash on OS X 10.7
2262	if (ParsedSegment == "__DATA" && ParsedSection == "__cfstring") {
2263	LLVM_DEBUG(dbgs() << "Ignoring CFString: " << *G << "\n");
2264	return false;
2265	}
2266	// The linker merges the contents of cstring_literals and removes the
2267	// trailing zeroes.
2268	if (ParsedSegment == "__TEXT" && (TAA & MachO::S_CSTRING_LITERALS)) {
2269	LLVM_DEBUG(dbgs() << "Ignoring a cstring literal: " << *G << "\n");
2270	return false;
2271	}
2272	}
2273	}
2274
2275	if (CompileKernel) {
2276	// Globals that prefixed by "__" are special and cannot be padded with a
2277	// redzone.
2278	if (G->getName().starts_with(Prefix: "__"))
2279	return false;
2280	}
2281
2282	return true;
2283	}
2284
2285	// On Mach-O platforms, we emit global metadata in a separate section of the
2286	// binary in order to allow the linker to properly dead strip. This is only
2287	// supported on recent versions of ld64.
2288	bool ModuleAddressSanitizer::ShouldUseMachOGlobalsSection() const {
2289	if (!TargetTriple.isOSBinFormatMachO())
2290	return false;
2291
2292	if (TargetTriple.isMacOSX() && !TargetTriple.isMacOSXVersionLT(Major: `10`, Minor: `11`))
2293	return true;
2294	if (TargetTriple.isiOS() / or tvOS / && !TargetTriple.isOSVersionLT(Major: `9`))
2295	return true;
2296	if (TargetTriple.isWatchOS() && !TargetTriple.isOSVersionLT(Major: `2`))
2297	return true;
2298	if (TargetTriple.isDriverKit())
2299	return true;
2300	if (TargetTriple.isXROS())
2301	return true;
2302
2303	return false;
2304	}
2305
2306	StringRef ModuleAddressSanitizer::getGlobalMetadataSection() const {
2307	switch (TargetTriple.getObjectFormat()) {
2308	case Triple::COFF: return ".ASAN$GL";
2309	case Triple::ELF: return "asan_globals";
2310	case Triple::MachO: return "__DATA,__asan_globals,regular";
2311	case Triple::Wasm:
2312	case Triple::GOFF:
2313	case Triple::SPIRV:
2314	case Triple::XCOFF:
2315	case Triple::DXContainer:
2316	report_fatal_error(
2317	reason: "ModuleAddressSanitizer not implemented for object file format");
2318	case Triple::UnknownObjectFormat:
2319	break;
2320	}
2321	llvm_unreachable("unsupported object format");
2322	}
2323
2324	void ModuleAddressSanitizer::initializeCallbacks() {
2325	IRBuilder<> IRB(*C);
2326
2327	// Declare our poisoning and unpoisoning functions.
2328	AsanPoisonGlobals = Inserter.insertFunction(Name: kAsanPoisonGlobalsName,
2329	Args: IRB.getVoidTy(), Args&: IntptrTy);
2330	AsanUnpoisonGlobals =
2331	Inserter.insertFunction(Name: kAsanUnpoisonGlobalsName, Args: IRB.getVoidTy());
2332
2333	// Declare functions that register/unregister globals.
2334	AsanRegisterGlobals = Inserter.insertFunction(
2335	Name: kAsanRegisterGlobalsName, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
2336	AsanUnregisterGlobals = Inserter.insertFunction(
2337	Name: kAsanUnregisterGlobalsName, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
2338
2339	// Declare the functions that find globals in a shared object and then invoke
2340	// the (un)register function on them.
2341	AsanRegisterImageGlobals = Inserter.insertFunction(
2342	Name: kAsanRegisterImageGlobalsName, Args: IRB.getVoidTy(), Args&: IntptrTy);
2343	AsanUnregisterImageGlobals = Inserter.insertFunction(
2344	Name: kAsanUnregisterImageGlobalsName, Args: IRB.getVoidTy(), Args&: IntptrTy);
2345
2346	AsanRegisterElfGlobals =
2347	Inserter.insertFunction(Name: kAsanRegisterElfGlobalsName, Args: IRB.getVoidTy(),
2348	Args&: IntptrTy, Args&: IntptrTy, Args&: IntptrTy);
2349	AsanUnregisterElfGlobals =
2350	Inserter.insertFunction(Name: kAsanUnregisterElfGlobalsName, Args: IRB.getVoidTy(),
2351	Args&: IntptrTy, Args&: IntptrTy, Args&: IntptrTy);
2352	}
2353
2354	// Put the metadata and the instrumented global in the same group. This ensures
2355	// that the metadata is discarded if the instrumented global is discarded.
2356	void ModuleAddressSanitizer::SetComdatForGlobalMetadata(
2357	GlobalVariable G, GlobalVariable Metadata, StringRef InternalSuffix) {
2358	Module &M = *G->getParent();
2359	Comdat *C = G->getComdat();
2360	if (!C) {
2361	if (!G->hasName()) {
2362	// If G is unnamed, it must be internal. Give it an artificial name
2363	// so we can put it in a comdat.
2364	assert(G->hasLocalLinkage());
2365	G->setName(genName(suffix: "anon_global"));
2366	}
2367
2368	if (!InternalSuffix.empty() && G->hasLocalLinkage()) {
2369	std::string Name = std::string (G->getName());
2370	Name += InternalSuffix;
2371	C = M.getOrInsertComdat(Name);
2372	} else {
2373	C = M.getOrInsertComdat(Name: G->getName());
2374	}
2375
2376	// Make this IMAGE_COMDAT_SELECT_NODUPLICATES on COFF. Also upgrade private
2377	// linkage to internal linkage so that a symbol table entry is emitted. This
2378	// is necessary in order to create the comdat group.
2379	if (TargetTriple.isOSBinFormatCOFF()) {
2380	C->setSelectionKind(Comdat::NoDeduplicate);
2381	if (G->hasPrivateLinkage())
2382	G->setLinkage(GlobalValue::InternalLinkage);
2383	}
2384	G->setComdat(C);
2385	}
2386
2387	assert(G->hasComdat());
2388	Metadata->setComdat(G->getComdat());
2389	}
2390
2391	// Create a separate metadata global and put it in the appropriate ASan
2392	// global registration section.
2393	GlobalVariable *
2394	ModuleAddressSanitizer::CreateMetadataGlobal(Constant *Initializer,
2395	StringRef OriginalName) {
2396	auto Linkage = TargetTriple.isOSBinFormatMachO()
2397	? GlobalVariable::InternalLinkage
2398	: GlobalVariable::PrivateLinkage;
2399	GlobalVariable Metadata = new* GlobalVariable (
2400	M, Initializer->getType(), false, Linkage, Initializer,
2401	Twine ("__asan_global_") + GlobalValue::dropLLVMManglingEscape(Name: OriginalName));
2402	Metadata->setSection(getGlobalMetadataSection());
2403	// Place metadata in a large section for x86-64 ELF binaries to mitigate
2404	// relocation pressure.
2405	setGlobalVariableLargeSection(TargetTriple, GV&: *Metadata);
2406	return Metadata;
2407	}
2408
2409	Instruction *ModuleAddressSanitizer::CreateAsanModuleDtor() {
2410	AsanDtorFunction = Function::createWithDefaultAttr(
2411	Ty: FunctionType::get(Result: Type::getVoidTy(C&: C), isVarArg: false*),
2412	Linkage: GlobalValue::InternalLinkage, AddrSpace: `0`, N: kAsanModuleDtorName, M: &M);
2413	AsanDtorFunction->addFnAttr(Kind: Attribute::NoUnwind);
2414	// Ensure Dtor cannot be discarded, even if in a comdat.
2415	appendToUsed(M, Values: {AsanDtorFunction});
2416	BasicBlock AsanDtorBB = BasicBlock::Create(Context&: C, Name: "", Parent: AsanDtorFunction);
2417
2418	return ReturnInst::Create(C&: *C, InsertAtEnd: AsanDtorBB);
2419	}
2420
2421	void ModuleAddressSanitizer::InstrumentGlobalsCOFF(
2422	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2423	ArrayRef<Constant *> MetadataInitializers) {
2424	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2425	auto &DL = M.getDataLayout();
2426
2427	SmallVector<GlobalValue *, `16`> MetadataGlobals(ExtendedGlobals.size());
2428	for (size_t i = `0`; i < ExtendedGlobals.size(); i++) {
2429	Constant *Initializer = MetadataInitializers [i];
2430	GlobalVariable *G = ExtendedGlobals [i];
2431	GlobalVariable *Metadata = CreateMetadataGlobal(Initializer, OriginalName: G->getName());
2432	MDNode *MD = MDNode::get(Context&: M.getContext(), MDs: ValueAsMetadata::get(V: G));
2433	Metadata->setMetadata(KindID: LLVMContext::MD_associated, Node: MD);
2434	MetadataGlobals [i] = Metadata;
2435
2436	// The MSVC linker always inserts padding when linking incrementally. We
2437	// cope with that by aligning each struct to its size, which must be a power
2438	// of two.
2439	unsigned SizeOfGlobalStruct = DL.getTypeAllocSize(Ty: Initializer->getType());
2440	assert(isPowerOf2_32(SizeOfGlobalStruct) &&
2441	"global metadata will not be padded appropriately");
2442	Metadata->setAlignment(assumeAligned(Value: SizeOfGlobalStruct));
2443
2444	SetComdatForGlobalMetadata(G, Metadata, InternalSuffix: "");
2445	}
2446
2447	// Update llvm.compiler.used, adding the new metadata globals. This is
2448	// needed so that during LTO these variables stay alive.
2449	if (!MetadataGlobals.empty())
2450	appendToCompilerUsed(M, Values: MetadataGlobals);
2451	}
2452
2453	void ModuleAddressSanitizer::instrumentGlobalsELF(
2454	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2455	ArrayRef<Constant *> MetadataInitializers,
2456	const std::string &UniqueModuleId) {
2457	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2458
2459	// Putting globals in a comdat changes the semantic and potentially cause
2460	// false negative odr violations at link time. If odr indicators are used, we
2461	// keep the comdat sections, as link time odr violations will be detected on
2462	// the odr indicator symbols.
2463	bool UseComdatForGlobalsGC = UseOdrIndicator && !UniqueModuleId.empty();
2464
2465	SmallVector<GlobalValue *, `16`> MetadataGlobals(ExtendedGlobals.size());
2466	for (size_t i = `0`; i < ExtendedGlobals.size(); i++) {
2467	GlobalVariable *G = ExtendedGlobals [i];
2468	GlobalVariable *Metadata =
2469	CreateMetadataGlobal(Initializer: MetadataInitializers [i], OriginalName: G->getName());
2470	MDNode *MD = MDNode::get(Context&: M.getContext(), MDs: ValueAsMetadata::get(V: G));
2471	Metadata->setMetadata(KindID: LLVMContext::MD_associated, Node: MD);
2472	MetadataGlobals [i] = Metadata;
2473
2474	if (UseComdatForGlobalsGC)
2475	SetComdatForGlobalMetadata(G, Metadata, InternalSuffix: UniqueModuleId);
2476	}
2477
2478	// Update llvm.compiler.used, adding the new metadata globals. This is
2479	// needed so that during LTO these variables stay alive.
2480	if (!MetadataGlobals.empty())
2481	appendToCompilerUsed(M, Values: MetadataGlobals);
2482
2483	// RegisteredFlag serves two purposes. First, we can pass it to dladdr()
2484	// to look up the loaded image that contains it. Second, we can store in it
2485	// whether registration has already occurred, to prevent duplicate
2486	// registration.
2487	//
2488	// Common linkage ensures that there is only one global per shared library.
2489	GlobalVariable RegisteredFlag = new* GlobalVariable (
2490	M, IntptrTy, false, GlobalVariable::CommonLinkage,
2491	ConstantInt::get(Ty: IntptrTy, V: `0`), kAsanGlobalsRegisteredFlagName);
2492	RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility);
2493
2494	// Create start and stop symbols.
2495	GlobalVariable StartELFMetadata = new* GlobalVariable (
2496	M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr,
2497	"__start_" + getGlobalMetadataSection());
2498	StartELFMetadata->setVisibility(GlobalVariable::HiddenVisibility);
2499	GlobalVariable StopELFMetadata = new* GlobalVariable (
2500	M, IntptrTy, false, GlobalVariable::ExternalWeakLinkage, nullptr,
2501	"__stop_" + getGlobalMetadataSection());
2502	StopELFMetadata->setVisibility(GlobalVariable::HiddenVisibility);
2503
2504	// Create a call to register the globals with the runtime.
2505	if (ConstructorKind == AsanCtorKind::Global)
2506	IRB.CreateCall(Callee: AsanRegisterElfGlobals,
2507	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy),
2508	IRB.CreatePointerCast(V: StartELFMetadata, DestTy: IntptrTy),
2509	IRB.CreatePointerCast(V: StopELFMetadata, DestTy: IntptrTy)});
2510
2511	// We also need to unregister globals at the end, e.g., when a shared library
2512	// gets closed.
2513	if (DestructorKind != AsanDtorKind::None && !MetadataGlobals.empty()) {
2514	IRBuilder<> IrbDtor(CreateAsanModuleDtor());
2515	IrbDtor.CreateCall(Callee: AsanUnregisterElfGlobals,
2516	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy),
2517	IRB.CreatePointerCast(V: StartELFMetadata, DestTy: IntptrTy),
2518	IRB.CreatePointerCast(V: StopELFMetadata, DestTy: IntptrTy)});
2519	}
2520	}
2521
2522	void ModuleAddressSanitizer::InstrumentGlobalsMachO(
2523	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2524	ArrayRef<Constant *> MetadataInitializers) {
2525	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2526
2527	// On recent Mach-O platforms, use a structure which binds the liveness of
2528	// the global variable to the metadata struct. Keep the list of "Liveness" GV
2529	// created to be added to llvm.compiler.used
2530	StructType *LivenessTy = StructType::get(elt1: IntptrTy, elts: IntptrTy);
2531	SmallVector<GlobalValue *, `16`> LivenessGlobals(ExtendedGlobals.size());
2532
2533	for (size_t i = `0`; i < ExtendedGlobals.size(); i++) {
2534	Constant *Initializer = MetadataInitializers [i];
2535	GlobalVariable *G = ExtendedGlobals [i];
2536	GlobalVariable *Metadata = CreateMetadataGlobal(Initializer, OriginalName: G->getName());
2537
2538	// On recent Mach-O platforms, we emit the global metadata in a way that
2539	// allows the linker to properly strip dead globals.
2540	auto LivenessBinder =
2541	ConstantStruct::get(T: LivenessTy, Vs: Initializer->getAggregateElement(Elt: `0u`),
2542	Vs: ConstantExpr::getPointerCast(C: Metadata, Ty: IntptrTy));
2543	GlobalVariable Liveness = new* GlobalVariable (
2544	M, LivenessTy, false, GlobalVariable::InternalLinkage, LivenessBinder,
2545	Twine ("__asan_binder_") + G->getName());
2546	Liveness->setSection("__DATA,__asan_liveness,regular,live_support");
2547	LivenessGlobals [i] = Liveness;
2548	}
2549
2550	// Update llvm.compiler.used, adding the new liveness globals. This is
2551	// needed so that during LTO these variables stay alive. The alternative
2552	// would be to have the linker handling the LTO symbols, but libLTO
2553	// current API does not expose access to the section for each symbol.
2554	if (!LivenessGlobals.empty())
2555	appendToCompilerUsed(M, Values: LivenessGlobals);
2556
2557	// RegisteredFlag serves two purposes. First, we can pass it to dladdr()
2558	// to look up the loaded image that contains it. Second, we can store in it
2559	// whether registration has already occurred, to prevent duplicate
2560	// registration.
2561	//
2562	// common linkage ensures that there is only one global per shared library.
2563	GlobalVariable RegisteredFlag = new* GlobalVariable (
2564	M, IntptrTy, false, GlobalVariable::CommonLinkage,
2565	ConstantInt::get(Ty: IntptrTy, V: `0`), kAsanGlobalsRegisteredFlagName);
2566	RegisteredFlag->setVisibility(GlobalVariable::HiddenVisibility);
2567
2568	if (ConstructorKind == AsanCtorKind::Global)
2569	IRB.CreateCall(Callee: AsanRegisterImageGlobals,
2570	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy)});
2571
2572	// We also need to unregister globals at the end, e.g., when a shared library
2573	// gets closed.
2574	if (DestructorKind != AsanDtorKind::None) {
2575	IRBuilder<> IrbDtor(CreateAsanModuleDtor());
2576	IrbDtor.CreateCall(Callee: AsanUnregisterImageGlobals,
2577	Args: {IRB.CreatePointerCast(V: RegisteredFlag, DestTy: IntptrTy)});
2578	}
2579	}
2580
2581	void ModuleAddressSanitizer::InstrumentGlobalsWithMetadataArray(
2582	IRBuilder<> &IRB, ArrayRef<GlobalVariable *> ExtendedGlobals,
2583	ArrayRef<Constant *> MetadataInitializers) {
2584	assert(ExtendedGlobals.size() == MetadataInitializers.size());
2585	unsigned N = ExtendedGlobals.size();
2586	assert(N > `0`);
2587
2588	// On platforms that don't have a custom metadata section, we emit an array
2589	// of global metadata structures.
2590	ArrayType *ArrayOfGlobalStructTy =
2591	ArrayType::get(ElementType: MetadataInitializers [`0`]->getType(), NumElements: N);
2592	auto AllGlobals = new GlobalVariable (
2593	M, ArrayOfGlobalStructTy, false, GlobalVariable::InternalLinkage,
2594	ConstantArray::get(T: ArrayOfGlobalStructTy, V: MetadataInitializers), "");
2595	if (Mapping.Scale > `3`)
2596	AllGlobals->setAlignment(Align (`1ULL` << Mapping.Scale));
2597
2598	if (ConstructorKind == AsanCtorKind::Global)
2599	IRB.CreateCall(Callee: AsanRegisterGlobals,
2600	Args: {IRB.CreatePointerCast(V: AllGlobals, DestTy: IntptrTy),
2601	ConstantInt::get(Ty: IntptrTy, V: N)});
2602
2603	// We also need to unregister globals at the end, e.g., when a shared library
2604	// gets closed.
2605	if (DestructorKind != AsanDtorKind::None) {
2606	IRBuilder<> IrbDtor(CreateAsanModuleDtor());
2607	IrbDtor.CreateCall(Callee: AsanUnregisterGlobals,
2608	Args: {IRB.CreatePointerCast(V: AllGlobals, DestTy: IntptrTy),
2609	ConstantInt::get(Ty: IntptrTy, V: N)});
2610	}
2611	}
2612
2613	// This function replaces all global variables with new variables that have
2614	// trailing redzones. It also creates a function that poisons
2615	// redzones and inserts this function into llvm.global_ctors.
2616	// Sets CtorComdat to true if the global registration code emitted into the*
2617	// asan constructor is comdat-compatible.
2618	void ModuleAddressSanitizer::instrumentGlobals(IRBuilder<> &IRB,
2619	bool *CtorComdat) {
2620	// Build set of globals that are aliased by some GA, where
2621	// getExcludedAliasedGlobal(GA) returns the relevant GlobalVariable.
2622	SmallPtrSet<const GlobalVariable *, `16`> AliasedGlobalExclusions;
2623	if (CompileKernel) {
2624	for (auto &GA : M.aliases()) {
2625	if (const GlobalVariable *GV = getExcludedAliasedGlobal(GA))
2626	AliasedGlobalExclusions.insert(Ptr: GV);
2627	}
2628	}
2629
2630	SmallVector<GlobalVariable *, `16`> GlobalsToChange;
2631	for (auto &G : M.globals()) {
2632	if (!AliasedGlobalExclusions.count(Ptr: &G) && shouldInstrumentGlobal(G: &G))
2633	GlobalsToChange.push_back(Elt: &G);
2634	}
2635
2636	size_t n = GlobalsToChange.size();
2637	auto &DL = M.getDataLayout();
2638
2639	// A global is described by a structure
2640	// size_t beg;
2641	// size_t size;
2642	// size_t size_with_redzone;
2643	// const char name;*
2644	// const char module_name;*
2645	// size_t has_dynamic_init;
2646	// size_t padding_for_windows_msvc_incremental_link;
2647	// size_t odr_indicator;
2648	// We initialize an array of such structures and pass it to a run-time call.
2649	StructType *GlobalStructTy =
2650	StructType::get(elt1: IntptrTy, elts: IntptrTy, elts: IntptrTy, elts: IntptrTy, elts: IntptrTy,
2651	elts: IntptrTy, elts: IntptrTy, elts: IntptrTy);
2652	SmallVector<GlobalVariable *, `16`> NewGlobals(n);
2653	SmallVector<Constant *, `16`> Initializers(n);
2654
2655	for (size_t i = `0`; i < n; i++) {
2656	GlobalVariable *G = GlobalsToChange [i];
2657
2658	GlobalValue::SanitizerMetadata MD;
2659	if (G->hasSanitizerMetadata())
2660	MD = G->getSanitizerMetadata();
2661
2662	// The runtime library tries demangling symbol names in the descriptor but
2663	// functionality like __cxa_demangle may be unavailable (e.g.
2664	// -static-libstdc++). So we demangle the symbol names here.
2665	std::string NameForGlobal = G->getName().str();
2666	GlobalVariable *Name =
2667	createPrivateGlobalForString(M, Str: llvm::demangle(MangledName: NameForGlobal),
2668	/AllowMerging/ true, NamePrefix: genName(suffix: "global"));
2669
2670	Type *Ty = G->getValueType();
2671	const uint64_t SizeInBytes = DL.getTypeAllocSize(Ty);
2672	const uint64_t RightRedzoneSize = getRedzoneSizeForGlobal(SizeInBytes);
2673	Type *RightRedZoneTy = ArrayType::get(ElementType: IRB.getInt8Ty(), NumElements: RightRedzoneSize);
2674
2675	StructType *NewTy = StructType::get(elt1: Ty, elts: RightRedZoneTy);
2676	Constant *NewInitializer = ConstantStruct::get(
2677	T: NewTy, Vs: G->getInitializer(), Vs: Constant::getNullValue(Ty: RightRedZoneTy));
2678
2679	// Create a new global variable with enough space for a redzone.
2680	GlobalValue::LinkageTypes Linkage = G->getLinkage();
2681	if (G->isConstant() && Linkage == GlobalValue::PrivateLinkage)
2682	Linkage = GlobalValue::InternalLinkage;
2683	GlobalVariable NewGlobal = new* GlobalVariable (
2684	M, NewTy, G->isConstant(), Linkage, NewInitializer, "", G,
2685	G->getThreadLocalMode(), G->getAddressSpace());
2686	NewGlobal->copyAttributesFrom(Src: G);
2687	NewGlobal->setComdat(G->getComdat());
2688	NewGlobal->setAlignment(Align (getMinRedzoneSizeForGlobal()));
2689	// Don't fold globals with redzones. ODR violation detector and redzone
2690	// poisoning implicitly creates a dependence on the global's address, so it
2691	// is no longer valid for it to be marked unnamed_addr.
2692	NewGlobal->setUnnamedAddr(GlobalValue::UnnamedAddr::None);
2693
2694	// Move null-terminated C strings to "__asan_cstring" section on Darwin.
2695	if (TargetTriple.isOSBinFormatMachO() && !G->hasSection() &&
2696	G->isConstant()) {
2697	auto Seq = dyn_cast<ConstantDataSequential>(Val: G->getInitializer());
2698	if (Seq && Seq->isCString())
2699	NewGlobal->setSection("__TEXT,__asan_cstring,regular");
2700	}
2701
2702	// Transfer the debug info and type metadata. The payload starts at offset
2703	// zero so we can copy the metadata over as is.
2704	NewGlobal->copyMetadata(Src: G, Offset: `0`);
2705
2706	G->replaceAllUsesWith(V: NewGlobal);
2707	NewGlobal->takeName(V: G);
2708	G->eraseFromParent();
2709	NewGlobals [i] = NewGlobal;
2710
2711	Constant *ODRIndicator = Constant::getNullValue(Ty: IntptrTy);
2712	GlobalValue *InstrumentedGlobal = NewGlobal;
2713
2714	bool CanUsePrivateAliases =
2715	TargetTriple.isOSBinFormatELF() \|\| TargetTriple.isOSBinFormatMachO() \|\|
2716	TargetTriple.isOSBinFormatWasm();
2717	if (CanUsePrivateAliases && UsePrivateAlias) {
2718	// Create local alias for NewGlobal to avoid crash on ODR between
2719	// instrumented and non-instrumented libraries.
2720	InstrumentedGlobal =
2721	GlobalAlias::create(Linkage: GlobalValue::PrivateLinkage, Name: "", Aliasee: NewGlobal);
2722	}
2723
2724	// ODR should not happen for local linkage.
2725	if (NewGlobal->hasLocalLinkage()) {
2726	ODRIndicator = ConstantInt::getAllOnesValue(Ty: IntptrTy);
2727	} else if (UseOdrIndicator) {
2728	// With local aliases, we need to provide another externally visible
2729	// symbol __odr_asan_XXX to detect ODR violation.
2730	auto *ODRIndicatorSym =
2731	new GlobalVariable (M, IRB.getInt8Ty(), false, Linkage,
2732	Constant::getNullValue(Ty: IRB.getInt8Ty()),
2733	kODRGenPrefix + NameForGlobal, nullptr,
2734	NewGlobal->getThreadLocalMode());
2735
2736	// Set meaningful attributes for indicator symbol.
2737	ODRIndicatorSym->setVisibility(NewGlobal->getVisibility());
2738	ODRIndicatorSym->setDLLStorageClass(NewGlobal->getDLLStorageClass());
2739	ODRIndicatorSym->setAlignment(Align (`1`));
2740	ODRIndicator = ConstantExpr::getPtrToInt(C: ODRIndicatorSym, Ty: IntptrTy);
2741	}
2742
2743	Constant *Initializer = ConstantStruct::get(
2744	T: GlobalStructTy,
2745	Vs: ConstantExpr::getPointerCast(C: InstrumentedGlobal, Ty: IntptrTy),
2746	Vs: ConstantInt::get(Ty: IntptrTy, V: SizeInBytes),
2747	Vs: ConstantInt::get(Ty: IntptrTy, V: SizeInBytes + RightRedzoneSize),
2748	Vs: ConstantExpr::getPointerCast(C: Name, Ty: IntptrTy),
2749	Vs: ConstantExpr::getPointerCast(C: getOrCreateModuleName(), Ty: IntptrTy),
2750	Vs: ConstantInt::get(Ty: IntptrTy, V: MD.IsDynInit),
2751	Vs: Constant::getNullValue(Ty: IntptrTy), Vs: ODRIndicator);
2752
2753	LLVM_DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n");
2754
2755	Initializers [i] = Initializer;
2756	}
2757
2758	// Add instrumented globals to llvm.compiler.used list to avoid LTO from
2759	// ConstantMerge'ing them.
2760	SmallVector<GlobalValue *, `16`> GlobalsToAddToUsedList;
2761	for (size_t i = `0`; i < n; i++) {
2762	GlobalVariable *G = NewGlobals [i];
2763	if (G->getName().empty()) continue;
2764	GlobalsToAddToUsedList.push_back(Elt: G);
2765	}
2766	appendToCompilerUsed(M, Values: ArrayRef<GlobalValue *>(GlobalsToAddToUsedList));
2767
2768	if (UseGlobalsGC && TargetTriple.isOSBinFormatELF()) {
2769	// Use COMDAT and register globals even if n == 0 to ensure that (a) the
2770	// linkage unit will only have one module constructor, and (b) the register
2771	// function will be called. The module destructor is not created when n ==
2772	// 0.
2773	CtorComdat = true*;
2774	instrumentGlobalsELF(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers, UniqueModuleId: getUniqueModuleId(M: &M));
2775	} else if (n == `0`) {
2776	// When UseGlobalsGC is false, COMDAT can still be used if n == 0, because
2777	// all compile units will have identical module constructor/destructor.
2778	*CtorComdat = TargetTriple.isOSBinFormatELF();
2779	} else {
2780	CtorComdat = false*;
2781	if (UseGlobalsGC && TargetTriple.isOSBinFormatCOFF()) {
2782	InstrumentGlobalsCOFF(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers);
2783	} else if (UseGlobalsGC && ShouldUseMachOGlobalsSection()) {
2784	InstrumentGlobalsMachO(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers);
2785	} else {
2786	InstrumentGlobalsWithMetadataArray(IRB, ExtendedGlobals: NewGlobals, MetadataInitializers: Initializers);
2787	}
2788	}
2789
2790	// Create calls for poisoning before initializers run and unpoisoning after.
2791	if (ClInitializers)
2792	createInitializerPoisonCalls();
2793
2794	LLVM_DEBUG(dbgs() << M);
2795	}
2796
2797	uint64_t
2798	ModuleAddressSanitizer::getRedzoneSizeForGlobal(uint64_t SizeInBytes) const {
2799	constexpr uint64_t kMaxRZ = `1` << `18`;
2800	const uint64_t MinRZ = getMinRedzoneSizeForGlobal();
2801
2802	uint64_t RZ = `0`;
2803	if (SizeInBytes <= MinRZ / `2`) {
2804	// Reduce redzone size for small size objects, e.g. int, char[1]. MinRZ is
2805	// at least 32 bytes, optimize when SizeInBytes is less than or equal to
2806	// half of MinRZ.
2807	RZ = MinRZ - SizeInBytes;
2808	} else {
2809	// Calculate RZ, where MinRZ <= RZ <= MaxRZ, and RZ ~ 1/4 SizeInBytes.*
2810	RZ = std::clamp(val: (SizeInBytes / MinRZ / `4`) * MinRZ, lo: MinRZ, hi: kMaxRZ);
2811
2812	// Round up to multiple of MinRZ.
2813	if (SizeInBytes % MinRZ)
2814	RZ += MinRZ - (SizeInBytes % MinRZ);
2815	}
2816
2817	assert((RZ + SizeInBytes) % MinRZ == `0`);
2818
2819	return RZ;
2820	}
2821
2822	int ModuleAddressSanitizer::GetAsanVersion() const {
2823	int LongSize = M.getDataLayout().getPointerSizeInBits();
2824	bool isAndroid = M.getTargetTriple().isAndroid();
2825	int Version = `8`;
2826	// 32-bit Android is one version ahead because of the switch to dynamic
2827	// shadow.
2828	Version += (LongSize == `32` && isAndroid);
2829	return Version;
2830	}
2831
2832	GlobalVariable *ModuleAddressSanitizer::getOrCreateModuleName() {
2833	if (!ModuleName) {
2834	// We shouldn't merge same module names, as this string serves as unique
2835	// module ID in runtime.
2836	ModuleName =
2837	createPrivateGlobalForString(M, Str: M.getModuleIdentifier(),
2838	/AllowMerging/ false, NamePrefix: genName(suffix: "module"));
2839	}
2840	return ModuleName;
2841	}
2842
2843	bool ModuleAddressSanitizer::instrumentModule() {
2844	initializeCallbacks();
2845
2846	for (Function &F : M)
2847	removeASanIncompatibleFnAttributes(F, /ReadsArgMem=/false);
2848
2849	// Create a module constructor. A destructor is created lazily because not all
2850	// platforms, and not all modules need it.
2851	if (ConstructorKind == AsanCtorKind::Global) {
2852	if (CompileKernel) {
2853	// The kernel always builds with its own runtime, and therefore does not
2854	// need the init and version check calls.
2855	AsanCtorFunction = createSanitizerCtor(M, CtorName: kAsanModuleCtorName);
2856	} else {
2857	std::string AsanVersion = std::to_string(val: GetAsanVersion());
2858	std::string VersionCheckName =
2859	InsertVersionCheck ? (kAsanVersionCheckNamePrefix + AsanVersion) : "";
2860	std::tie(args&: AsanCtorFunction, args: std::ignore) =
2861	createSanitizerCtorAndInitFunctions(
2862	M, CtorName: kAsanModuleCtorName, InitName: kAsanInitName, /InitArgTypes=/{},
2863	/InitArgs=/{}, VersionCheckName);
2864	}
2865	}
2866
2867	bool CtorComdat = true;
2868	if (ClGlobals) {
2869	assert(AsanCtorFunction \|\| ConstructorKind == AsanCtorKind::None);
2870	if (AsanCtorFunction) {
2871	IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator());
2872	instrumentGlobals(IRB, CtorComdat: &CtorComdat);
2873	} else {
2874	IRBuilder<> IRB(*C);
2875	instrumentGlobals(IRB, CtorComdat: &CtorComdat);
2876	}
2877	}
2878
2879	const uint64_t Priority = GetCtorAndDtorPriority(TargetTriple);
2880
2881	// Put the constructor and destructor in comdat if both
2882	// (1) global instrumentation is not TU-specific
2883	// (2) target is ELF.
2884	if (UseCtorComdat && TargetTriple.isOSBinFormatELF() && CtorComdat) {
2885	if (AsanCtorFunction) {
2886	AsanCtorFunction->setComdat(M.getOrInsertComdat(Name: kAsanModuleCtorName));
2887	appendToGlobalCtors(M, F: AsanCtorFunction, Priority, Data: AsanCtorFunction);
2888	}
2889	if (AsanDtorFunction) {
2890	AsanDtorFunction->setComdat(M.getOrInsertComdat(Name: kAsanModuleDtorName));
2891	appendToGlobalDtors(M, F: AsanDtorFunction, Priority, Data: AsanDtorFunction);
2892	}
2893	} else {
2894	if (AsanCtorFunction)
2895	appendToGlobalCtors(M, F: AsanCtorFunction, Priority);
2896	if (AsanDtorFunction)
2897	appendToGlobalDtors(M, F: AsanDtorFunction, Priority);
2898	}
2899
2900	return true;
2901	}
2902
2903	void AddressSanitizer::initializeCallbacks(const TargetLibraryInfo *TLI) {
2904	IRBuilder<> IRB(*C);
2905	// Create __asan_report callbacks.*
2906	// IsWrite, TypeSize and Exp are encoded in the function name.
2907	for (int Exp = `0`; Exp < `2`; Exp++) {
2908	for (size_t AccessIsWrite = `0`; AccessIsWrite <= `1`; AccessIsWrite++) {
2909	const std::string TypeStr = AccessIsWrite ? "store" : "load";
2910	const std::string ExpStr = Exp ? "exp_" : "";
2911	const std::string EndingStr = Recover ? "_noabort" : "";
2912
2913	SmallVector<Type *, `3`> Args2 = {IntptrTy, IntptrTy};
2914	SmallVector<Type *, `2`> Args1{`1`, IntptrTy};
2915	AttributeList AL2;
2916	AttributeList AL1;
2917	if (Exp) {
2918	Type ExpType = Type::getInt32Ty(C&: C);
2919	Args2.push_back(Elt: ExpType);
2920	Args1.push_back(Elt: ExpType);
2921	if (auto AK = TLI->getExtAttrForI32Param(Signed: false)) {
2922	AL2 = AL2.addParamAttribute(C&: *C, ArgNo: `2`, Kind: AK);
2923	AL1 = AL1.addParamAttribute(C&: *C, ArgNo: `1`, Kind: AK);
2924	}
2925	}
2926	AsanErrorCallbackSized[AccessIsWrite][Exp] = Inserter.insertFunction(
2927	Name: kAsanReportErrorTemplate + ExpStr + TypeStr + "_n" + EndingStr,
2928	Args: FunctionType::get(Result: IRB.getVoidTy(), Params: Args2, isVarArg: false), Args&: AL2);
2929
2930	AsanMemoryAccessCallbackSized[AccessIsWrite][Exp] =
2931	Inserter.insertFunction(
2932	Name: ClMemoryAccessCallbackPrefix + ExpStr + TypeStr + "N" + EndingStr,
2933	Args: FunctionType::get(Result: IRB.getVoidTy(), Params: Args2, isVarArg: false), Args&: AL2);
2934
2935	for (size_t AccessSizeIndex = `0`; AccessSizeIndex < kNumberOfAccessSizes;
2936	AccessSizeIndex++) {
2937	const std::string Suffix = TypeStr + itostr(X: `1ULL` << AccessSizeIndex);
2938	AsanErrorCallback[AccessIsWrite][Exp][AccessSizeIndex] =
2939	Inserter.insertFunction(
2940	Name: kAsanReportErrorTemplate + ExpStr + Suffix + EndingStr,
2941	Args: FunctionType::get(Result: IRB.getVoidTy(), Params: Args1, isVarArg: false), Args&: AL1);
2942
2943	AsanMemoryAccessCallback[AccessIsWrite][Exp][AccessSizeIndex] =
2944	Inserter.insertFunction(
2945	Name: ClMemoryAccessCallbackPrefix + ExpStr + Suffix + EndingStr,
2946	Args: FunctionType::get(Result: IRB.getVoidTy(), Params: Args1, isVarArg: false), Args&: AL1);
2947	}
2948	}
2949	}
2950
2951	const std::string MemIntrinCallbackPrefix =
2952	(CompileKernel && !ClKasanMemIntrinCallbackPrefix)
2953	? std::string ("")
2954	: ClMemoryAccessCallbackPrefix;
2955	AsanMemmove = Inserter.insertFunction(Name: MemIntrinCallbackPrefix + "memmove",
2956	Args&: PtrTy, Args&: PtrTy, Args&: PtrTy, Args&: IntptrTy);
2957	AsanMemcpy = Inserter.insertFunction(Name: MemIntrinCallbackPrefix + "memcpy",
2958	Args&: PtrTy, Args&: PtrTy, Args&: PtrTy, Args&: IntptrTy);
2959	AsanMemset =
2960	Inserter.insertFunction(Name: MemIntrinCallbackPrefix + "memset",
2961	Args: TLI->getAttrList(C, ArgNos: {`1`},
2962	/Signed=/false),
2963	Args&: PtrTy, Args&: PtrTy, Args: IRB.getInt32Ty(), Args&: IntptrTy);
2964
2965	AsanHandleNoReturnFunc =
2966	Inserter.insertFunction(Name: kAsanHandleNoReturnName, Args: IRB.getVoidTy());
2967
2968	AsanPtrCmpFunction =
2969	Inserter.insertFunction(Name: kAsanPtrCmp, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
2970	AsanPtrSubFunction =
2971	Inserter.insertFunction(Name: kAsanPtrSub, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
2972	if (Mapping.InGlobal)
2973	AsanShadowGlobal = M.getOrInsertGlobal(Name: "__asan_shadow",
2974	Ty: ArrayType::get(ElementType: IRB.getInt8Ty(), NumElements: `0`));
2975
2976	AMDGPUAddressShared =
2977	Inserter.insertFunction(Name: kAMDGPUAddressSharedName, Args: IRB.getInt1Ty(), Args&: PtrTy);
2978	AMDGPUAddressPrivate = Inserter.insertFunction(Name: kAMDGPUAddressPrivateName,
2979	Args: IRB.getInt1Ty(), Args&: PtrTy);
2980	}
2981
2982	bool AddressSanitizer::maybeInsertAsanInitAtFunctionEntry(Function &F) {
2983	// For each NSObject descendant having a +load method, this method is invoked
2984	// by the ObjC runtime before any of the static constructors is called.
2985	// Therefore we need to instrument such methods with a call to __asan_init
2986	// at the beginning in order to initialize our runtime before any access to
2987	// the shadow memory.
2988	// We cannot just ignore these methods, because they may call other
2989	// instrumented functions.
2990	if (F.getName().contains(Other: " load]")) {
2991	FunctionCallee AsanInitFunction =
2992	declareSanitizerInitFunction(M&: *F.getParent(), InitName: kAsanInitName, InitArgTypes: {});
2993	IRBuilder<> IRB(&F.front(), F.front().begin());
2994	IRB.CreateCall(Callee: AsanInitFunction, Args: {});
2995	return true;
2996	}
2997	return false;
2998	}
2999
3000	bool AddressSanitizer::maybeInsertDynamicShadowAtFunctionEntry(Function &F) {
3001	// Generate code only when dynamic addressing is needed.
3002	if (Mapping.Offset != kDynamicShadowSentinel)
3003	return false;
3004
3005	IRBuilder<> IRB(&F.front().front());
3006	if (Mapping.InGlobal) {
3007	if (ClWithIfuncSuppressRemat) {
3008	// An empty inline asm with input reg == output reg.
3009	// An opaque pointer-to-int cast, basically.
3010	InlineAsm *Asm = InlineAsm::get(
3011	Ty: FunctionType::get(Result: IntptrTy, Params: {AsanShadowGlobal->getType()}, isVarArg: false),
3012	AsmString: StringRef (""), Constraints: StringRef ("=r,0"),
3013	/hasSideEffects=/false);
3014	LocalDynamicShadow =
3015	IRB.CreateCall(Callee: Asm, Args: {AsanShadowGlobal}, Name: ".asan.shadow");
3016	} else {
3017	LocalDynamicShadow =
3018	IRB.CreatePointerCast(V: AsanShadowGlobal, DestTy: IntptrTy, Name: ".asan.shadow");
3019	}
3020	} else {
3021	Value *GlobalDynamicAddress = F.getParent()->getOrInsertGlobal(
3022	Name: kAsanShadowMemoryDynamicAddress, Ty: IntptrTy);
3023	LocalDynamicShadow = IRB.CreateLoad(Ty: IntptrTy, Ptr: GlobalDynamicAddress);
3024	}
3025	return true;
3026	}
3027
3028	void AddressSanitizer::markEscapedLocalAllocas(Function &F) {
3029	// Find the one possible call to llvm.localescape and pre-mark allocas passed
3030	// to it as uninteresting. This assumes we haven't started processing allocas
3031	// yet. This check is done up front because iterating the use list in
3032	// isInterestingAlloca would be algorithmically slower.
3033	assert(ProcessedAllocas.empty() && "must process localescape before allocas");
3034
3035	// Try to get the declaration of llvm.localescape. If it's not in the module,
3036	// we can exit early.
3037	if (!F.getParent()->getFunction(Name: "llvm.localescape")) return;
3038
3039	// Look for a call to llvm.localescape call in the entry block. It can't be in
3040	// any other block.
3041	for (Instruction &I : F.getEntryBlock()) {
3042	IntrinsicInst *II = dyn_cast<IntrinsicInst>(Val: &I);
3043	if (II && II->getIntrinsicID() == Intrinsic::localescape) {
3044	// We found a call. Mark all the allocas passed in as uninteresting.
3045	for (Value *Arg : II->args()) {
3046	AllocaInst *AI = dyn_cast<AllocaInst>(Val: Arg->stripPointerCasts());
3047	assert(AI && AI->isStaticAlloca() &&
3048	"non-static alloca arg to localescape");
3049	ProcessedAllocas [AI] = false;
3050	}
3051	break;
3052	}
3053	}
3054	}
3055	// Mitigation for https://github.com/google/sanitizers/issues/749
3056	// We don't instrument Windows catch-block parameters to avoid
3057	// interfering with exception handling assumptions.
3058	void AddressSanitizer::markCatchParametersAsUninteresting(Function &F) {
3059	for (BasicBlock &BB : F) {
3060	for (Instruction &I : BB) {
3061	if (auto *CatchPad = dyn_cast<CatchPadInst>(Val: &I)) {
3062	// Mark the parameters to a catch-block as uninteresting to avoid
3063	// instrumenting them.
3064	for (Value *Operand : CatchPad->arg_operands())
3065	if (auto *AI = dyn_cast<AllocaInst>(Val: Operand))
3066	ProcessedAllocas [AI] = false;
3067	}
3068	}
3069	}
3070	}
3071
3072	bool AddressSanitizer::suppressInstrumentationSiteForDebug(int &Instrumented) {
3073	bool ShouldInstrument =
3074	ClDebugMin < `0` \|\| ClDebugMax < `0` \|\|
3075	(Instrumented >= ClDebugMin && Instrumented <= ClDebugMax);
3076	Instrumented++;
3077	return !ShouldInstrument;
3078	}
3079
3080	bool AddressSanitizer::instrumentFunction(Function &F,
3081	const TargetLibraryInfo *TLI,
3082	const TargetTransformInfo *TTI) {
3083	bool FunctionModified = false;
3084
3085	// Do not apply any instrumentation for naked functions.
3086	if (F.hasFnAttribute(Kind: Attribute::Naked))
3087	return FunctionModified;
3088
3089	// If needed, insert __asan_init before checking for SanitizeAddress attr.
3090	// This function needs to be called even if the function body is not
3091	// instrumented.
3092	if (maybeInsertAsanInitAtFunctionEntry(F))
3093	FunctionModified = true;
3094
3095	// Leave if the function doesn't need instrumentation.
3096	if (!F.hasFnAttribute(Kind: Attribute::SanitizeAddress)) return FunctionModified;
3097
3098	if (F.hasFnAttribute(Kind: Attribute::DisableSanitizerInstrumentation))
3099	return FunctionModified;
3100
3101	LLVM_DEBUG(dbgs() << "ASAN instrumenting:\n" << F << "\n");
3102
3103	initializeCallbacks(TLI);
3104
3105	FunctionStateRAII CleanupObj(this);
3106
3107	RuntimeCallInserter RTCI(F);
3108
3109	FunctionModified \|= maybeInsertDynamicShadowAtFunctionEntry(F);
3110
3111	// We can't instrument allocas used with llvm.localescape. Only static allocas
3112	// can be passed to that intrinsic.
3113	markEscapedLocalAllocas(F);
3114
3115	if (TargetTriple.isOSWindows())
3116	markCatchParametersAsUninteresting(F);
3117
3118	// We want to instrument every address only once per basic block (unless there
3119	// are calls between uses).
3120	SmallPtrSet<Value *, `16`> TempsToInstrument;
3121	SmallVector<InterestingMemoryOperand, `16`> OperandsToInstrument;
3122	SmallVector<MemIntrinsic *, `16`> IntrinToInstrument;
3123	SmallVector<Instruction *, `8`> NoReturnCalls;
3124	SmallVector<BasicBlock *, `16`> AllBlocks;
3125	SmallVector<Instruction *, `16`> PointerComparisonsOrSubtracts;
3126
3127	// Fill the set of memory operations to instrument.
3128	for (auto &BB : F) {
3129	AllBlocks.push_back(Elt: &BB);
3130	TempsToInstrument.clear();
3131	int NumInsnsPerBB = `0`;
3132	for (auto &Inst : BB) {
3133	if (LooksLikeCodeInBug11395(I: &Inst)) return false;
3134	// Skip instructions inserted by another instrumentation.
3135	if (Inst.hasMetadata(KindID: LLVMContext::MD_nosanitize))
3136	continue;
3137	SmallVector<InterestingMemoryOperand, `1`> InterestingOperands;
3138	getInterestingMemoryOperands(I: &Inst, Interesting&: InterestingOperands, TTI);
3139
3140	if (!InterestingOperands.empty()) {
3141	for (auto &Operand : InterestingOperands) {
3142	if (ClOpt && ClOptSameTemp) {
3143	Value *Ptr = Operand.getPtr();
3144	// If we have a mask, skip instrumentation if we've already
3145	// instrumented the full object. But don't add to TempsToInstrument
3146	// because we might get another load/store with a different mask.
3147	if (Operand.MaybeMask) {
3148	if (TempsToInstrument.count(Ptr))
3149	continue; // We've seen this (whole) temp in the current BB.
3150	} else {
3151	if (!TempsToInstrument.insert(Ptr).second)
3152	continue; // We've seen this temp in the current BB.
3153	}
3154	}
3155	OperandsToInstrument.push_back(Elt: Operand);
3156	NumInsnsPerBB++;
3157	}
3158	} else if (((ClInvalidPointerPairs \|\| ClInvalidPointerCmp) &&
3159	isInterestingPointerComparison(I: &Inst)) \|\|
3160	((ClInvalidPointerPairs \|\| ClInvalidPointerSub) &&
3161	isInterestingPointerSubtraction(I: &Inst))) {
3162	PointerComparisonsOrSubtracts.push_back(Elt: &Inst);
3163	} else if (MemIntrinsic *MI = dyn_cast<MemIntrinsic>(Val: &Inst)) {
3164	// ok, take it.
3165	IntrinToInstrument.push_back(Elt: MI);
3166	NumInsnsPerBB++;
3167	} else {
3168	if (auto *CB = dyn_cast<CallBase>(Val: &Inst)) {
3169	// A call inside BB.
3170	TempsToInstrument.clear();
3171	if (CB->doesNotReturn())
3172	NoReturnCalls.push_back(Elt: CB);
3173	}
3174	if (CallInst *CI = dyn_cast<CallInst>(Val: &Inst))
3175	maybeMarkSanitizerLibraryCallNoBuiltin(CI, TLI);
3176	}
3177	if (NumInsnsPerBB >= ClMaxInsnsToInstrumentPerBB) break;
3178	}
3179	}
3180
3181	bool UseCalls = (InstrumentationWithCallsThreshold >= `0` &&
3182	OperandsToInstrument.size() + IntrinToInstrument.size() >
3183	(unsigned)InstrumentationWithCallsThreshold);
3184	const DataLayout &DL = F.getDataLayout();
3185	ObjectSizeOffsetVisitor ObjSizeVis(DL, TLI, F.getContext());
3186
3187	// Instrument.
3188	int NumInstrumented = `0`;
3189	for (auto &Operand : OperandsToInstrument) {
3190	if (!suppressInstrumentationSiteForDebug(Instrumented&: NumInstrumented))
3191	instrumentMop(ObjSizeVis, O&: Operand, UseCalls,
3192	DL: F.getDataLayout(), RTCI);
3193	FunctionModified = true;
3194	}
3195	for (auto *Inst : IntrinToInstrument) {
3196	if (!suppressInstrumentationSiteForDebug(Instrumented&: NumInstrumented))
3197	instrumentMemIntrinsic(MI: Inst, RTCI);
3198	FunctionModified = true;
3199	}
3200
3201	FunctionStackPoisoner FSP(F, *this, RTCI);
3202	bool ChangedStack = FSP.runOnFunction();
3203
3204	// We must unpoison the stack before NoReturn calls (throw, _exit, etc).
3205	// See e.g. https://github.com/google/sanitizers/issues/37
3206	for (auto *CI : NoReturnCalls) {
3207	IRBuilder<> IRB(CI);
3208	RTCI.createRuntimeCall(IRB, Callee: AsanHandleNoReturnFunc, Args: {});
3209	}
3210
3211	for (auto *Inst : PointerComparisonsOrSubtracts) {
3212	instrumentPointerComparisonOrSubtraction(I: Inst, RTCI);
3213	FunctionModified = true;
3214	}
3215
3216	if (ChangedStack \|\| !NoReturnCalls.empty())
3217	FunctionModified = true;
3218
3219	LLVM_DEBUG(dbgs() << "ASAN done instrumenting: " << FunctionModified << " "
3220	<< F << "\n");
3221
3222	return FunctionModified;
3223	}
3224
3225	// Workaround for bug 11395: we don't want to instrument stack in functions
3226	// with large assembly blobs (32-bit only), otherwise reg alloc may crash.
3227	// FIXME: remove once the bug 11395 is fixed.
3228	bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) {
3229	if (LongSize != `32`) return false;
3230	CallInst *CI = dyn_cast<CallInst>(Val: I);
3231	if (!CI \|\| !CI->isInlineAsm()) return false;
3232	if (CI->arg_size() <= `5`)
3233	return false;
3234	// We have inline assembly with quite a few arguments.
3235	return true;
3236	}
3237
3238	void FunctionStackPoisoner::initializeCallbacks(Module &) {
3239	IRBuilder<> IRB(*C);
3240	if (ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Always \|\|
3241	ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Runtime) {
3242	const char *MallocNameTemplate =
3243	ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Always
3244	? kAsanStackMallocAlwaysNameTemplate
3245	: kAsanStackMallocNameTemplate;
3246	for (int Index = `0`; Index <= kMaxAsanStackMallocSizeClass; Index++) {
3247	std::string Suffix = itostr(X: Index);
3248	AsanStackMallocFunc[Index] = ASan.Inserter.insertFunction(
3249	Name: MallocNameTemplate + Suffix, Args&: IntptrTy, Args&: IntptrTy);
3250	AsanStackFreeFunc[Index] =
3251	ASan.Inserter.insertFunction(Name: kAsanStackFreeNameTemplate + Suffix,
3252	Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
3253	}
3254	}
3255	if (ASan.UseAfterScope) {
3256	AsanPoisonStackMemoryFunc = ASan.Inserter.insertFunction(
3257	Name: kAsanPoisonStackMemoryName, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
3258	AsanUnpoisonStackMemoryFunc = ASan.Inserter.insertFunction(
3259	Name: kAsanUnpoisonStackMemoryName, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
3260	}
3261
3262	for (size_t Val : {`0x00`, `0x01`, `0x02`, `0x03`, `0x04`, `0x05`, `0x06`, `0x07`, `0xf1`, `0xf2`,
3263	`0xf3`, `0xf5`, `0xf8`}) {
3264	std::ostringstream Name;
3265	Name << kAsanSetShadowPrefix;
3266	Name << std::setw(`2`) << std::setfill(`'0'`) << std::hex << Val;
3267	AsanSetShadowFunc[Val] = ASan.Inserter.insertFunction(
3268	Name: Name.str(), Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
3269	}
3270
3271	AsanAllocaPoisonFunc = ASan.Inserter.insertFunction(
3272	Name: kAsanAllocaPoison, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
3273	AsanAllocasUnpoisonFunc = ASan.Inserter.insertFunction(
3274	Name: kAsanAllocasUnpoison, Args: IRB.getVoidTy(), Args&: IntptrTy, Args&: IntptrTy);
3275	}
3276
3277	void FunctionStackPoisoner::copyToShadowInline(ArrayRef<uint8_t> ShadowMask,
3278	ArrayRef<uint8_t> ShadowBytes,
3279	size_t Begin, size_t End,
3280	IRBuilder<> &IRB,
3281	Value *ShadowBase) {
3282	if (Begin >= End)
3283	return;
3284
3285	const size_t LargestStoreSizeInBytes =
3286	std::min<size_t>(a: sizeof(uint64_t), b: ASan.LongSize / `8`);
3287
3288	const bool IsLittleEndian = F.getDataLayout().isLittleEndian();
3289
3290	// Poison given range in shadow using larges store size with out leading and
3291	// trailing zeros in ShadowMask. Zeros never change, so they need neither
3292	// poisoning nor up-poisoning. Still we don't mind if some of them get into a
3293	// middle of a store.
3294	for (size_t i = Begin; i < End;) {
3295	if (!ShadowMask [i]) {
3296	assert(!ShadowBytes[i]);
3297	++i;
3298	continue;
3299	}
3300
3301	size_t StoreSizeInBytes = LargestStoreSizeInBytes;
3302	// Fit store size into the range.
3303	while (StoreSizeInBytes > End - i)
3304	StoreSizeInBytes /= `2`;
3305
3306	// Minimize store size by trimming trailing zeros.
3307	for (size_t j = StoreSizeInBytes - `1`; j && !ShadowMask [i + j]; --j) {
3308	while (j <= StoreSizeInBytes / `2`)
3309	StoreSizeInBytes /= `2`;
3310	}
3311
3312	uint64_t Val = `0`;
3313	for (size_t j = `0`; j < StoreSizeInBytes; j++) {
3314	if (IsLittleEndian)
3315	Val \|= (uint64_t)ShadowBytes [i + j] << (`8` * j);
3316	else
3317	Val = (Val << `8`) \| ShadowBytes [i + j];
3318	}
3319
3320	Value *Ptr = IRB.CreateAdd(LHS: ShadowBase, RHS: ConstantInt::get(Ty: IntptrTy, V: i));
3321	Value Poison = IRB.getIntN(N: StoreSizeInBytes `8`, C: Val);
3322	IRB.CreateAlignedStore(
3323	Val: Poison, Ptr: IRB.CreateIntToPtr(V: Ptr, DestTy: PointerType::getUnqual(C&: Poison->getContext())),
3324	Align: Align (`1`));
3325
3326	i += StoreSizeInBytes;
3327	}
3328	}
3329
3330	void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask,
3331	ArrayRef<uint8_t> ShadowBytes,
3332	IRBuilder<> &IRB, Value *ShadowBase) {
3333	copyToShadow(ShadowMask, ShadowBytes, Begin: `0`, End: ShadowMask.size(), IRB, ShadowBase);
3334	}
3335
3336	void FunctionStackPoisoner::copyToShadow(ArrayRef<uint8_t> ShadowMask,
3337	ArrayRef<uint8_t> ShadowBytes,
3338	size_t Begin, size_t End,
3339	IRBuilder<> &IRB, Value *ShadowBase) {
3340	assert(ShadowMask.size() == ShadowBytes.size());
3341	size_t Done = Begin;
3342	for (size_t i = Begin, j = Begin + `1`; i < End; i = j++) {
3343	if (!ShadowMask [i]) {
3344	assert(!ShadowBytes[i]);
3345	continue;
3346	}
3347	uint8_t Val = ShadowBytes [i];
3348	if (!AsanSetShadowFunc[Val])
3349	continue;
3350
3351	// Skip same values.
3352	for (; j < End && ShadowMask [j] && Val == ShadowBytes [j]; ++j) {
3353	}
3354
3355	if (j - i >= ASan.MaxInlinePoisoningSize) {
3356	copyToShadowInline(ShadowMask, ShadowBytes, Begin: Done, End: i, IRB, ShadowBase);
3357	RTCI.createRuntimeCall(
3358	IRB, Callee: AsanSetShadowFunc[Val],
3359	Args: {IRB.CreateAdd(LHS: ShadowBase, RHS: ConstantInt::get(Ty: IntptrTy, V: i)),
3360	ConstantInt::get(Ty: IntptrTy, V: j - i)});
3361	Done = j;
3362	}
3363	}
3364
3365	copyToShadowInline(ShadowMask, ShadowBytes, Begin: Done, End, IRB, ShadowBase);
3366	}
3367
3368	// Fake stack allocator (asan_fake_stack.h) has 11 size classes
3369	// for every power of 2 from kMinStackMallocSize to kMaxAsanStackMallocSizeClass
3370	static int StackMallocSizeClass(uint64_t LocalStackSize) {
3371	assert(LocalStackSize <= kMaxStackMallocSize);
3372	uint64_t MaxSize = kMinStackMallocSize;
3373	for (int i = `0`;; i++, MaxSize *= `2`)
3374	if (LocalStackSize <= MaxSize) return i;
3375	llvm_unreachable("impossible LocalStackSize");
3376	}
3377
3378	void FunctionStackPoisoner::copyArgsPassedByValToAllocas() {
3379	Instruction *CopyInsertPoint = &F.front().front();
3380	if (CopyInsertPoint == ASan.LocalDynamicShadow) {
3381	// Insert after the dynamic shadow location is determined
3382	CopyInsertPoint = CopyInsertPoint->getNextNode();
3383	assert(CopyInsertPoint);
3384	}
3385	IRBuilder<> IRB(CopyInsertPoint);
3386	const DataLayout &DL = F.getDataLayout();
3387	for (Argument &Arg : F.args()) {
3388	if (Arg.hasByValAttr()) {
3389	Type *Ty = Arg.getParamByValType();
3390	const Align Alignment =
3391	DL.getValueOrABITypeAlignment(Alignment: Arg.getParamAlign(), Ty);
3392
3393	AllocaInst *AI = IRB.CreateAlloca(
3394	Ty, ArraySize: nullptr,
3395	Name: (Arg.hasName() ? Arg.getName() : "Arg" + Twine (Arg.getArgNo())) +
3396	".byval");
3397	AI->setAlignment(Alignment);
3398	Arg.replaceAllUsesWith(V: AI);
3399
3400	uint64_t AllocSize = DL.getTypeAllocSize(Ty);
3401	IRB.CreateMemCpy(Dst: AI, DstAlign: Alignment, Src: &Arg, SrcAlign: Alignment, Size: AllocSize);
3402	}
3403	}
3404	}
3405
3406	PHINode FunctionStackPoisoner::createPHI(IRBuilder<> &IRB, Value Cond,
3407	Value *ValueIfTrue,
3408	Instruction *ThenTerm,
3409	Value *ValueIfFalse) {
3410	PHINode *PHI = IRB.CreatePHI(Ty: ValueIfTrue->getType(), NumReservedValues: `2`);
3411	BasicBlock *CondBlock = cast<Instruction>(Val: Cond)->getParent();
3412	PHI->addIncoming(V: ValueIfFalse, BB: CondBlock);
3413	BasicBlock *ThenBlock = ThenTerm->getParent();
3414	PHI->addIncoming(V: ValueIfTrue, BB: ThenBlock);
3415	return PHI;
3416	}
3417
3418	Value *FunctionStackPoisoner::createAllocaForLayout(
3419	IRBuilder<> &IRB, const ASanStackFrameLayout &L, bool Dynamic) {
3420	AllocaInst *Alloca;
3421	if (Dynamic) {
3422	Alloca = IRB.CreateAlloca(Ty: IRB.getInt8Ty(),
3423	ArraySize: ConstantInt::get(Ty: IRB.getInt64Ty(), V: L.FrameSize),
3424	Name: "MyAlloca");
3425	} else {
3426	Alloca = IRB.CreateAlloca(Ty: ArrayType::get(ElementType: IRB.getInt8Ty(), NumElements: L.FrameSize),
3427	ArraySize: nullptr, Name: "MyAlloca");
3428	assert(Alloca->isStaticAlloca());
3429	}
3430	assert((ClRealignStack & (ClRealignStack - `1`)) == `0`);
3431	uint64_t FrameAlignment = std::max(a: L.FrameAlignment, b: uint64_t(ClRealignStack));
3432	Alloca->setAlignment(Align (FrameAlignment));
3433	return Alloca;
3434	}
3435
3436	void FunctionStackPoisoner::createDynamicAllocasInitStorage() {
3437	BasicBlock &FirstBB = *F.begin();
3438	IRBuilder<> IRB(dyn_cast<Instruction>(Val: FirstBB.begin()));
3439	DynamicAllocaLayout = IRB.CreateAlloca(Ty: IntptrTy, ArraySize: nullptr);
3440	IRB.CreateStore(Val: Constant::getNullValue(Ty: IntptrTy), Ptr: DynamicAllocaLayout);
3441	DynamicAllocaLayout->setAlignment(Align (`32`));
3442	}
3443
3444	void FunctionStackPoisoner::processDynamicAllocas() {
3445	if (!ClInstrumentDynamicAllocas \|\| DynamicAllocaVec.empty()) {
3446	assert(DynamicAllocaPoisonCallVec.empty());
3447	return;
3448	}
3449
3450	// Insert poison calls for lifetime intrinsics for dynamic allocas.
3451	for (const auto &APC : DynamicAllocaPoisonCallVec) {
3452	assert(APC.InsBefore);
3453	assert(APC.AI);
3454	assert(ASan.isInterestingAlloca(*APC.AI));
3455	assert(!APC.AI->isStaticAlloca());
3456
3457	IRBuilder<> IRB(APC.InsBefore);
3458	poisonAlloca(V: APC.AI, Size: APC.Size, IRB, DoPoison: APC.DoPoison);
3459	// Dynamic allocas will be unpoisoned unconditionally below in
3460	// unpoisonDynamicAllocas.
3461	// Flag that we need unpoison static allocas.
3462	}
3463
3464	// Handle dynamic allocas.
3465	createDynamicAllocasInitStorage();
3466	for (auto &AI : DynamicAllocaVec)
3467	handleDynamicAllocaCall(AI);
3468	unpoisonDynamicAllocas();
3469	}
3470
3471	/// Collect instructions in the entry block after \p InsBefore which initialize
3472	/// permanent storage for a function argument. These instructions must remain in
3473	/// the entry block so that uninitialized values do not appear in backtraces. An
3474	/// added benefit is that this conserves spill slots. This does not move stores
3475	/// before instrumented / "interesting" allocas.
3476	static void findStoresToUninstrumentedArgAllocas(
3477	AddressSanitizer &ASan, Instruction &InsBefore,
3478	SmallVectorImpl<Instruction *> &InitInsts) {
3479	Instruction *Start = InsBefore.getNextNode();
3480	for (Instruction *It = Start; It; It = It->getNextNode()) {
3481	// Argument initialization looks like:
3482	// 1) store <Argument>, <Alloca> OR
3483	// 2) <CastArgument> = cast <Argument> to ...
3484	// store <CastArgument> to <Alloca>
3485	// Do not consider any other kind of instruction.
3486	//
3487	// Note: This covers all known cases, but may not be exhaustive. An
3488	// alternative to pattern-matching stores is to DFS over all Argument uses:
3489	// this might be more general, but is probably much more complicated.
3490	if (isa<AllocaInst>(Val: It) \|\| isa<CastInst>(Val: It))
3491	continue;
3492	if (auto *Store = dyn_cast<StoreInst>(Val: It)) {
3493	// The store destination must be an alloca that isn't interesting for
3494	// ASan to instrument. These are moved up before InsBefore, and they're
3495	// not interesting because allocas for arguments can be mem2reg'd.
3496	auto *Alloca = dyn_cast<AllocaInst>(Val: Store->getPointerOperand());
3497	if (!Alloca \|\| ASan.isInterestingAlloca(AI: *Alloca))
3498	continue;
3499
3500	Value *Val = Store->getValueOperand();
3501	bool IsDirectArgInit = isa<Argument>(Val);
3502	bool IsArgInitViaCast =
3503	isa<CastInst>(Val) &&
3504	isa<Argument>(Val: cast<CastInst>(Val)->getOperand(i_nocapture: `0`)) &&
3505	// Check that the cast appears directly before the store. Otherwise
3506	// moving the cast before InsBefore may break the IR.
3507	Val == It->getPrevNode();
3508	bool IsArgInit = IsDirectArgInit \|\| IsArgInitViaCast;
3509	if (!IsArgInit)
3510	continue;
3511
3512	if (IsArgInitViaCast)
3513	InitInsts.push_back(Elt: cast<Instruction>(Val));
3514	InitInsts.push_back(Elt: Store);
3515	continue;
3516	}
3517
3518	// Do not reorder past unknown instructions: argument initialization should
3519	// only involve casts and stores.
3520	return;
3521	}
3522	}
3523
3524	static StringRef getAllocaName(AllocaInst *AI) {
3525	// Alloca could have been renamed for uniqueness. Its true name will have been
3526	// recorded as an annotation.
3527	if (AI->hasMetadata(KindID: LLVMContext::MD_annotation)) {
3528	MDTuple *AllocaAnnotations =
3529	cast<MDTuple>(Val: AI->getMetadata(KindID: LLVMContext::MD_annotation));
3530	for (auto &Annotation : AllocaAnnotations->operands()) {
3531	if (!isa<MDTuple>(Val: Annotation))
3532	continue;
3533	auto AnnotationTuple = cast<MDTuple>(Val: Annotation);
3534	for (unsigned Index = `0`; Index < AnnotationTuple->getNumOperands();
3535	Index++) {
3536	// All annotations are strings
3537	auto MetadataString =
3538	cast<MDString>(Val: AnnotationTuple->getOperand(I: Index));
3539	if (MetadataString->getString() == "alloca_name_altered")
3540	return cast<MDString>(Val: AnnotationTuple->getOperand(I: Index + `1`))
3541	->getString();
3542	}
3543	}
3544	}
3545	return AI->getName();
3546	}
3547
3548	void FunctionStackPoisoner::processStaticAllocas() {
3549	if (AllocaVec.empty()) {
3550	assert(StaticAllocaPoisonCallVec.empty());
3551	return;
3552	}
3553
3554	int StackMallocIdx = -`1`;
3555	DebugLoc EntryDebugLocation;
3556	if (auto SP = F.getSubprogram())
3557	EntryDebugLocation =
3558	DILocation::get(Context&: SP->getContext(), Line: SP->getScopeLine(), Column: `0`, Scope: SP);
3559
3560	Instruction *InsBefore = AllocaVec [`0`];
3561	IRBuilder<> IRB(InsBefore);
3562
3563	// Make sure non-instrumented allocas stay in the entry block. Otherwise,
3564	// debug info is broken, because only entry-block allocas are treated as
3565	// regular stack slots.
3566	auto InsBeforeB = InsBefore->getParent();
3567	assert(InsBeforeB == &F.getEntryBlock());
3568	for (auto *AI : StaticAllocasToMoveUp)
3569	if (AI->getParent() == InsBeforeB)
3570	AI->moveBefore(InsertPos: InsBefore->getIterator());
3571
3572	// Move stores of arguments into entry-block allocas as well. This prevents
3573	// extra stack slots from being generated (to house the argument values until
3574	// they can be stored into the allocas). This also prevents uninitialized
3575	// values from being shown in backtraces.
3576	SmallVector<Instruction *, `8`> ArgInitInsts;
3577	findStoresToUninstrumentedArgAllocas(ASan, InsBefore&: *InsBefore, InitInsts&: ArgInitInsts);
3578	for (Instruction *ArgInitInst : ArgInitInsts)
3579	ArgInitInst->moveBefore(InsertPos: InsBefore->getIterator());
3580
3581	// If we have a call to llvm.localescape, keep it in the entry block.
3582	if (LocalEscapeCall)
3583	LocalEscapeCall->moveBefore(InsertPos: InsBefore->getIterator());
3584
3585	SmallVector<ASanStackVariableDescription, `16`> SVD;
3586	SVD.reserve(N: AllocaVec.size());
3587	for (AllocaInst *AI : AllocaVec) {
3588	StringRef Name = getAllocaName(AI);
3589	ASanStackVariableDescription D = {.Name: Name.data(),
3590	.Size: ASan.getAllocaSizeInBytes(AI: *AI),
3591	.LifetimeSize: `0`,
3592	.Alignment: AI->getAlign().value(),
3593	.AI: AI,
3594	.Offset: `0`,
3595	.Line: `0`};
3596	SVD.push_back(Elt: D);
3597	}
3598
3599	// Minimal header size (left redzone) is 4 pointers,
3600	// i.e. 32 bytes on 64-bit platforms and 16 bytes in 32-bit platforms.
3601	uint64_t Granularity = `1ULL` << Mapping.Scale;
3602	uint64_t MinHeaderSize = std::max(a: (uint64_t)ASan.LongSize / `2`, b: Granularity);
3603	const ASanStackFrameLayout &L =
3604	ComputeASanStackFrameLayout(Vars&: SVD, Granularity, MinHeaderSize);
3605
3606	// Build AllocaToSVDMap for ASanStackVariableDescription lookup.
3607	DenseMap<const AllocaInst , ASanStackVariableDescription > AllocaToSVDMap;
3608	for (auto &Desc : SVD)
3609	AllocaToSVDMap [Desc.AI] = &Desc;
3610
3611	// Update SVD with information from lifetime intrinsics.
3612	for (const auto &APC : StaticAllocaPoisonCallVec) {
3613	assert(APC.InsBefore);
3614	assert(APC.AI);
3615	assert(ASan.isInterestingAlloca(*APC.AI));
3616	assert(APC.AI->isStaticAlloca());
3617
3618	ASanStackVariableDescription &Desc = *AllocaToSVDMap [APC.AI];
3619	Desc.LifetimeSize = Desc.Size;
3620	if (const DILocation *FnLoc = EntryDebugLocation.get()) {
3621	if (const DILocation *LifetimeLoc = APC.InsBefore->getDebugLoc().get()) {
3622	if (LifetimeLoc->getFile() == FnLoc->getFile())
3623	if (unsigned Line = LifetimeLoc->getLine())
3624	Desc.Line = std::min(a: Desc.Line ? Desc.Line : Line, b: Line);
3625	}
3626	}
3627	}
3628
3629	auto DescriptionString = ComputeASanStackFrameDescription(Vars: SVD);
3630	LLVM_DEBUG(dbgs() << DescriptionString << " --- " << L.FrameSize << "\n");
3631	uint64_t LocalStackSize = L.FrameSize;
3632	bool DoStackMalloc =
3633	ASan.UseAfterReturn != AsanDetectStackUseAfterReturnMode::Never &&
3634	!ASan.CompileKernel && LocalStackSize <= kMaxStackMallocSize;
3635	bool DoDynamicAlloca = ClDynamicAllocaStack;
3636	// Don't do dynamic alloca or stack malloc if:
3637	// 1) There is inline asm: too often it makes assumptions on which registers
3638	// are available.
3639	// 2) There is a returns_twice call (typically setjmp), which is
3640	// optimization-hostile, and doesn't play well with introduced indirect
3641	// register-relative calculation of local variable addresses.
3642	DoDynamicAlloca &= !HasInlineAsm && !HasReturnsTwiceCall;
3643	DoStackMalloc &= !HasInlineAsm && !HasReturnsTwiceCall;
3644
3645	Type *PtrTy = F.getDataLayout().getAllocaPtrType(Ctx&: F.getContext());
3646	Value *StaticAlloca =
3647	DoDynamicAlloca ? nullptr : createAllocaForLayout(IRB, L, Dynamic: false);
3648
3649	Value *FakeStackPtr;
3650	Value *FakeStackInt;
3651	Value *LocalStackBase;
3652	Value *LocalStackBaseAlloca;
3653	uint8_t DIExprFlags = DIExpression::ApplyOffset;
3654
3655	if (DoStackMalloc) {
3656	LocalStackBaseAlloca =
3657	IRB.CreateAlloca(Ty: IntptrTy, ArraySize: nullptr, Name: "asan_local_stack_base");
3658	if (ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode::Runtime) {
3659	// void FakeStack = __asan_option_detect_stack_use_after_return*
3660	// ? __asan_stack_malloc_N(LocalStackSize)
3661	// : nullptr;
3662	// void LocalStackBase = (FakeStack) ? FakeStack :*
3663	// alloca(LocalStackSize);
3664	Constant *OptionDetectUseAfterReturn = F.getParent()->getOrInsertGlobal(
3665	Name: kAsanOptionDetectUseAfterReturn, Ty: IRB.getInt32Ty());
3666	Value *UseAfterReturnIsEnabled = IRB.CreateICmpNE(
3667	LHS: IRB.CreateLoad(Ty: IRB.getInt32Ty(), Ptr: OptionDetectUseAfterReturn),
3668	RHS: Constant::getNullValue(Ty: IRB.getInt32Ty()));
3669	Instruction *Term =
3670	SplitBlockAndInsertIfThen(Cond: UseAfterReturnIsEnabled, SplitBefore: InsBefore, Unreachable: false);
3671	IRBuilder<> IRBIf(Term);
3672	StackMallocIdx = StackMallocSizeClass(LocalStackSize);
3673	assert(StackMallocIdx <= kMaxAsanStackMallocSizeClass);
3674	Value *FakeStackValue =
3675	RTCI.createRuntimeCall(IRB&: IRBIf, Callee: AsanStackMallocFunc[StackMallocIdx],
3676	Args: ConstantInt::get(Ty: IntptrTy, V: LocalStackSize));
3677	IRB.SetInsertPoint(InsBefore);
3678	FakeStackInt = createPHI(IRB, Cond: UseAfterReturnIsEnabled, ValueIfTrue: FakeStackValue,
3679	ThenTerm: Term, ValueIfFalse: ConstantInt::get(Ty: IntptrTy, V: `0`));
3680	} else {
3681	// assert(ASan.UseAfterReturn == AsanDetectStackUseAfterReturnMode:Always)
3682	// void FakeStack = __asan_stack_malloc_N(LocalStackSize);*
3683	// void LocalStackBase = (FakeStack) ? FakeStack :*
3684	// alloca(LocalStackSize);
3685	StackMallocIdx = StackMallocSizeClass(LocalStackSize);
3686	FakeStackInt =
3687	RTCI.createRuntimeCall(IRB, Callee: AsanStackMallocFunc[StackMallocIdx],
3688	Args: ConstantInt::get(Ty: IntptrTy, V: LocalStackSize));
3689	}
3690	FakeStackPtr = IRB.CreateIntToPtr(V: FakeStackInt, DestTy: PtrTy);
3691	Value *NoFakeStack =
3692	IRB.CreateICmpEQ(LHS: FakeStackInt, RHS: Constant::getNullValue(Ty: IntptrTy));
3693	Instruction *Term =
3694	SplitBlockAndInsertIfThen(Cond: NoFakeStack, SplitBefore: InsBefore, Unreachable: false);
3695	IRBuilder<> IRBIf(Term);
3696	Value *AllocaValue =
3697	DoDynamicAlloca ? createAllocaForLayout(IRB&: IRBIf, L, Dynamic: true) : StaticAlloca;
3698
3699	IRB.SetInsertPoint(InsBefore);
3700	LocalStackBase =
3701	createPHI(IRB, Cond: NoFakeStack, ValueIfTrue: AllocaValue, ThenTerm: Term, ValueIfFalse: FakeStackPtr);
3702	IRB.CreateStore(Val: LocalStackBase, Ptr: LocalStackBaseAlloca);
3703	DIExprFlags \|= DIExpression::DerefBefore;
3704	} else {
3705	// void FakeStack = nullptr;*
3706	// void LocalStackBase = alloca(LocalStackSize);*
3707	FakeStackInt = Constant::getNullValue(Ty: IntptrTy);
3708	FakeStackPtr = Constant::getNullValue(Ty: PtrTy);
3709	LocalStackBase =
3710	DoDynamicAlloca ? createAllocaForLayout(IRB, L, Dynamic: true) : StaticAlloca;
3711	LocalStackBaseAlloca = LocalStackBase;
3712	}
3713
3714	// Replace Alloca instructions with base+offset.
3715	SmallVector<Value *> NewAllocaPtrs;
3716	for (const auto &Desc : SVD) {
3717	AllocaInst *AI = Desc.AI;
3718	replaceDbgDeclare(Address: AI, NewAddress: LocalStackBaseAlloca, Builder&: DIB, DIExprFlags, Offset: Desc.Offset);
3719	Value *NewAllocaPtr = IRB.CreatePtrAdd(
3720	Ptr: LocalStackBase, Offset: ConstantInt::get(Ty: IntptrTy, V: Desc.Offset));
3721	AI->replaceAllUsesWith(V: NewAllocaPtr);
3722	NewAllocaPtrs.push_back(Elt: NewAllocaPtr);
3723	}
3724
3725	// The left-most redzone has enough space for at least 4 pointers.
3726	// Write the Magic value to redzone[0].
3727	IRB.CreateStore(Val: ConstantInt::get(Ty: IntptrTy, V: kCurrentStackFrameMagic),
3728	Ptr: LocalStackBase);
3729	// Write the frame description constant to redzone[1].
3730	Value *BasePlus1 = IRB.CreatePtrAdd(
3731	Ptr: LocalStackBase, Offset: ConstantInt::get(Ty: IntptrTy, V: ASan.LongSize / `8`));
3732	GlobalVariable *StackDescriptionGlobal =
3733	createPrivateGlobalForString(M&: *F.getParent(), Str: DescriptionString,
3734	/AllowMerging/ true, NamePrefix: genName(suffix: "stack"));
3735	Value *Description = IRB.CreatePointerCast(V: StackDescriptionGlobal, DestTy: IntptrTy);
3736	IRB.CreateStore(Val: Description, Ptr: BasePlus1);
3737	// Write the PC to redzone[2].
3738	Value *BasePlus2 = IRB.CreatePtrAdd(
3739	Ptr: LocalStackBase, Offset: ConstantInt::get(Ty: IntptrTy, V: `2` * ASan.LongSize / `8`));
3740	IRB.CreateStore(Val: IRB.CreatePointerCast(V: &F, DestTy: IntptrTy), Ptr: BasePlus2);
3741
3742	const auto &ShadowAfterScope = GetShadowBytesAfterScope(Vars: SVD, Layout: L);
3743
3744	// Poison the stack red zones at the entry.
3745	Value *ShadowBase =
3746	ASan.memToShadow(Shadow: IRB.CreatePtrToInt(V: LocalStackBase, DestTy: IntptrTy), IRB);
3747	// As mask we must use most poisoned case: red zones and after scope.
3748	// As bytes we can use either the same or just red zones only.
3749	copyToShadow(ShadowMask: ShadowAfterScope, ShadowBytes: ShadowAfterScope, IRB, ShadowBase);
3750
3751	if (!StaticAllocaPoisonCallVec.empty()) {
3752	const auto &ShadowInScope = GetShadowBytes(Vars: SVD, Layout: L);
3753
3754	// Poison static allocas near lifetime intrinsics.
3755	for (const auto &APC : StaticAllocaPoisonCallVec) {
3756	const ASanStackVariableDescription &Desc = *AllocaToSVDMap [APC.AI];
3757	assert(Desc.Offset % L.Granularity == `0`);
3758	size_t Begin = Desc.Offset / L.Granularity;
3759	size_t End = Begin + (APC.Size + L.Granularity - `1`) / L.Granularity;
3760
3761	IRBuilder<> IRB(APC.InsBefore);
3762	copyToShadow(ShadowMask: ShadowAfterScope,
3763	ShadowBytes: APC.DoPoison ? ShadowAfterScope : ShadowInScope, Begin, End,
3764	IRB, ShadowBase);
3765	}
3766	}
3767
3768	// Remove lifetime markers now that these are no longer allocas.
3769	for (Value *NewAllocaPtr : NewAllocaPtrs) {
3770	for (User *U : make_early_inc_range(Range: NewAllocaPtr->users())) {
3771	auto *I = cast<Instruction>(Val: U);
3772	if (I->isLifetimeStartOrEnd())
3773	I->eraseFromParent();
3774	}
3775	}
3776
3777	SmallVector<uint8_t, `64`> ShadowClean(ShadowAfterScope.size(), `0`);
3778	SmallVector<uint8_t, `64`> ShadowAfterReturn;
3779
3780	// (Un)poison the stack before all ret instructions.
3781	for (Instruction *Ret : RetVec) {
3782	IRBuilder<> IRBRet(Ret);
3783	// Mark the current frame as retired.
3784	IRBRet.CreateStore(Val: ConstantInt::get(Ty: IntptrTy, V: kRetiredStackFrameMagic),
3785	Ptr: LocalStackBase);
3786	if (DoStackMalloc) {
3787	assert(StackMallocIdx >= `0`);
3788	// if FakeStack != 0 // LocalStackBase == FakeStack
3789	// // In use-after-return mode, poison the whole stack frame.
3790	// if StackMallocIdx <= 4
3791	// // For small sizes inline the whole thing:
3792	// memset(ShadowBase, kAsanStackAfterReturnMagic, ShadowSize);
3793	// SavedFlagPtr(FakeStack) = 0
3794	// else
3795	// __asan_stack_free_N(FakeStack, LocalStackSize)
3796	// else
3797	// <This is not a fake stack; unpoison the redzones>
3798	Value *Cmp =
3799	IRBRet.CreateICmpNE(LHS: FakeStackInt, RHS: Constant::getNullValue(Ty: IntptrTy));
3800	Instruction ThenTerm, ElseTerm;
3801	SplitBlockAndInsertIfThenElse(Cond: Cmp, SplitBefore: Ret, ThenTerm: &ThenTerm, ElseTerm: &ElseTerm);
3802
3803	IRBuilder<> IRBPoison(ThenTerm);
3804	if (ASan.MaxInlinePoisoningSize != `0` && StackMallocIdx <= `4`) {
3805	int ClassSize = kMinStackMallocSize << StackMallocIdx;
3806	ShadowAfterReturn.resize(N: ClassSize / L.Granularity,
3807	NV: kAsanStackUseAfterReturnMagic);
3808	copyToShadow(ShadowMask: ShadowAfterReturn, ShadowBytes: ShadowAfterReturn, IRB&: IRBPoison,
3809	ShadowBase);
3810	Value *SavedFlagPtrPtr = IRBPoison.CreatePtrAdd(
3811	Ptr: FakeStackPtr,
3812	Offset: ConstantInt::get(Ty: IntptrTy, V: ClassSize - ASan.LongSize / `8`));
3813	Value *SavedFlagPtr = IRBPoison.CreateLoad(Ty: IntptrTy, Ptr: SavedFlagPtrPtr);
3814	IRBPoison.CreateStore(
3815	Val: Constant::getNullValue(Ty: IRBPoison.getInt8Ty()),
3816	Ptr: IRBPoison.CreateIntToPtr(V: SavedFlagPtr, DestTy: IRBPoison.getPtrTy()));
3817	} else {
3818	// For larger frames call __asan_stack_free_.*
3819	RTCI.createRuntimeCall(
3820	IRB&: IRBPoison, Callee: AsanStackFreeFunc[StackMallocIdx],
3821	Args: {FakeStackInt, ConstantInt::get(Ty: IntptrTy, V: LocalStackSize)});
3822	}
3823
3824	IRBuilder<> IRBElse(ElseTerm);
3825	copyToShadow(ShadowMask: ShadowAfterScope, ShadowBytes: ShadowClean, IRB&: IRBElse, ShadowBase);
3826	} else {
3827	copyToShadow(ShadowMask: ShadowAfterScope, ShadowBytes: ShadowClean, IRB&: IRBRet, ShadowBase);
3828	}
3829	}
3830
3831	// We are done. Remove the old unused alloca instructions.
3832	for (auto *AI : AllocaVec)
3833	AI->eraseFromParent();
3834	}
3835
3836	void FunctionStackPoisoner::poisonAlloca(Value *V, uint64_t Size,
3837	IRBuilder<> &IRB, bool DoPoison) {
3838	// For now just insert the call to ASan runtime.
3839	Value *AddrArg = IRB.CreatePointerCast(V, DestTy: IntptrTy);
3840	Value *SizeArg = ConstantInt::get(Ty: IntptrTy, V: Size);
3841	RTCI.createRuntimeCall(
3842	IRB, Callee: DoPoison ? AsanPoisonStackMemoryFunc : AsanUnpoisonStackMemoryFunc,
3843	Args: {AddrArg, SizeArg});
3844	}
3845
3846	// Handling llvm.lifetime intrinsics for a given %alloca:
3847	// (1) collect all llvm.lifetime.xxx(%size, %value) describing the alloca.
3848	// (2) if %size is constant, poison memory for llvm.lifetime.end (to detect
3849	// invalid accesses) and unpoison it for llvm.lifetime.start (the memory
3850	// could be poisoned by previous llvm.lifetime.end instruction, as the
3851	// variable may go in and out of scope several times, e.g. in loops).
3852	// (3) if we poisoned at least one %alloca in a function,
3853	// unpoison the whole stack frame at function exit.
3854	void FunctionStackPoisoner::handleDynamicAllocaCall(AllocaInst *AI) {
3855	IRBuilder<> IRB(AI);
3856
3857	const Align Alignment = std::max(a: Align (kAllocaRzSize), b: AI->getAlign());
3858	const uint64_t AllocaRedzoneMask = kAllocaRzSize - `1`;
3859
3860	Value *Zero = Constant::getNullValue(Ty: IntptrTy);
3861	Value *AllocaRzSize = ConstantInt::get(Ty: IntptrTy, V: kAllocaRzSize);
3862	Value *AllocaRzMask = ConstantInt::get(Ty: IntptrTy, V: AllocaRedzoneMask);
3863
3864	// Since we need to extend alloca with additional memory to locate
3865	// redzones, and OldSize is number of allocated blocks with
3866	// ElementSize size, get allocated memory size in bytes by
3867	// OldSize ElementSize.*
3868	Value *OldSize = IRB.CreateAllocationSize(DestTy: IntptrTy, AI);
3869
3870	// PartialSize = OldSize % 32
3871	Value *PartialSize = IRB.CreateAnd(LHS: OldSize, RHS: AllocaRzMask);
3872
3873	// Misalign = kAllocaRzSize - PartialSize;
3874	Value *Misalign = IRB.CreateSub(LHS: AllocaRzSize, RHS: PartialSize);
3875
3876	// PartialPadding = Misalign != kAllocaRzSize ? Misalign : 0;
3877	Value *Cond = IRB.CreateICmpNE(LHS: Misalign, RHS: AllocaRzSize);
3878	Value *PartialPadding = IRB.CreateSelect(C: Cond, True: Misalign, False: Zero);
3879
3880	// AdditionalChunkSize = Alignment + PartialPadding + kAllocaRzSize
3881	// Alignment is added to locate left redzone, PartialPadding for possible
3882	// partial redzone and kAllocaRzSize for right redzone respectively.
3883	Value *AdditionalChunkSize = IRB.CreateAdd(
3884	LHS: ConstantInt::get(Ty: IntptrTy, V: Alignment.value() + kAllocaRzSize),
3885	RHS: PartialPadding);
3886
3887	Value *NewSize = IRB.CreateAdd(LHS: OldSize, RHS: AdditionalChunkSize);
3888
3889	// Insert new alloca with new NewSize and Alignment params.
3890	AllocaInst *NewAlloca = IRB.CreateAlloca(Ty: IRB.getInt8Ty(), ArraySize: NewSize);
3891	NewAlloca->setAlignment(Alignment);
3892
3893	// NewAddress = Address + Alignment
3894	Value *NewAddress =
3895	IRB.CreateAdd(LHS: IRB.CreatePtrToInt(V: NewAlloca, DestTy: IntptrTy),
3896	RHS: ConstantInt::get(Ty: IntptrTy, V: Alignment.value()));
3897
3898	// Insert __asan_alloca_poison call for new created alloca.
3899	RTCI.createRuntimeCall(IRB, Callee: AsanAllocaPoisonFunc, Args: {NewAddress, OldSize});
3900
3901	// Store the last alloca's address to DynamicAllocaLayout. We'll need this
3902	// for unpoisoning stuff.
3903	IRB.CreateStore(Val: IRB.CreatePtrToInt(V: NewAlloca, DestTy: IntptrTy), Ptr: DynamicAllocaLayout);
3904
3905	Value *NewAddressPtr = IRB.CreateIntToPtr(V: NewAddress, DestTy: AI->getType());
3906
3907	// Remove lifetime markers now that this is no longer an alloca.
3908	for (User *U : make_early_inc_range(Range: AI->users())) {
3909	auto *I = cast<Instruction>(Val: U);
3910	if (I->isLifetimeStartOrEnd())
3911	I->eraseFromParent();
3912	}
3913
3914	// Replace all uses of AddressReturnedByAlloca with NewAddressPtr.
3915	AI->replaceAllUsesWith(V: NewAddressPtr);
3916
3917	// We are done. Erase old alloca from parent.
3918	AI->eraseFromParent();
3919	}
3920
3921	// isSafeAccess returns true if Addr is always inbounds with respect to its
3922	// base object. For example, it is a field access or an array access with
3923	// constant inbounds index.
3924	bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
3925	Value Addr, TypeSize TypeStoreSize) const* {
3926	if (TypeStoreSize.isScalable())
3927	// TODO: We can use vscale_range to convert a scalable value to an
3928	// upper bound on the access size.
3929	return false;
3930
3931	SizeOffsetAPInt SizeOffset = ObjSizeVis.compute(V: Addr);
3932	if (!SizeOffset.bothKnown())
3933	return false;
3934
3935	uint64_t Size = SizeOffset.Size.getZExtValue();
3936	int64_t Offset = SizeOffset.Offset.getSExtValue();
3937
3938	// Three checks are required to ensure safety:
3939	// . Offset >= 0 (since the offset is given from the base ptr)
3940	// . Size >= Offset (unsigned)
3941	// . Size - Offset >= NeededSize (unsigned)
3942	return Offset >= `0` && Size >= uint64_t(Offset) &&
3943	Size - uint64_t(Offset) >= TypeStoreSize / `8`;
3944	}
3945

Browse the source code of llvm_projects/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp